OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections

OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections

Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its im...

Full description

Bibliographic Details
Main Authors: Diogo Teixeira, Leonardo Assunção, Teresa Pereira, Silvestre Malta, Pedro Pinto
Format: Article
Language:English
Published: MDPI AG 2019-09-01
Series:Journal of Sensor and Actuator Networks
Subjects:
IDS
OSSEC
cybersecurity
information security
attack detection
security events
intrusions
Online Access:https://www.mdpi.com/2224-2708/8/3/46
id doaj-ce87c8fa7d64455f8d44e9458574720a
record_format Article
spelling doaj-ce87c8fa7d64455f8d44e9458574720a2020-11-25T01:51:12ZengMDPI AGJournal of Sensor and Actuator Networks2224-27082019-09-01834610.3390/jsan8030046jsan8030046OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative DetectionsDiogo Teixeira0Leonardo Assunção1Teresa Pereira2Silvestre Malta3Pedro Pinto4Instituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, PortugalInstituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, PortugalInstituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo and Centro Algoritmi, Universidade do Minho, 4800-058 Guimarães, PortugalInstituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, Portugal and atlanTTic, Universidade de Vigo, E36310 Vigo, SpainInstituto Politécnico de Viana do Castelo, 4900-347 Viana do Castelo, ISMAI, and INESC TEC, 4200-465 Porto, PortugalIntrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments.https://www.mdpi.com/2224-2708/8/3/46IDSOSSECcybersecurityinformation securityattack detectionsecurity eventsintrusions
collection DOAJ
language English
format Article
sources DOAJ
author Diogo Teixeira
Leonardo Assunção
Teresa Pereira
Silvestre Malta
Pedro Pinto
spellingShingle Diogo Teixeira
Leonardo Assunção
Teresa Pereira
Silvestre Malta
Pedro Pinto
OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
Journal of Sensor and Actuator Networks
IDS
OSSEC
cybersecurity
information security
attack detection
security events
intrusions
author_facet Diogo Teixeira
Leonardo Assunção
Teresa Pereira
Silvestre Malta
Pedro Pinto
author_sort Diogo Teixeira
title OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
title_short OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
title_full OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
title_fullStr OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
title_full_unstemmed OSSEC IDS Extension to Improve Log Analysis and Override False Positive or Negative Detections
title_sort ossec ids extension to improve log analysis and override false positive or negative detections
publisher MDPI AG
series Journal of Sensor and Actuator Networks
issn 2224-2708
publishDate 2019-09-01
description Intrusion Detection Systems (IDS) are used to prevent attacks by detecting potential harmful intrusion attempts. Currently, there are a set of available Open Source IDS with different characteristics. The Open Source Host-based Intrusion Detection System (OSSEC) supports multiple features and its implementation consists of Agents that collect and send event logs to a Manager that analyzes and tests them against specific rules. In the Manager, if certain events match a specific rule, predefined actions are triggered in the Agents such as to block or unblock a particular IP address. However, once an action is triggered, the systems administrator is not able to centrally check and obtain detailed information of the past event logs. In addition, OSSEC may assume false positive or negative detections and their triggered actions: previously harmless but blocked IP addresses by OSSEC have to be unblocked in order to reestablish normal operation or potential harmful IP addresses not previously blocked by OSSEC should be blocked in order to increase protection levels. These operations to override OSSEC actions must be manually performed in every Agent, thus requiring time and human resources. Both these limitations have a higher impact on large scale OSSEC deployments assuming tens or hundreds of Agents. This paper proposes an extension to OSSEC that improves the administrator analysis capability by maintaining, organizing and presenting Agent logs in a central point, and it allows for blocking or unblocking IP addresses in order to override actions triggered by false detections. The proposed extension aims to increase efficiency of time and human resources management, mainly considering large scale OSSEC deployments.
topic IDS
OSSEC
cybersecurity
information security
attack detection
security events
intrusions
url https://www.mdpi.com/2224-2708/8/3/46
work_keys_str_mv AT diogoteixeira ossecidsextensiontoimproveloganalysisandoverridefalsepositiveornegativedetections
AT leonardoassuncao ossecidsextensiontoimproveloganalysisandoverridefalsepositiveornegativedetections
AT teresapereira ossecidsextensiontoimproveloganalysisandoverridefalsepositiveornegativedetections
AT silvestremalta ossecidsextensiontoimproveloganalysisandoverridefalsepositiveornegativedetections
AT pedropinto ossecidsextensiontoimproveloganalysisandoverridefalsepositiveornegativedetections
_version_ 1724997984379207680

Similar Items