February 1, 2008
Conference Paper

A Flexible, High Performance Service-Oriented Architecture for Detecting Cyber Attacks

Abstract

The next generation of intrusion detection and cyber defense technologies must be highly flexible so that deployed solutions can be quickly modified to detect new attack scenarios. They must also be able to provide the performance necessary to monitor traffic from high-speed networks, and scale to enterprise-wide deployments. In this paper we describe our experiences in creating a production application for cyber situational awareness. The application exploits the capabilities of several independently developed components and integrates them using SIFT (Scalable Information Fusion and Triage), a service-oriented architecture (SOA) designed for creating domain-independent, enterprise-scale analytical applications. SIFT exploits a common design pattern for composing analytical components, and extends an existing messaging platform with scaling capabilities. We describe the design of the application, and provide a performance analysis that demonstrates the capabilities of the SIFT platform. The paper concludes by discussing the lessons we have learned from this project, and outlines the architecture of MeDICI, the next generation of our enterprise analytics platforms.

Revised: March 11, 2008 | Published: February 1, 2008

Citation

Wynne A.S., I. Gorton, J.P. Almquist, J. Chatterton, and D.A. Thurman. 2008. A Flexible, High Performance Service-Oriented Architecture for Detecting Cyber Attacks. In Proceedings of the 41st Annual Hawaii International Conference on System Sciences, 263. Los Alamitos, California: IEEE Computer Society. PNNL-SA-56843. doi:10.1109/HICSS.2008.19