New York City
(800) 908-6656

Defense In Depth

The number of network security incidents grows with the scale of Internet year by year. The attacks can be classified as some categories: backdoor, password guessing, buffer overflow, port scanning, denial-of-service (here after referred to as DoS), distributed denial-of-service (here after referred to as DDoS), etc. The CERT® Coordinate Center [6], a center of Internet security expertise, has reported 831 vulnerabilities while the SNORT [7], has 2200 rules in the signature databases. DoS is harmful attack. The objective of an aggressor enforcing a DoS attack is not to intrude the designated system but to consume the resources of it. By sending malicious IP, ICMP, UDP or TCP packets to the designated system from single PC, an aggressor can easily do this because of the leak of TCP/IP protocol, which always allows a user to send a lot of packets.

Defense-in-Depth Network Security Architecture

For the headquarter, in addition to the IDS/IPS/LPS, a global policy server (GPS) is also equipped to monitor and control the behaviors of the IDS/IPS scattered over the branches. Each LPS equipped with a database to store the signatures as well as the collected local alerts/logs. The GPS is also equipped with a database for storing the logs sent from the LPSs. The security information management (SIM) module of the GPS has the responsibility to analyze the collected logs with data mining technologies to identify if there is any DDoS launched on the network. As long as DDoS attacks are identified by the GPS (unable been identified by individual IDS/IPS), it will send commands to control the scattered LPS (IDS/IPS) to eliminate the attacking packets leaked from the LANs by adjusting the detecting thresholds dynamically..

System architecture of Global Policy Server

The architecture of the GPS consists of four components: Security Information Management (SIM) module, Global Log Server (GLS), GUI, and the Global Database. The GUI provides the administrator a convenient interface to control the GPS. The GLS handles all the logs sent from the LPSs. To manage a large number of LPSs, the GLS should be able to handle many log connections simultaneously. To do this, the GLS props a fix number of threads to accept the log connection requests.


A defense in depth network security architecture that applies data mining technologies to analyze the alerts collected from distributed IDS/IPS has been proposed in this paper. The proposed defense in depth architecture consists of a GPS to manage the scattered intrusion detection and prevention systems, each of which is managed by a LPS. A security information management (SIM) module is designed for the GPS where data mining technology is employed to analyze the events (alerts) collected from the LPSs. Once a DDoS attack is detected by the SIM module, the GPS will inform the LPS (IDS/IPS) to adjust the thresholds immediately to block the attack from the sources. To further evaluate the effectiveness of the proposed architecture, a defense-in-depth network prototyping is implemented, and three data mining tools, RIPPER, DB2Miner are employed for detecting 30 types of events.