16.1. Introduction

Network problems such as faults and security attacks are expressed in a network as one or more symptoms (e.g., alarms, logs, trouble tickets). Network problem diagnosis is the process of correlating or analyzing the observed symptoms in order to identify the root cause. As network faults and security attacks might show similar symptoms, it is possible to incorrectly identify faults as security attacks or vice versa. For example, host/network reachability problems could be due to either a denial of service (DoS) attack or a link or protocol failure. Such misdiagnoses cause more false alarms and incorrect response actions. Therefore, integrating fault and security management is important for practical network management systems in order to diagnose and fix problems accurately.

Fault and security intrusion diagnosis exhibit a similar reasoning process that includes symptom collection, correlation, and evaluation. This makes the integration of fault and security management even more sensible. However, to achieve an optimal integration, a number of challenges need to be addressed. First, the root cause of a symptom should be accurately identified even with incomplete symptom information. Second, problem identification should be fast to account for high-speed networks and the wide distribution of sensors (e.g., intrusion detection systems, or IDSs).
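As an added illustration of the two points above (it is not from the chapter), the sketch below scores candidate root causes against the symptoms actually reported, treats an unreported symptom as unknown rather than absent, and refuses to name a single cause while several remain plausible; the symptom names and likelihood values are constructed for the example.

```python
import math

# Constructed knowledge base (not from the chapter): for each candidate root
# cause, the probability that a given symptom is observed when that cause is
# active. An equal prior probability for every cause is assumed.
CAUSES = {
    "dos_attack": {"host_unreachable": 0.90, "syn_rate_spike": 0.90,
                   "link_down_alarm": 0.05, "routing_session_reset": 0.10},
    "link_failure": {"host_unreachable": 0.90, "syn_rate_spike": 0.05,
                     "link_down_alarm": 0.95, "routing_session_reset": 0.60},
    "protocol_failure": {"host_unreachable": 0.80, "syn_rate_spike": 0.05,
                         "link_down_alarm": 0.05, "routing_session_reset": 0.90},
}


def log_likelihood(cause, observed):
    """Sum log P(symptom state | cause) over the symptoms that were reported.
    A symptom missing from `observed` is unknown (e.g. a sensor gap) and
    contributes nothing; this is how incomplete information is handled
    instead of being misread as 'symptom absent'."""
    total = 0.0
    for symptom, p in CAUSES[cause].items():
        if symptom in observed:
            total += math.log(p if observed[symptom] else 1.0 - p)
    return total


def diagnose(observed, margin=1.0):
    """Rank causes; name a single root cause only when it beats every other
    candidate by at least `margin` in log-likelihood, otherwise return None
    together with the list of candidates that remain plausible."""
    ranked = sorted(CAUSES, key=lambda c: log_likelihood(c, observed), reverse=True)
    best = log_likelihood(ranked[0], observed)
    plausible = [c for c in ranked if best - log_likelihood(c, observed) < margin]
    return (plausible[0] if len(plausible) == 1 else None), plausible


def security_only_view(observed):
    """What a sensor that knows nothing about faults concludes: any loss of
    reachability looks like a DoS attack. Shows the false alarm an
    unintegrated engine raises when the real cause is a failed link."""
    return "dos_attack" if observed.get("host_unreachable") else None


if __name__ == "__main__":
    # Only the shared symptom is known: the integrated engine stays undecided,
    # while the security-only view already raises a DoS alarm.
    print(diagnose({"host_unreachable": True}))
    print(security_only_view({"host_unreachable": True}))
    # A link-down alarm from a fault sensor resolves the ambiguity.
    print(diagnose({"host_unreachable": True, "link_down_alarm": True}))
```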

In Section 16.2, we present an active problem diagnosis framework for integrating the reasoning of fault or security alarms within the same engine. The presented framework uses this active diagnosis approach to deal with incomplete symptom information and identify faults and intrusions. In Section 16.3, we show an architecture for network-based IDSs that analyzes traffic collected from different sensors on a high-speed network, identifies faults and intrusions, and initiates proper mitigation actions for various intrusions.
