16.4. Conclusion

Analyzing fault and security alarms is crucial for identifying and localizing network problems such as failures or intrusions. In this chapter, we show how to integrate fault and security management to relieve system administrators of the heavy burden of manual diagnostics and to improve the accuracy of fault and intrusion identification. In the first section, a novel technique called active integrated fault reasoning, or AIR, is presented. This technique is the first to seamlessly integrate passive and active fault reasoning in order to reduce fault detection time as well as improve the accuracy of fault diagnosis. AIR can similarly be used to correlate security alarms and identify potential intrusions or attacks. When the observed symptoms are insufficient to identify the root cause, AIR initiates optimal active probing to investigate and identify the problem with reasonable certainty. The AIR approach is designed to minimize the intrusiveness of active probing by enhancing the fault hypothesis and optimizing the action selection process. Our simulation results show that AIR is robust and scalable even in extreme scenarios such as large network sizes and high spurious-symptom and symptom-loss rates.

In the second section, we show how network-level intrusion detection systems can integrate fault and intrusion detection to avoid wrongly identifying faults as intrusions. This reduces the false alerts that often lead network administrators to turn off IDSs. It is therefore of crucial importance for network-based IDSs to identify both faults and intrusions rapidly and accurately. We propose the HiFIND system, which leverages data streaming techniques such as the reversible sketch. In contrast to existing IDSs, HiFIND (1) separates anomalies to limit false positives in detection, (2) scales to flow-level detection on high-speed networks, (3) is DoS resilient, (4) can distinguish SYN flooding from various port scans (mostly for worm propagation) for effective mitigation, and (5) enables aggregate detection over multiple routers/gateways. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties.
