CARDS: A DISTRIBUTED SYSTEM FOR DETECTING COORDINATED ATTACKS

Jiahai Yang, Peng Ning, X. Sean Wang, and Sushil Jajodia
Center for Secure Information Systems
George Mason University
Fairfax, VA 22030, USA
{yjh, pning, xywang, jajodia}@ise.gmu.edu

Abstract

A major research problem in intrusion detection is the efficient detection of coordinated attacks over large networks. Issues to be resolved include determining what data should be collected, which portion of the data should be analyzed, where the analysis of the data should take place, and how to correlate multi-source information. This paper proposes the architecture of a Coordinated Attack Response & Detection System (CARDS). CARDS uses a signature-based model for resolving these issues. It consists of signature managers, monitors, and directory services. The system collects data in a flexible, distributed manner, and the detection process is decentralized among various monitors and is event-driven. The paper also discusses related implementation issues.

Keywords: computer networks, intrusion detection, misuse detection, network security

1. INTRODUCTION

With the rapidly growing connectivity of the Internet, networked computer systems are fulfilling increasingly vital roles in our modern society. While the Internet has brought great benefits to this society, it has also made critical systems vulnerable to malicious attacks [3]. Coordinated attacks are increasingly popular among hackers; such attacks are difficult to detect and to defend against effectively.

The conventional approach to securing a computer or network system is to build a protective shield around it (e.g., a firewall). Outsiders who need to access the system must be identified and authenticated [8]. Since such a preventive approach alone cannot provide sufficient security for a computer system, intrusion detection techniques are introduced as a second line of defense [2, 8].

Early intrusion detection system (IDS) models were designed to monitor the activities of a single host. Such models include Haystack [12] and SRI's IDES [5, 7]. Later models accommodated the monitoring of a number of hosts in-