Could you be a little more specific? Are you examining a network-based IDS architecture or a host-based architecture? Is it only for detection or also for prevention?
I'll give you a practical view. One very general approach is to first know the behavior of the network the IDS is protecting. To build the network baseline, your IDS first has to analyze your traffic and analysts have to “clean findings”. In other words, in the beginning your network probe or host agent will have a high number of “false positives.”
You may construct a model based on certain assumptions. For example, if your web infrastructure is based on PHP or Java code, you can disable any .net based signatures in the IDS. This serves two purposes: first, it lowers the learning time of the IDS, and second, it enhances the IDS performance. Unfortunately, the value of that initial assumption is very limited.
Although some literature presents the idea that an IDS works out of the box, if you really want to have a working implementation, the tuning of your solution is critical. That is where your network traffic baseline comes into play. Even in solutions based on heuristic analysis, I haven't seen the first solution that does not require experienced human intervention to examine results and perform that tuning based on some knowledge of the examined network.
Assuming that your network probe is examining inbound Internet traffic, an obvious disadvantage is the lack of visibility into encrypted traffic directed to your network. Therefore, a combination of host-based protection or log analysis of endpoint devices will complement what your network probe is inspecting.
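
The tuning pass described in the answer above, sketched as an added example that is not part of the original answer: it takes analyst-labelled alerts from the baseline period and lists signatures to disable (they target a technology that is not deployed) or to review (almost every hit was a false positive). The signature IDs, technology tags, verdicts and thresholds are all constructed for illustration.

```python
from collections import Counter

# Assumption for this example: the protected web stack is PHP and Java only.
DEPLOYED = {"php", "java"}

# Constructed baseline alerts: (signature id, technology the rule targets,
# analyst verdict after reviewing the finding: "fp" or "tp").
BASELINE_ALERTS = [
    (1001, "dotnet", "fp"), (1001, "dotnet", "fp"),
    (2001, "php", "fp"), (2001, "php", "fp"), (2001, "php", "fp"), (2001, "php", "tp"),
    (2002, "php", "tp"), (2002, "php", "tp"),
    (3001, "java", "fp"), (3001, "java", "fp"), (3001, "java", "fp"),
    (3001, "java", "fp"), (3001, "java", "fp"),
    (4001, "generic", "fp"),
]

def tuning_candidates(alerts, deployed, fp_ratio=0.9, min_alerts=5):
    """Return {sid: reason} for signatures an analyst should tune.

    fp_ratio and min_alerts are hypothetical thresholds: a rule is only
    called noisy once enough baseline hits have been reviewed.
    """
    total, fps, tech = Counter(), Counter(), {}
    for sid, technology, verdict in alerts:
        total[sid] += 1
        tech[sid] = technology
        if verdict == "fp":
            fps[sid] += 1

    candidates = {}
    for sid in sorted(total):
        if tech[sid] != "generic" and tech[sid] not in deployed:
            # Rule targets a stack that does not exist on this network.
            candidates[sid] = "disable: targets undeployed technology"
        elif total[sid] >= min_alerts and fps[sid] / total[sid] >= fp_ratio:
            # Rule is relevant to the stack but fires almost only on benign traffic.
            candidates[sid] = "review: noisy against baseline"
    return candidates

if __name__ == "__main__":
    for sid, reason in tuning_candidates(BASELINE_ALERTS, DEPLOYED).items():
        print(sid, reason)
```

The "review" bucket is deliberately not an automatic disable: those rules match the deployed stack, so an analyst decides whether to suppress, threshold or rewrite them.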