MCSoft Security Solutions
 
MCSoft Project - Computer Immune System for Intrusion and Virus Detection

Architecture of the Computer Immune System

The SNORT Framework consists of several layers of processing routines installed on each network node. The focus lies on the sensor installed in the preprocessor plugin layer and the corresponding monitor application. The sensor processes all the network traffic of the network node and represents the main logic of the CIS. It incorporates all the mechanisms for training the detector set and for reacting to the various activities of its detectors.
The monitor of the network node presents the status of the sensor to the user. It shows the ongoing activity in the detector set and provides a visual overview of all changes. The monitor also allows the user to react to a possibly malicious code fragment detected in a packet. Furthermore, it is responsible for the communication with a central MySQL database.
This database collects the most successful detectors of the whole computer immune system. It also receives statistical information about the status of each network node. The monitor sends successful detectors, trained by the local sensor, to the central database, and in turn receives new ones that were trained by other network nodes. The monitor passes such newly received detectors to the sensor for deployment in the local detector set.
The database can also be read by external frameworks with a similar kind of environment. In this way successful detectors and incident reports can be provided to different work groups. The common data format for the information exchange with the database is IODEF (Incident Object Description and Exchange Format), an XML-based format. The statistical information in the database is used to update the web frontend of the computer immune system, where the status of the computer immune system can be viewed.
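To make the IODEF exchange described above concrete, here is an added example (not code from the MCSoft project) that builds an RFC 5070 IODEF incident report from a detector hit and parses such a report back. Which fields a CIS node records per hit (the `DetectorHit` layout, the `meaning="detector-id"` record item, and the sample values) are assumptions made for this example; the element names, attribute values and namespace are the ones defined by RFC 5070.

```python
"""Build and parse IODEF (RFC 5070) incident reports of the kind a CIS
monitor could send to the central database or share with other work groups.
Added example: the per-hit record layout is an assumption, not the project's code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # namespace fixed by RFC 5070
ET.register_namespace("", IODEF_NS)              # emit it as the default namespace

# RFC 5070 enumerations we validate against on the way in and out
SEVERITIES = ("low", "medium", "high")


def q(tag: str) -> str:
    """Qualify a local element name with the IODEF namespace."""
    return f"{{{IODEF_NS}}}{tag}"


@dataclass
class DetectorHit:
    """One match of a trained detector on a packet (assumed CIS record layout)."""
    incident_id: str      # local incident id, e.g. "CIS-0001" (constructed)
    reporting_node: str   # hostname of the node whose sensor matched
    source_ip: str        # IPv4 address the matched packet came from
    detector_id: str      # id of the detector that matched
    severity: str         # IODEF Impact/@severity: low | medium | high
    report_time: str      # ISO 8601 timestamp of the report


def build_iodef(hit: DetectorHit) -> bytes:
    """Serialise a detector hit as a minimal IODEF-Document."""
    if hit.severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    # IncidentID/@name identifies the CSIRT or, here, the reporting node
    ET.SubElement(inc, q("IncidentID"), {"name": hit.reporting_node}).text = hit.incident_id
    ET.SubElement(inc, q("ReportTime")).text = hit.report_time
    assess = ET.SubElement(inc, q("Assessment"))
    # completion="failed": the packet was caught by a detector, not delivered unchecked
    ET.SubElement(assess, q("Impact"),
                  {"severity": hit.severity, "completion": "failed", "type": "unknown"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = hit.reporting_node
    ev = ET.SubElement(inc, q("EventData"))
    system = ET.SubElement(ET.SubElement(ev, q("Flow")), q("System"), {"category": "source"})
    node = ET.SubElement(system, q("Node"))
    ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = hit.source_ip
    # The matching detector travels as a RecordItem; "meaning" is free text in IODEF
    rdata = ET.SubElement(ET.SubElement(ev, q("Record")), q("RecordData"))
    ET.SubElement(rdata, q("RecordItem"),
                  {"dtype": "string", "meaning": "detector-id"}).text = hit.detector_id
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def parse_iodef(data: bytes) -> DetectorHit:
    """Read a report produced by build_iodef (or by another IODEF-speaking framework).

    Documents received from other work groups are untrusted input: in production,
    parse them with a hardened XML parser (e.g. defusedxml) that refuses entity
    expansion and external entities; stdlib ElementTree is used here for portability."""
    root = ET.fromstring(data)
    if root.tag != q("IODEF-Document"):
        raise ValueError("not an IODEF document")
    inc = root.find(q("Incident"))
    iid = inc.find(q("IncidentID"))
    impact = inc.find(f"{q('Assessment')}/{q('Impact')}")
    addr = inc.find(f".//{q('Address')}")
    item = inc.find(f".//{q('RecordItem')}[@meaning='detector-id']")
    if None in (iid, impact, addr, item):
        raise ValueError("required IODEF elements missing")
    severity = impact.get("severity")
    if severity not in SEVERITIES:
        raise ValueError(f"unexpected severity {severity!r}")
    return DetectorHit(
        incident_id=iid.text,
        reporting_node=iid.get("name"),
        source_ip=addr.text,
        detector_id=item.text,
        severity=severity,
        report_time=inc.findtext(q("ReportTime")),
    )


# Constructed sample hit, not real incident data
SAMPLE_HIT = DetectorHit("CIS-0001", "node1.example", "192.0.2.10",
                         "det-17", "medium", "2024-01-01T00:00:00+00:00")

if __name__ == "__main__":
    report = build_iodef(SAMPLE_HIT)
    print(report.decode())
    print(parse_iodef(report) == SAMPLE_HIT)
```

The round trip is the useful check: a report written by one node must come back as the same record on another node, and anything missing the required elements or carrying a severity outside the RFC's enumeration is rejected rather than silently stored in the database.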

Figure 1: Architecture of the computer immune system (CIS). Each network node is equipped with a CIS sensor and a monitor application. The monitor applications communicate with a central database in order to update the statistics of the local training process and to upload successfully trained detectors, so that these can spread over the CIS.