Cooperation in Intrusion Detection Networks


Chapter 9: Cooperation in Intrusion Detection Networks
Authors: Carol Fung and Raouf Boutaba
Editors: M. S. Obaidat and S. Misra
John Wiley & Sons publishing
Network Intrusions
• Unwanted traffic or computer activities that may be malicious and destructive
– Denial of Service
– Identity theft
– Spam
• Single-host intrusions
• Cooperative attacks
Intrusion Detection Systems
• Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions
– Signature-based and anomaly-based
– Host-based and network-based
Figure 1. An example of host-based IDS and Network-based IDS
Cooperative IDS
• IDSs use collective information from other IDSs to make more accurate intrusion detection decisions
• Four features characterize a CIDN
– Topology
– Cooperation scope
– Specialization
– Cooperation technology
Cooperation Technology
• Data correlation
• Trust management
• Load balancing
IDN          Topology       Scope    Specialization   Technology and algorithm
Indra        Distributed    Local    Worm             -
DOMINO       Decentralized  Hybrid   Worm             -
DShield      Centralized    Global   General          Data correlation
NetShield    Distributed    Global   Worm             Load balancing
Gossip       Distributed    Local    Worm             -
Worminator   -              Global   Worm             -
ABDIAS       Decentralized  Hybrid   General          Trust management
CRIM         Centralized    Local    General          Data correlation
HBCIDS       Distributed    Global   General          Trust management
ALPACAS      Distributed    Global   Spam             Load balancing
CDDHT        Decentralized  Local    General          -
SmartScreen  Centralized    Global   Phishing         -
FFCIDN       Centralized    Global   Botnet           Data correlation
Table 1. Classification of Cooperative Intrusion Detection Networks
Indra
• An early proposal for cooperative intrusion detection
• Cooperating nodes take a proactive approach: each node shares its blacklist with the other nodes
DOMINO
• Monitors Internet outbreaks for large-scale networks
• Nodes are organized hierarchically
• Different roles are assigned to nodes
DShield
• A centralized firewall log correlation system
• Data is collected by the SANS Internet Storm Center
• Not a real-time analysis system
• Packet payloads are removed for privacy reasons
NetShield
• A fully distributed system to monitor epidemic worms and DoS attacks
• The Chord DHT P2P system is used to load-balance the participating nodes
• An alarm is triggered if the local prevalence of a content block exceeds a threshold
• Only works on worms with a fixed attack trace; does not work on polymorphic worms
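The content-block prevalence check described on this slide, as an added example (not NetShield's own code). Each payload is cut into fixed-size blocks, every block hash is mapped to the set of distinct (source, destination) flows that carried it, and an alarm fires when that set reaches a threshold. The block size, the threshold, the fixed-offset blocking and the traffic are all assumptions constructed for the demo; the polymorphic variant shows the failure mode the slide names.

```python
import hashlib
from collections import defaultdict

# Both constants are assumptions chosen for the demo, not NetShield's values.
BLOCK_SIZE = 16            # bytes per content block
PREVALENCE_THRESHOLD = 3   # distinct (src, dst) pairs that must carry a block


def content_blocks(payload: bytes, block_size: int = BLOCK_SIZE):
    """Yield a hash for each block_size-byte block of payload.

    Fixed-offset blocking is a simplification: it only matches identical
    bytes at identical offsets, which is exactly what a fixed-trace worm
    produces and what a polymorphic worm avoids.
    """
    for off in range(0, len(payload) - block_size + 1, block_size):
        yield hashlib.sha1(payload[off:off + block_size]).hexdigest()


class LocalPrevalenceMonitor:
    """Counts, per content block, how many distinct flows carried it."""

    def __init__(self, threshold=PREVALENCE_THRESHOLD, block_size=BLOCK_SIZE):
        self.threshold = threshold
        self.block_size = block_size
        self.carriers = defaultdict(set)   # block hash -> {(src, dst), ...}
        self.alarms = {}                   # block hash -> prevalence when alarmed

    def observe(self, src: str, dst: str, payload: bytes):
        """Record one flow; return the block hashes that just crossed the threshold."""
        fired = []
        for h in content_blocks(payload, self.block_size):
            self.carriers[h].add((src, dst))
            if h not in self.alarms and len(self.carriers[h]) >= self.threshold:
                self.alarms[h] = len(self.carriers[h])
                fired.append(h)
        return fired


def run_demo():
    """Constructed traffic: a fixed-trace worm, a polymorphic variant, benign flows."""
    fixed, poly, benign = (LocalPrevalenceMonitor() for _ in range(3))
    # Constructed worm body with no repeated 16-byte block (4 blocks in total).
    body = b"GET /default.ida?" + bytes(range(48)) + b" HTTP/1.0\r\n"
    first_alarm_flow = None
    for i in range(4):
        src, dst = f"10.0.0.{i + 1}", f"192.0.2.{i + 10}"
        if fixed.observe(src, dst, body) and first_alarm_flow is None:
            first_alarm_flow = i + 1
        # Polymorphic variant: the same body XORed with a per-flow key, so no
        # block hash repeats across flows and the prevalence never rises.
        poly.observe(src, dst, bytes(b ^ (i + 1) for b in body))
        # Benign traffic: every flow carries a different request line.
        benign.observe(src, dst, f"GET /page{i}.html HTTP/1.0\r\n".encode())
    return {
        "fixed_alarms": len(fixed.alarms),       # all 4 blocks alarm on flow 3
        "first_alarm_flow": first_alarm_flow,
        "poly_alarms": len(poly.alarms),         # 0: polymorphism defeats the check
        "benign_alarms": len(benign.alarms),     # 0
    }


if __name__ == "__main__":
    print(run_demo())
```

The same body from three flows is enough to raise the alarm; the XORed variant never produces a repeated block, which is why the slide's last bullet matters. A real deployment would use content-defined block boundaries rather than fixed offsets, so that inserting a byte does not shift every subsequent block.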
Gossip-based Intrusion Detection
• A local epidemic worm monitoring system
• A local detector raises an alert when the number of newly created connections exceeds a threshold
• A Bayesian network analysis system is used to correlate and aggregate alerts
ABDIAS
• Agent-based distributed alert system
• IDSs are grouped into communities
• Intra-community and inter-community communication
• A Bayesian network system is used to make decisions
CRIM
• A centralized system that collects alerts from participating IDSs
• Alert correlation rules are generated by humans offline
• The new rules are used to detect global intrusions
Host-based CIDS
• A cooperative intrusion detection system in which IDSs share their detection experience with others
• Alerts from one host are sent to its neighbors for analysis
• Feedback is aggregated based on the trustworthiness of each neighbor
• Trust values are updated after every interaction
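The last three bullets describe a loop: consult neighbors, weight their feedback by trust, then revise trust from the outcome. The example below is added here to show that loop in working code; it is not the HBCIDS authors' code, and the aggregation rule (trust-weighted mean) and update rule (exponential moving average of satisfaction) are assumptions for illustration, as is the scenario with an honest, a noisy and a lying neighbor.

```python
class TrustedNeighborhood:
    """Trust-weighted alert consultation among cooperating host IDSs.

    The aggregation and update rules are assumptions for illustration,
    not the formulas of the HBCIDS paper.
    """

    def __init__(self, neighbors, initial_trust=0.5, learning_rate=0.2):
        self.trust = {n: initial_trust for n in neighbors}
        self.rate = learning_rate

    def consult(self, feedback):
        """Aggregate neighbors' verdicts (0 = benign, 1 = malicious) weighted by trust."""
        total = sum(self.trust[n] for n in feedback)
        if total == 0.0:
            return 0.5   # nobody is trusted at all: undecided
        return sum(self.trust[n] * v for n, v in feedback.items()) / total

    def learn(self, feedback, ground_truth):
        """Update each neighbor's trust from how close its verdict was to the truth."""
        for n, v in feedback.items():
            satisfaction = 1.0 - abs(v - ground_truth)
            self.trust[n] = (1 - self.rate) * self.trust[n] + self.rate * satisfaction


def run_simulation(rounds=10):
    """Constructed scenario: an honest, a noisy and a deliberately lying neighbor."""
    nb = TrustedNeighborhood(["honest", "noisy", "liar"])
    # Verdicts the three neighbors would return on a genuinely malicious alert.
    probe = {"honest": 1, "noisy": 1, "liar": 0}
    before = nb.consult(probe)          # equal trust: 2/3
    for i in range(rounds):
        truth = i % 2                   # alternate malicious / benign alerts
        feedback = {
            "honest": truth,
            "noisy": truth if i % 3 != 2 else 1 - truth,   # wrong every third round
            "liar": 1 - truth,          # always inverts the truth
        }
        nb.learn(feedback, truth)       # the host learned the outcome afterwards
    after = nb.consult(probe)           # the liar's vote now barely counts
    return {"trust": dict(nb.trust), "verdict_before": before, "verdict_after": after}


if __name__ == "__main__":
    print(run_simulation())
```

With equal initial trust the liar's dissent drags the verdict down to 2/3; after ten interactions its trust has decayed to 0.5 * 0.8^10 (about 0.05) and the same three votes aggregate to well above 0.9. The learning rate controls how fast a neighbor that turns malicious loses influence, and how fast a previously wrong neighbor can recover.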
ALPACAS
• A cooperative spam filtering system
• Preserves the privacy of the email owners
• A P2P system is used for scalability
• Emails are divided into feature trunks and digested into feature fingerprints
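Added example of the privacy-preserving idea on this slide (not ALPACAS's own code): the message text is cut into overlapping word chunks, each chunk is digested, and only the digests are compared with the digests of known spam. The chunk size, the Jaccard similarity, the decision threshold and the three sample messages are assumptions constructed for the demo.

```python
import hashlib
import re

CHUNK_WORDS = 4   # words per feature chunk (assumption; the real system tunes this)


def feature_fingerprints(text: str):
    """Split text into overlapping word chunks and return their digests.

    Only the digests leave the machine; the words themselves do not.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    fps = set()
    for i in range(max(len(words) - CHUNK_WORDS + 1, 1)):
        chunk = " ".join(words[i:i + CHUNK_WORDS])
        fps.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return fps


def similarity(a, b):
    """Jaccard overlap of two fingerprint sets (0.0 .. 1.0)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def is_spam(fingerprints, known_spam, threshold=0.5):
    """True if the message shares enough chunks with any known spam fingerprint set."""
    return any(similarity(fingerprints, s) >= threshold for s in known_spam)


# Constructed sample messages (not real mail).
KNOWN_SPAM = ("Congratulations you have been selected to receive a free gift card "
              "click the link below to claim your prize now")
SPAM_VARIANT = ("Dear Alice you have been selected to receive a free gift card "
                "click the link below to claim your prize today")
LEGIT = ("Hi Bob attached is the agenda for tomorrow's meeting please review "
         "and send me your comments by noon")


def run_demo():
    spam_db = [feature_fingerprints(KNOWN_SPAM)]   # what peers exchange: digests only
    variant = feature_fingerprints(SPAM_VARIANT)
    return {
        "variant_similarity": similarity(variant, spam_db[0]),   # 0.75
        "variant_is_spam": is_spam(variant, spam_db),
        "legit_is_spam": is_spam(feature_fingerprints(LEGIT), spam_db),
    }


if __name__ == "__main__":
    print(run_demo())
```

The variant changes the greeting and the last word yet still shares 15 of 20 distinct chunks with the known spam, so chunking tolerates the small edits spammers make. Note the limit of the privacy claim: short chunks of common words can be recovered by hashing candidate phrases, so a deployed system has to pick chunk sizes and digests with that dictionary attack in mind.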
SmartScreen
• Phishing URL filtering system in IE8
• Allows users to report phishing websites
• A centralized decision system analyzes the collected data and generates the blacklist
• Users browsing a phishing site are warned by SmartScreen
FFCIDN
• A collaborative intrusion detection network to detect fast-flux botnets
• Observes the number of unique IP addresses a domain resolves to
• A threshold is derived to decide whether the domain is a fast-flux phishing domain
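Added example of the unique-IP count on this slide, run over a constructed DNS answer log (not FFCIDN's code or data). It also shows why the detection is collaborative: each sensor alone sees only a handful of addresses, and the count only crosses the threshold once the central correlator pools the sensors' observations. The log format, the sensor names, the threshold of 10 and all addresses are assumptions for the demo.

```python
import re
from collections import defaultdict

UNIQUE_IP_THRESHOLD = 10   # assumption for the demo; FFCIDN derives its own threshold

# Constructed DNS answer log, one line per (sensor, domain, resolved IP).
LOG_LINES = """
sensor=A domain=secure-login-update.example ip=203.0.113.11 ttl=180
sensor=A domain=secure-login-update.example ip=198.51.100.23 ttl=180
sensor=A domain=secure-login-update.example ip=192.0.2.40 ttl=180
sensor=A domain=secure-login-update.example ip=203.0.113.77 ttl=180
sensor=A domain=secure-login-update.example ip=203.0.113.11 ttl=180
sensor=B domain=secure-login-update.example ip=198.51.100.9 ttl=180
sensor=B domain=secure-login-update.example ip=192.0.2.12 ttl=180
sensor=B domain=secure-login-update.example ip=203.0.113.45 ttl=180
sensor=B domain=secure-login-update.example ip=198.51.100.61 ttl=180
sensor=C domain=secure-login-update.example ip=192.0.2.88 ttl=180
sensor=C domain=secure-login-update.example ip=203.0.113.130 ttl=180
sensor=C domain=secure-login-update.example ip=198.51.100.140 ttl=180
sensor=C domain=secure-login-update.example ip=192.0.2.201 ttl=180
sensor=A domain=mail.example ip=192.0.2.1 ttl=3600
sensor=A domain=mail.example ip=192.0.2.2 ttl=3600
sensor=B domain=mail.example ip=192.0.2.1 ttl=3600
sensor=B domain=mail.example ip=192.0.2.2 ttl=3600
sensor=C domain=mail.example ip=192.0.2.1 ttl=3600
this line is malformed and must be skipped
"""

RECORD = re.compile(r"sensor=(\S+) domain=(\S+) ip=(\d+\.\d+\.\d+\.\d+) ttl=(\d+)")


def parse(lines):
    """Return domain -> sensor -> set of resolved IPs, skipping malformed lines."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = RECORD.search(line)
        if not m:
            continue
        sensor, domain, ip, _ttl = m.groups()
        seen[domain][sensor].add(ip)
    return seen


def classify(seen, threshold=UNIQUE_IP_THRESHOLD):
    """Apply the unique-IP threshold to the pooled observations of all sensors."""
    report = {}
    for domain, per_sensor in seen.items():
        pooled = set().union(*per_sensor.values())
        report[domain] = {
            "local_max": max(len(ips) for ips in per_sensor.values()),  # best single sensor
            "unique_ips": len(pooled),                                   # after correlation
            "fast_flux": len(pooled) >= threshold,
        }
    return report


def run_demo():
    return classify(parse(LOG_LINES.splitlines()))


if __name__ == "__main__":
    for domain, verdict in run_demo().items():
        print(domain, verdict)
```

No single sensor sees more than 4 addresses for the flux domain, so a local threshold of 10 would never fire; the pooled view counts 12. In practice the raw count needs a caveat the slide does not cover: large content delivery and mail providers also answer one name with many addresses, so a deployed detector combines the count with TTL and with how many different networks the addresses fall into.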
Open Challenges
• Privacy of the exchanged information
• Incentives for IDS cooperation
• Botnet detection and removal
Conclusion
• CIDNs use collective information from participants to achieve higher intrusion detection accuracy
• A taxonomy to categorize different CIDNs
– Four features are proposed for the taxonomy
• Future challenges include how to encourage participation and how to provide privacy for data sharing among IDSs