Zurich Information Security Center

Integrated Framework for Intrusion Management


Status

This project has ended.

Researchers

Background

Over the past years, Intrusion Management (IM) has developed by enhancing traditional, standalone Intrusion Detection Systems (IDSes) with additional functionality. Today, IM usually means the integration and collaboration of different components, including network- and host-based IDSes, firewalls, routers, and anti-virus software. Integrating these components means that the events generated by the different components are no longer analysed in isolation, but are first sent to a centralised correlation engine, which correlates the events and decides whether to raise an alert. These alerts are then displayed at a centralised management console for further processing by humans. One advantage of this integration over standalone IDSes is increased accuracy, especially with regard to false positives. For example, if a network-based IDS detects an attack against a host but the firewall has blocked the attack traffic, there is no need to raise an alert. A second advantage is better manageability, because the alerts of the entire security infrastructure are collected and displayed in a single place.

Beyond integrating different components, IM also makes use of additional information about the systems that must be protected to further increase the accuracy of the alerts. This is also known as target-based intrusion detection and involves (1) prioritisation of alerts, because some hosts are more important than others and consequently some alerts should be handled more quickly than others; (2) host context, i.e. periodically scanning the hosts for known vulnerabilities and using the results in the correlation engine to determine whether an attacked host is actually vulnerable to the attack; and (3) network context, i.e. including the topology to decide which segments of the network need more attention with regard to attacks than others. As a simple example of host context, consider an attack exploiting a known vulnerability in Internet Information Server (IIS): if the correlation engine "knows" that all IIS instances within the company are correctly patched, or that the company runs only Apache web servers, there is no need to raise an alert.
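The two paragraphs above describe one decision procedure: take an IDS event, check whether the firewall already dropped the traffic (network context), check whether the targeted host really exposes the vulnerable product unpatched (host context), and prioritise by host criticality. The following is an added example of such a correlation rule, written for this page and not code from the ZISC project; the event fields, the asset inventory layout, the product names, the fix label "KB-fix-A", the IP addresses and the 7-day scan-age limit are all constructed assumptions. It goes slightly beyond the text in one respect a practitioner would want: stale or missing host context never suppresses an alert, because suppression is only as trustworthy as the scan behind it.

```python
"""Toy target-based alert correlation (added example, not ZISC code).

Constructed assumptions:
- an IDS event names source, target host, destination port, the product the
  signature targets, and the vendor fix that makes a host immune;
- firewall drop logs record (src, dst, dport) of blocked flows;
- an asset inventory records criticality, services per port, applied fixes,
  and how old the vulnerability scan behind the record is.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

MAX_SCAN_AGE_DAYS = 7  # assumption: older host context must not suppress alerts


class Verdict(Enum):
    SUPPRESS = "suppress"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass(frozen=True)
class IdsEvent:
    src: str
    dst: str
    dport: int
    product: str   # product the signature targets, e.g. "IIS"
    fixed_by: str  # vendor fix that removes the vulnerability (constructed label)


@dataclass(frozen=True)
class FirewallDrop:
    src: str
    dst: str
    dport: int


@dataclass
class Asset:
    criticality: int                 # 1 (low) .. 3 (high)
    services: dict                   # dport -> product running on that port
    patches: set = field(default_factory=set)
    scan_age_days: int = 0           # age of the vulnerability scan behind this record


def correlate(event: IdsEvent, drops: set, inventory: dict) -> tuple:
    """Return (Verdict, reason) for one IDS event given firewall and host context."""
    # 1. Network context: the firewall already dropped exactly this flow.
    if FirewallDrop(event.src, event.dst, event.dport) in drops:
        return Verdict.SUPPRESS, "attack traffic dropped by firewall"

    asset = inventory.get(event.dst)
    # 2. Unknown host or stale scan: fall back to plain IDS behaviour and alert.
    if asset is None or asset.scan_age_days > MAX_SCAN_AGE_DAYS:
        return Verdict.MEDIUM, "no usable host context, alerting conservatively"

    # 3. Host context: is the targeted product actually exposed and unpatched?
    running = asset.services.get(event.dport)
    if running != event.product:
        return Verdict.SUPPRESS, f"port {event.dport} runs {running!r}, not {event.product!r}"
    if event.fixed_by in asset.patches:
        return Verdict.SUPPRESS, f"host has {event.fixed_by} applied"

    # 4. Host is vulnerable: prioritise by how important it is.
    return (Verdict.HIGH if asset.criticality >= 3 else Verdict.MEDIUM), "host vulnerable"


def demo_verdicts() -> dict:
    """Run the rule over a constructed inventory, drop log and event set."""
    inventory = {
        "10.0.0.10": Asset(3, {80: "IIS"}, set(), scan_age_days=1),
        "10.0.0.11": Asset(2, {80: "IIS"}, {"KB-fix-A"}, scan_age_days=2),
        "10.0.0.12": Asset(2, {80: "Apache"}, set(), scan_age_days=1),
        "10.0.0.13": Asset(3, {80: "IIS"}, set(), scan_age_days=30),
    }
    drops = {FirewallDrop("198.51.100.7", "10.0.0.10", 80)}
    attack = lambda src, dst: IdsEvent(src, dst, 80, "IIS", "KB-fix-A")
    cases = {
        "blocked by firewall":      attack("198.51.100.7", "10.0.0.10"),
        "vulnerable critical host": attack("203.0.113.5", "10.0.0.10"),
        "patched host":             attack("203.0.113.5", "10.0.0.11"),
        "runs Apache":              attack("203.0.113.5", "10.0.0.12"),
        "stale scan":               attack("203.0.113.5", "10.0.0.13"),
        "unknown host":             attack("203.0.113.5", "10.0.0.99"),
    }
    return {name: correlate(ev, drops, inventory)[0] for name, ev in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{name:26s} -> {verdict.value}")
```

Two design points matter here. The firewall check matches the exact flow, not just the destination host, so a drop of one attacker's traffic does not silence a second attacker that got through. And every "suppress" branch depends on a positive statement from the inventory (the port runs a different product, or the fix is recorded), never on the absence of data; an unknown host or an outdated scan degrades to the standalone-IDS behaviour of alerting.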

Motivation

The main motivation for this project is that although IM has matured significantly over time, several open issues remain. At this time, we identify three major problems:

Current Status and Outlook

The project is still in its very early stage, and we are currently analysing which of the three problems identified above is the most interesting and promising to attack within the context of this project. As soon as we have a more detailed project description, this page will be updated.


© 2013 ETH Zurich | 12 April 2007