Chapter 9: Cooperation in Intrusion Detection Networks
Authors: Carol Fung and Raouf Boutaba
Editors: M. S. Obaidat and S. Misra
John Wiley & Sons publishing
Network Intrusions
• Unwanted traffic or computer activities that may be malicious and destructive
– Denial of Service
– Identity theft
– Spam mails
• Single-host intrusion
• Cooperative attacks
Intrusion Detection Systems
• Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions
– Signature-based and anomaly-based
– Host-based and network-based
Figure 1. An example of host-based IDS and Network-based IDS
Cooperative IDS
• IDSs use collective information from other IDSs to make intrusion detection more accurate
• Several features of a CIDN
– Topology
– Cooperation scope
– Specialization
– Cooperation technology
Cooperation Technology
• Data Correlation
• Trust Management
• Load balancing
Table 1. Classification of Cooperative Intrusion Detection Networks

IDN          Topology       Scope    Specialization  Technology and algorithm
Indra        Distributed    Local    Worm            -
DOMINO       Decentralized  Hybrid   Worm            -
DShield      Centralized    Global   General         Data correlation
NetShield    Distributed    Global   Worm            Load balancing
Gossip       Distributed    Local    Worm            -
Worminator   -              Global   Worm            -
ABDIAS       Decentralized  Hybrid   General         Trust management
CRIM         Centralized    Local    General         Data correlation
HBCIDS       Distributed    Global   General         Trust management
ALPACAS      Distributed    Global   Spam            Load balancing
CDDHT        Decentralized  Local    General         -
SmartScreen  Centralized    Global   Phishing        -
FFCIDN       Centralized    Global   Botnet          Data correlation
Indra
• An early proposal for cooperative intrusion detection
• Cooperating nodes take a proactive approach and share their blacklists with others
DOMINO
• Monitors Internet outbreaks in large-scale networks
• Nodes are organized hierarchically
• Different roles are assigned to nodes
DShield
• A centralized firewall log correlation system
• Data comes from the SANS Internet Storm Center
• Not a real-time analysis system
• Data payload is removed for privacy reasons
NetShield
• A fully distributed system to monitor epidemic worms and DoS attacks
• The Chord DHT P2P system is used to load-balance the participating nodes
• An alarm is triggered if the local prevalence of a content block exceeds a threshold
• Only works on worms with a fixed attack trace; does not work on polymorphic worms
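The prevalence test and the polymorphic-worm limitation above, as an added example that is not NetShield's code or the chapter's. The block size, the threshold, the worm payload and the host addresses are all constructed for illustration; prevalence is counted as the number of distinct sources that sent a block, so one chatty host cannot raise it alone.

```python
# Added example (not from the chapter): content-block prevalence counting of
# the kind NetShield is described as using, plus the polymorphic-worm case it
# misses. Block size, threshold and payloads are constructed assumptions.
import hashlib

BLOCK_SIZE = 8     # assumption: fixed-size content blocks
THRESHOLD = 3      # assumption: alarm once a block has been seen from 3 or more sources

def content_blocks(payload, size=BLOCK_SIZE):
    """Split a payload into fixed-size blocks and return a digest per block."""
    return [hashlib.sha256(payload[i:i + size]).hexdigest()
            for i in range(0, len(payload), size)]

def prevalence(flows):
    """flows: iterable of (source, payload). Prevalence of a block = number of
    distinct sources that sent it."""
    sources = {}
    for src, payload in flows:
        for digest in content_blocks(payload):
            sources.setdefault(digest, set()).add(src)
    return {digest: len(s) for digest, s in sources.items()}

def alarms(flows, threshold=THRESHOLD):
    """Digests of the blocks whose prevalence reaches the threshold."""
    return sorted(d for d, n in prevalence(flows).items() if n >= threshold)

# Constructed worm payload: a fixed attack trace (same bytes in every instance).
WORM = b"GET /cgi-bin/x?" + b"\x90" * 16 + b"EXPLOIT"

def fixed_trace_flows():
    """Four infected hosts replaying the identical payload."""
    return [(f"10.0.0.{i}", WORM) for i in range(1, 5)]

def polymorphic_flows():
    """Four infected hosts, each sending the payload XOR-encoded with a
    per-instance key, so no two hosts share a single content block."""
    return [(f"10.0.1.{i}", bytes(b ^ i for b in WORM)) for i in range(1, 5)]

def demo():
    """Returns (number of alarms for the fixed trace, number for the polymorphic variant)."""
    return len(alarms(fixed_trace_flows())), len(alarms(polymorphic_flows()))

if __name__ == "__main__":
    print(demo())   # (5, 0): every block of the fixed trace alarms, none of the polymorphic one
```

The fixed trace produces one alarm per content block because all four sources send identical bytes; the XOR-encoded variant shares no block between any two sources, so its prevalence never rises above one and the detector stays silent, which is the limitation the slide states.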
Gossip-based Intrusion Detection
• A local epidemic worm monitoring system
• A local detector raises an alert when the number of newly created connections exceeds a threshold
• A Bayesian network analysis system is used to correlate and aggregate alerts
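The local connection-rate detector described above, as an added example that is not the Gossip system's code or the chapter's. The window length, the threshold, the connection log and the host addresses are constructed; the aggregation step is a plain vote count across detectors, a simplification of the Bayesian network the slide mentions.

```python
# Added example (not from the chapter): a local new-connection-rate detector
# of the kind the Gossip-based system is described as using, plus a simple
# cross-detector aggregation. Window, threshold and log are constructed.
from collections import deque

WINDOW_MS = 1000     # assumption: 1 s sliding window
THRESHOLD = 5        # assumption: alert when more than 5 new destinations fall in the window

def detect_scanning_hosts(conn_log, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """conn_log: iterable of (timestamp_ms, src, dst).
    Only the first connection to each (src, dst) pair counts as newly created,
    so a host talking repeatedly to a few servers is not flagged.
    Returns {src: timestamp_ms of its first alert}."""
    known = {}      # src -> destinations already contacted
    recent = {}     # src -> timestamps of new connections still inside the window
    alerts = {}
    for ts, src, dst in sorted(conn_log):
        contacted = known.setdefault(src, set())
        if dst in contacted:
            continue                      # repeat connection, not a new one
        contacted.add(dst)
        stamps = recent.setdefault(src, deque())
        stamps.append(ts)
        while stamps and ts - stamps[0] > window_ms:
            stamps.popleft()              # drop new connections older than the window
        if len(stamps) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts

def gossip_aggregate(local_alerts, min_detectors=2):
    """Combine the alert dicts of several local detectors: a host is reported
    network-wide only if at least min_detectors independent detectors flagged it.
    (Vote counting is a simplification of the Bayesian correlation the slide names.)"""
    votes = {}
    for alerts in local_alerts:
        for src in alerts:
            votes[src] = votes.get(src, 0) + 1
    return sorted(src for src, n in votes.items() if n >= min_detectors)

# Constructed sample: 10.0.0.5 opens connections to 20 new hosts within half a
# second (worm-like scanning); 10.0.0.9 talks repeatedly to the same three servers.
SAMPLE_LOG = (
    [(i * 25, "10.0.0.5", f"10.0.1.{i}") for i in range(20)]
    + [(i * 300, "10.0.0.9", f"10.0.2.{i % 3}") for i in range(10)]
)

if __name__ == "__main__":
    print(detect_scanning_hosts(SAMPLE_LOG))   # {'10.0.0.5': 125}
```

The scanner is flagged on its sixth new destination, 125 ms into the log; the host reconnecting to three servers never accumulates more than three new destinations and is left alone.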
ABDIAS
• Agent-based distributed alert system
• IDSs are grouped into communities
• Intra-community and inter-community communication
• A Bayesian network system is used to make decisions
CRIM
• A centralized system to collect alerts from participating IDSs
• Alert correlation rules are generated by humans offline
• The generated rules are used to detect global-scale intrusions
Host-based CIDS
• A cooperative intrusion detection system in which IDSs share detection experience with each other
• Alerts from one host are sent to its neighbors for analysis
• Feedback is aggregated according to the trustworthiness of each neighbor
• Trust values are updated after every interaction
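The trust-weighted aggregation and per-interaction trust update described above, as an added example that is not HBCIDS's code or the chapter's. The chapter states only the principle; the weighted-average rule, the initial trust of 0.5, the learning rate and the interaction history are assumptions made here.

```python
# Added example (not from the chapter): trust-weighted aggregation of neighbor
# feedback and a per-interaction trust update. The weighting rule, initial
# trust, learning rate and sample history are all constructed assumptions.

INITIAL_TRUST = 0.5
ALPHA = 0.2   # assumption: how far trust moves after one interaction

def aggregate(feedback, trust):
    """feedback: {neighbor: p}, p = the neighbor's belief that the alert is a real intrusion.
    trust: {neighbor: t}. Returns the trust-weighted belief, in [0, 1]."""
    total = sum(trust[n] for n in feedback)
    if total == 0:
        return 0.5                       # nobody trusted: no information either way
    return sum(trust[n] * p for n, p in feedback.items()) / total

def update_trust(trust, feedback, outcome):
    """outcome: 1 if the alert turned out to be a real intrusion, 0 if it was a false alarm.
    Each neighbor's trust moves toward how accurate its feedback was."""
    updated = dict(trust)
    for n, p in feedback.items():
        satisfaction = 1 - abs(outcome - p)       # 1 = exactly right, 0 = exactly wrong
        updated[n] = (1 - ALPHA) * trust[n] + ALPHA * satisfaction
    return updated

def simulate(rounds):
    """rounds: list of (feedback, outcome). Starts every neighbor at INITIAL_TRUST,
    records the decision made before each outcome is known, then updates trust.
    Returns (final trust, list of decisions)."""
    trust = {n: INITIAL_TRUST for n in rounds[0][0]}
    decisions = []
    for feedback, outcome in rounds:
        decisions.append(aggregate(feedback, trust) >= 0.5)
        trust = update_trust(trust, feedback, outcome)
    return trust, decisions

# Constructed history: A is an accurate neighbor, B a noisier but honest one,
# and C a malicious neighbor that always reports the opposite of the truth.
OUTCOMES = [1, 0, 1, 1, 0, 0, 1, 0]
SAMPLE_ROUNDS = [
    ({"A": o, "B": 0.8 if o else 0.2, "C": 1 - o}, o) for o in OUTCOMES
]

if __name__ == "__main__":
    final_trust, decisions = simulate(SAMPLE_ROUNDS)
    print({n: round(t, 3) for n, t in final_trust.items()}, decisions)
```

Because every neighbor starts with equal trust, the first decision leans on the two honest votes; after each round the lying neighbor's weight shrinks by the factor 1 - ALPHA, so within a handful of interactions its feedback barely moves the aggregate. A practitioner would also cap how fast trust can be regained, otherwise a neighbor can behave well briefly, rebuild trust, and lie again.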
ALPACAS
• A cooperative spam filtering system
• Preserves the privacy of the email owners
• A P2P system is used for scalability
• Emails are divided into feature trunks and digested into feature fingerprints
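The feature-trunk fingerprinting above, as an added example that is not ALPACAS's code or the chapter's: a message is split into overlapping word windows (the feature trunks), each window is hashed into a fingerprint, and a new message is compared against fingerprint sets received from peers. The window size, the match threshold and the sample messages are constructed; only the digests, never the text, would cross the network.

```python
# Added example (not from the chapter): word-shingle feature trunks digested
# into fingerprints and matched against known spam. Shingle size, threshold
# and messages are constructed assumptions.
import hashlib
import re

SHINGLE_WORDS = 4      # assumption: each feature trunk is 4 consecutive words
MATCH_THRESHOLD = 0.5  # assumption: Jaccard overlap at which a message is called spam

def feature_fingerprints(text, k=SHINGLE_WORDS):
    """Normalize the text, slide a k-word window over it and digest each window.
    The digests are one-way, which is what lets peers share them without
    sharing mail contents."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }

def similarity(fps_a, fps_b):
    """Jaccard overlap of two fingerprint sets."""
    if not fps_a or not fps_b:
        return 0.0
    return len(fps_a & fps_b) / len(fps_a | fps_b)

def is_spam(message, known_spam, threshold=MATCH_THRESHOLD):
    """known_spam: iterable of fingerprint sets received from peers."""
    fps = feature_fingerprints(message)
    return any(similarity(fps, k) >= threshold for k in known_spam)

# Constructed messages.
SPAM = ("Congratulations you have won a free prize click here to claim your "
        "reward now this offer expires in 24 hours")
SPAM_VARIANT = SPAM.replace("prize", "iphone")   # the usual word swap to dodge exact matching
HAM = ("Hi team, the meeting has moved to Thursday at 10, please bring the "
       "quarterly report and your notes")

if __name__ == "__main__":
    peers_known_spam = [feature_fingerprints(SPAM)]
    print(is_spam(SPAM_VARIANT, peers_known_spam), is_spam(HAM, peers_known_spam))
```

Swapping one word changes only the four windows that contain it, so 13 of the 17 original trunks survive and the variant still matches; an unrelated message shares no trunk at all. The privacy property is weaker than it looks: short windows over common phrases can be brute-forced from a dictionary, so a real deployment would key or salt the digest per group of peers.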
SmartScreen
• Phishing URL filtering system in IE8
• Allows users to report phishing websites
• A centralized decision system analyzes the collected data and generates the blacklist
• Users browsing a phishing site are warned by SmartScreen
FFCIDN
• A collaborative intrusion detection network to detect fast-flux botnets
• Observes the number of unique IP addresses a domain resolves to
• A threshold is derived to decide whether the domain is a fast-flux phishing domain
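The unique-IP count and threshold above, as an added example that is not FFCIDN's code or the chapter's, and showing why pooling observations from several nodes matters. The chapter says only that a threshold is derived; the threshold value, the domain names, the node names and the DNS observations are all constructed here.

```python
# Added example (not from the chapter): pool DNS observations from several
# collaborating nodes and count the unique IP addresses each domain has
# resolved to. Threshold, domains and observations are constructed assumptions.
from collections import defaultdict

UNIQUE_IP_THRESHOLD = 5   # assumption: the chapter derives a threshold but gives no value here

def unique_ips_per_domain(observations):
    """observations: iterable of (reporting_node, domain, resolved_ip)."""
    ips = defaultdict(set)
    for _, domain, ip in observations:
        ips[domain].add(ip)
    return {domain: len(s) for domain, s in ips.items()}

def fast_flux_domains(observations, threshold=UNIQUE_IP_THRESHOLD):
    """Domains whose pooled unique-IP count exceeds the threshold."""
    counts = unique_ips_per_domain(observations)
    return sorted(d for d, n in counts.items() if n > threshold)

def per_node(observations):
    """Split the pooled observations back into each node's own view."""
    views = defaultdict(list)
    for obs in observations:
        views[obs[0]].append(obs)
    return dict(views)

# Constructed observations from five nodes. The fast-flux domain hands every
# node a different set of three compromised hosts; the CDN-like domain answers
# everyone with the same three addresses.
SAMPLE_OBSERVATIONS = [
    (f"node{n}", "login-update.example", f"192.0.2.{n * 10 + i}")
    for n in range(1, 6) for i in range(1, 4)
] + [
    (f"node{n}", "cdn.example", f"198.51.100.{i}")
    for n in range(1, 6) for i in range(1, 4)
]

if __name__ == "__main__":
    print(fast_flux_domains(SAMPLE_OBSERVATIONS))           # ['login-update.example']
    print({node: fast_flux_domains(view) for node, view in per_node(SAMPLE_OBSERVATIONS).items()})
```

Each node on its own sees only three addresses for the fast-flux domain and stays under the threshold; pooled across the network the count reaches fifteen and the domain is flagged. A raw unique-IP count also fires on large round-robin and CDN hostnames, so in practice the count is combined with the low TTLs and the spread across autonomous systems that characterize fast-flux networks.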
Open Challenges
• Privacy of the exchanged information
• Incentives for IDS cooperation
• Botnet detection and removal
Conclusion
• CIDNs use collective information from participants to achieve higher intrusion detection accuracy
• A taxonomy to categorize different CIDNs
– Four features are proposed for the taxonomy
• The future challenges include how to encourage participation and provide privacy for data-sharing among IDSs