Cover V11, I08

DShield Principles

DShield.org's system was designed to be fast and scalable and to include a wide range of sensors. The initial challenge was to define the lowest data fidelity still considered valuable to the system. We chose to keep only very basic TCP/IP header information: date and time at one-second resolution, source and target IP addresses and ports, protocol, and TCP flags. This allowed DShield.org to accept data from a number of non-IDS packages, such as personal firewalls. While we lose some valuable information that other systems record, such as IP and TCP options and packet content, we gain a large number of additional sensors. Reducing each event to this minimum also shrinks the volume of data that has to be processed, so the system stays agile even as the number of sensors grows.
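The normalization step this paragraph describes, as an added example that is not DShield.org's own code: two sensors with very different native log formats are reduced to the same minimal record (second-resolution timestamp, source and target IP and port, protocol, TCP flags), and everything else is discarded. The iptables/netfilter syslog layout used for the first sensor is the real one; the comma-separated "personal firewall" log, the field names, and the tab-separated output line are hypothetical and exist only to illustrate the reduction, since the page does not specify a submission format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MinimalEvent:
    """The lowest-fidelity record the text describes: basic header fields only."""
    timestamp: str   # "YYYY-MM-DD HH:MM:SS", truncated to one-second resolution
    src_ip: str
    src_port: int    # 0 when the protocol has no ports (e.g. ICMP)
    dst_ip: str
    dst_port: int
    protocol: str    # "TCP", "UDP", "ICMP", ...
    flags: str       # TCP flag letters such as "S" or "SA"; empty for non-TCP

    def as_line(self) -> str:
        # Hypothetical tab-separated line; the page does not specify a wire format.
        return "\t".join([self.timestamp, self.src_ip, str(self.src_port),
                          self.dst_ip, str(self.dst_port), self.protocol, self.flags])


# Sensor 1: a netfilter/iptables LOG line as written to syslog (real layout).
# syslog timestamps carry no year, so the caller supplies it.
IPTABLES_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?(?P<rest>.*)$"
)
# iptables prints set TCP flags as bare words ("... RES=0x00 SYN URGP=0").
TCP_FLAG_WORDS = [("SYN", "S"), ("ACK", "A"), ("FIN", "F"), ("RST", "R"), ("PSH", "P"), ("URG", "U")]


def _flag_letters(words) -> str:
    return "".join(letter for word, letter in TCP_FLAG_WORDS if word in words)


def parse_iptables(line: str, year: int) -> Optional[MinimalEvent]:
    m = IPTABLES_RE.match(line)
    if not m:
        return None  # lines without SRC/DST/PROTO carry nothing we keep
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    flags = _flag_letters(set(m["rest"].split())) if m["proto"] == "TCP" else ""
    # LEN, TOS, TTL, ID, WINDOW and options are dropped on purpose: fidelity is traded for sensor count.
    return MinimalEvent(ts.strftime("%Y-%m-%d %H:%M:%S"), m["src"], int(m["spt"] or 0),
                        m["dst"], int(m["dpt"] or 0), m["proto"], flags)


# Sensor 2: a hypothetical personal-firewall log (constructed format, not a real product's):
#   <timestamp with milliseconds>,<action>,<proto>,<src ip:port>,<dst ip:port>,<flags joined by "|">
def parse_personal_fw(line: str) -> Optional[MinimalEvent]:
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts_raw, _action, proto, src, dst, flagword = parts
    ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%S.%f")  # sub-second part is discarded below
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    flags = _flag_letters(set(flagword.split("|"))) if proto == "TCP" else ""
    return MinimalEvent(ts.strftime("%Y-%m-%d %H:%M:%S"), src_ip, int(src_port),
                        dst_ip, int(dst_port), proto, flags)


def normalize(iptables_lines: List[str], fw_lines: List[str], year: int) -> List[MinimalEvent]:
    """Reduce both sensors' logs to the common minimal record, skipping unparseable lines."""
    events = [parse_iptables(l, year) for l in iptables_lines]
    events += [parse_personal_fw(l) for l in fw_lines]
    return [e for e in events if e is not None]


def count_identical(events: List[MinimalEvent]) -> Dict[MinimalEvent, int]:
    """Events that collapse to the same minimal record (same second, same tuple) are merged."""
    counts: Dict[MinimalEvent, int] = {}
    for e in events:
        counts[e] = counts.get(e, 0) + 1
    return counts


# Constructed sample input (documentation addresses, not real traffic).
IPTABLES_LINES = [
    "Jul 14 12:34:56 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF "
    "PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jul 14 12:34:56 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "Jul 14 12:34:57 gw kernel: noise line without SRC/DST",
]
FW_LINES = [
    "2002-07-14 12:34:56.318,BLOCK,TCP,198.51.100.23:4321,192.0.2.10:22,SYN",
    "2002-07-14 12:34:56.902,BLOCK,TCP,198.51.100.23:4321,192.0.2.10:22,SYN",
    "2002-07-14 12:35:01.004,BLOCK,UDP,203.0.113.9:53,192.0.2.10:1434,",
]

if __name__ == "__main__":
    for ev, n in count_identical(normalize(IPTABLES_LINES, FW_LINES, 2002)).items():
        print(n, ev.as_line())
```

Note how the two 12:34:56 personal-firewall lines and the iptables SYN collapse into one record once sub-second precision and the extra header fields are gone; that is exactly the loss of fidelity the paragraph accepts in exchange for being able to ingest such sensors at all.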

From the beginning, DShield.org rejected relying on signature-based recognition at the client. Doing so would have significantly complicated the integration of new IDS packages, since each one uses its own set of signatures and its own labels for any of the thousand or more different attacks these packages recognize.

We also decided not to issue specific guidelines as to which events users should or should not submit. Any such guideline would introduce a bias into the data and could skew it. Instead, when asked, DShield.org recommends submitting any event the user perceives as "irregular" or "hostile".