
Chapter 9: Cooperation in Intrusion Detection Networks


Presentation Transcript


  1. Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra John Wiley & Sons publishing

  2. Network Intrusions • Unwanted traffic or computer activities that may be malicious and destructive • Denial of Service • Identity theft • Spam e-mails • Single-host intrusions • Cooperative attacks

  3. Intrusion Detection Systems • Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions • Signature-based and anomaly-based • Host-based and network-based

  4. Figure 1. An example of host-based IDS and Network-based IDS

  5. Cooperative IDS • IDSs use collective information from others to make more accurate intrusion detection • Several features of CIDN • Topology • Cooperation Scope • Specialization • Cooperation Technology

  6. Cooperation Technology • Data correlation • Trust management • Load balancing

  7. Table 1. Classification of Cooperative Intrusion Detection Networks

  8. Indra • An early proposal for cooperative intrusion detection • Cooperating nodes take a proactive approach and share their blacklists with others

  9. DOMINO • Monitor internet outbreaks for large-scale networks • Nodes are organized hierarchically • Different roles are assigned to nodes

  10. DShield • A centralized firewall log correlation system • Data is collected by the SANS Internet Storm Center from participants' firewall logs • Not a real-time analysis system • Packet payloads are removed for privacy reasons

  11. NetShield • A fully distributed system to monitor epidemic worms and DoS attacks • The Chord DHT P2P system is used to load-balance the participating nodes • An alarm is triggered if the local prevalence of a content block exceeds a threshold • Only works on worms with a fixed attack trace; polymorphic worms are not detected
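The content-prevalence rule on this slide, and the polymorphic-worm caveat, can be shown in a few dozen lines. The block below is an added example written for this page, not NetShield's code: it assumes payloads are cut into fixed-size blocks, that a block is identified by its SHA-256 digest, and that an alarm fires once the same block has been seen in THRESHOLD distinct flows. The traffic is constructed (the fixed trace is modelled on the Code Red `default.ida` request); NetShield's Chord DHT is replaced by an in-process dictionary so only the detection logic remains.

```python
"""Content-prevalence worm detection in the style of the NetShield slide (added example).

Assumptions not taken from the chapter: 16-byte non-overlapping blocks,
SHA-256 block identities, and a prevalence threshold of 3 distinct flows.
Real deployments also check address dispersion so that popular benign
content (e.g. a shared file) does not trip the rule; that is omitted here.
"""
import hashlib
from collections import defaultdict

BLOCK_SIZE = 16
THRESHOLD = 3


def content_blocks(payload: bytes, block_size: int = BLOCK_SIZE):
    """Yield digests of fixed-size, non-overlapping payload blocks."""
    for off in range(0, len(payload) - block_size + 1, block_size):
        yield hashlib.sha256(payload[off:off + block_size]).hexdigest()


class PrevalenceMonitor:
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.flows_by_block = defaultdict(set)   # digest -> {(src, dst), ...}
        self.alarms = []                          # digests that crossed the threshold

    def observe(self, src: str, dst: str, payload: bytes):
        """Record one flow; return the block digests that crossed the threshold on this flow."""
        fired = []
        for digest in content_blocks(payload):
            flows = self.flows_by_block[digest]
            was_below = len(flows) < self.threshold
            flows.add((src, dst))
            if was_below and len(flows) >= self.threshold:
                fired.append(digest)
                self.alarms.append(digest)
        return fired


# Constructed traffic, not captured data.
WORM_TRACE = b"GET /default.ida?" + b"N" * 32 + b" HTTP/1.0\r\n\r\n"   # 62 bytes -> 3 full blocks


def fixed_worm_traffic():
    """Four infected hosts send the identical attack trace to one victim."""
    return [(f"10.0.0.{i}", "192.0.2.1", WORM_TRACE) for i in range(1, 5)]


def polymorphic_traffic():
    """Same attack, but each copy is XOR-encoded with a different one-byte key,
    so no 16-byte block repeats across flows and prevalence never builds up."""
    return [(f"10.0.0.{i}", "192.0.2.1", bytes(b ^ i for b in WORM_TRACE)) for i in range(1, 5)]


def alarm_count(traffic) -> int:
    """Feed a list of (src, dst, payload) to a fresh monitor and return how many alarms fired."""
    mon = PrevalenceMonitor()
    for src, dst, payload in traffic:
        mon.observe(src, dst, payload)
    return len(mon.alarms)


if __name__ == "__main__":
    print("fixed trace alarms:", alarm_count(fixed_worm_traffic()))        # 3 blocks, all flagged
    print("polymorphic alarms:", alarm_count(polymorphic_traffic()))      # 0
```

With the fixed trace every one of the three payload blocks reaches three flows on the third infected host, so three alarms fire; with the XOR-mutated copies every block digest is unique to its flow and the monitor stays silent, which is exactly the limitation the slide records.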

  12. Gossip-based Intrusion Detection • A local epidemic worm monitoring system • A local detector raises an alert when the number of newly created connections exceeds a threshold • A Bayesian network analysis system is used to correlate and aggregate alerts

  13. ABDIAS • Agent-Based Distributed Intrusion Alert System • IDSs are grouped into communities • Intra-community and inter-community communication • A Bayesian network system is used to make decisions

  14. CRIM • A centralized system that collects alerts from participating IDSs • Alert correlation rules are generated by humans offline • The new rules are used to detect global intrusions

  15. Host-based CIDS • A cooperative intrusion detection system in which IDSs share detection experience with each other • Alerts from one host are sent to its neighbors for analysis • Feedback is aggregated according to the trustworthiness of each neighbor • Trust values are updated after every interaction
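The two mechanisms on this slide, trust-weighted aggregation of neighbor feedback and per-interaction trust updates, are shown together below. This is an added example for this page, not the CIDS implementation: it assumes each neighbor answers with a score in [0, 1] (its belief that the alert is a real intrusion), that the host weights those scores by its current trust in the sender, and that trust moves toward 1 or 0 by a fixed learning rate ALPHA depending on whether the neighbor's answer was on the right side of 0.5 once ground truth is known. The Bayesian trust model used in the literature is replaced by that exponential moving average; neighbors A, B (honest) and C, D (always wrong) are constructed.

```python
"""Trust-weighted feedback aggregation and trust updates (added example for the host-based CIDS slide).

Assumed, not from the chapter: feedback scores in [0, 1], a 0.5 decision
threshold, an initial trust of 0.5 for unknown neighbors, and an
exponential-moving-average trust update with rate ALPHA.
"""
from dataclasses import dataclass, field

ALPHA = 0.3   # trust learning rate (assumed)


@dataclass
class Host:
    name: str
    trust: dict = field(default_factory=dict)   # neighbor -> trust in [0, 1]

    def trust_in(self, neighbor: str) -> float:
        return self.trust.get(neighbor, 0.5)     # strangers start at 0.5

    def aggregate(self, feedback: dict) -> float:
        """feedback: {neighbor: score}. Return the trust-weighted mean score."""
        total = sum(self.trust_in(n) for n in feedback)
        if total == 0:
            return 0.0
        return sum(self.trust_in(n) * s for n, s in feedback.items()) / total

    def update_trust(self, feedback: dict, truth: bool) -> None:
        """After the outcome is known, pull each neighbor's trust toward 1 if its
        feedback agreed with the truth, toward 0 otherwise."""
        for n, s in feedback.items():
            target = 1.0 if (s >= 0.5) == truth else 0.0
            self.trust[n] = self.trust_in(n) + ALPHA * (target - self.trust_in(n))


def simulate(rounds: int = 11):
    """Alternate real and false alerts. A and B answer honestly; C and D always
    answer the opposite of the truth (colluding bad neighbors).
    Returns (final trust dict, list of per-round verdicts)."""
    host = Host("h0")
    verdicts = []
    for r in range(rounds):
        truth = (r % 2 == 0)                      # even rounds are real intrusions
        feedback = {                               # constructed neighbor answers
            "A": 0.9 if truth else 0.1,
            "B": 0.8 if truth else 0.2,
            "C": 0.1 if truth else 0.9,
            "D": 0.1 if truth else 0.9,
        }
        verdicts.append(host.aggregate(feedback) >= 0.5)
        host.update_trust(feedback, truth)
    return host.trust, verdicts


if __name__ == "__main__":
    trust, verdicts = simulate()
    print("first verdict (all trust 0.5):", verdicts[0])    # False: the two liars outvote the honest pair
    print("last verdict:", verdicts[-1])                    # True: honest neighbors now carry the weight
    print({n: round(t, 3) for n, t in trust.items()})
```

In the first round every neighbor carries equal weight, so the two dishonest scores drag a real intrusion (0.9, 0.8, 0.1, 0.1) below the 0.5 line and the host gets it wrong. After ten interactions the honest neighbors' trust is about 0.99 and the liars' about 0.01, and the same four answers now aggregate to roughly 0.84. The example generalises the slide in one respect: it also shows why unknown neighbors should start with neutral rather than full trust.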

  16. ALPACAS • A cooperative spam filtering system • Preserves the privacy of the email owners • A P2P system is used for scalability • Emails are divided into feature chunks and digested into feature fingerprints
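The privacy property on this slide rests on peers exchanging digests of message features rather than message text. The block below is an added illustration written for this page, not ALPACAS's own feature-extraction code: it assumes the body is tokenised into words, cut into overlapping three-word chunks, each chunk digested with truncated SHA-256, and a peer that holds only fingerprints reported as spam returns the fraction of a query's fingerprints it recognises. The three messages are constructed.

```python
"""Feature-fingerprint spam similarity in the spirit of the ALPACAS slide (added example).

Assumptions not from the chapter: word-level 3-shingles as feature chunks,
16 hex chars of SHA-256 per chunk, and a match score equal to the fraction
of the query's fingerprints already reported as spam. Fingerprints, not
text, are what crosses the network, so the peer never sees either message.
"""
import hashlib
import re

SHINGLE = 3
MATCH_THRESHOLD = 0.5   # assumed


def feature_fingerprints(body: str) -> set:
    """Digest every overlapping SHINGLE-word chunk of the message body."""
    words = re.findall(r"[a-z0-9]+", body.lower())
    chunks = (" ".join(words[i:i + SHINGLE]) for i in range(len(words) - SHINGLE + 1))
    return {hashlib.sha256(c.encode()).hexdigest()[:16] for c in chunks}


class SpamPeer:
    """Holds fingerprints contributed by other peers, never message text."""

    def __init__(self):
        self.known = set()

    def contribute(self, fps: set) -> None:
        self.known |= fps

    def score(self, fps: set) -> float:
        """Fraction of the query's fingerprints previously reported as spam."""
        return len(fps & self.known) / len(fps) if fps else 0.0

    def is_spam(self, fps: set, threshold: float = MATCH_THRESHOLD) -> bool:
        return self.score(fps) >= threshold


# Constructed messages (not real mail).
SPAM = "Congratulations! You have won a free cruise. Click here to claim your prize now."
SPAM_VARIANT = "CONGRATULATIONS!! you have won a free cruise, click here to claim your prize today"
HAM = "Hi team, the incident review for last week's outage is moved to Thursday 3pm."


def demo() -> dict:
    """One user reports SPAM; a second user queries a near-duplicate and a benign mail."""
    peer = SpamPeer()
    peer.contribute(feature_fingerprints(SPAM))
    return {
        "variant": peer.score(feature_fingerprints(SPAM_VARIANT)),
        "ham": peer.score(feature_fingerprints(HAM)),
    }


if __name__ == "__main__":
    print(demo())   # variant ~0.92 (11 of 12 chunks shared), ham 0.0
```

Punctuation, case and the changed last word alter only one of the twelve chunks, so the variant still scores above the threshold, while the benign message shares no chunk at all. Overlapping chunks are what make the scheme robust to small edits; fixed, non-overlapping chunks would let a single inserted word shift every later chunk boundary.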

  17. SmartScreen • Phishing URL filtering system in IE8 • Allows users to report phishing websites • A centralized decision system analyzes the collected data and generates the blacklist • Users browsing a blacklisted phishing site are warned by SmartScreen

  18. FFCIDN • A collaborative intrusion detection network to detect fast-flux botnets • Observes the number of unique IP addresses a domain resolves to • A threshold is derived to decide whether the domain is a fast-flux phishing domain
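The reason this detector is collaborative rather than local is that a single vantage point sees only the slice of the flux pool that the botnet's DNS happens to hand it. The added example below is written for this page and is not FFCIDN's code: it assumes each node logs (domain, answered IP) pairs, that a coordinator unions the per-node sets, and that a domain is flagged once its distinct-IP count exceeds FLUX_THRESHOLD. The threshold value and the three nodes' DNS observations are constructed; the chapter derives its threshold from measurements.

```python
"""Collaborative fast-flux domain detection in the spirit of the FFCIDN slide (added example).

Assumptions not from the chapter: per-node (domain, ip) observation logs,
a coordinator that unions them, and an illustrative threshold of 10.
"""
from collections import defaultdict

FLUX_THRESHOLD = 10   # assumed; the chapter derives its own value


def unique_ips(observations) -> dict:
    """observations: iterable of (domain, ip). Return {domain: set(ip)}."""
    seen = defaultdict(set)
    for domain, ip in observations:
        seen[domain].add(ip)
    return seen


def merge(per_node) -> dict:
    """Union the {domain: set(ip)} views contributed by cooperating nodes."""
    merged = defaultdict(set)
    for view in per_node:
        for domain, ips in view.items():
            merged[domain] |= ips
    return merged


def flagged(view: dict, threshold: int = FLUX_THRESHOLD) -> set:
    """Domains whose distinct resolved-IP count exceeds the threshold."""
    return {d for d, ips in view.items() if len(ips) > threshold}


def node_log(node_index: int):
    """Constructed DNS observations for one node (documentation address ranges,
    not real data). Each node receives a different 5-address slice of the flux
    pool; the CDN-backed domain answers from one stable 3-address pool."""
    flux = [("login-verify.example", f"198.51.100.{node_index * 5 + k}") for k in range(5)]
    cdn = [("static.example", f"203.0.113.{k}") for k in range(3)]
    return flux + cdn


def run(nodes: int = 3):
    """Return (per-node local verdicts, verdict on the merged view)."""
    views = [unique_ips(node_log(i)) for i in range(nodes)]
    local = [flagged(v) for v in views]
    global_view = flagged(merge(views))
    return local, global_view


if __name__ == "__main__":
    local, global_view = run()
    print("local:", local)            # three empty sets: 5 IPs each is under the threshold
    print("merged:", global_view)     # {'login-verify.example'}: 15 distinct IPs
```

Each node alone sees five addresses for the flux domain and never crosses the threshold; the merged view has fifteen and flags it, while the CDN domain stays at three addresses in every view. The same union also handles the benign case that a naive per-resolution count gets wrong: a large legitimate pool is still bounded, whereas a flux pool keeps growing as more nodes contribute.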

  19. Open Challenges • Privacy of the exchanged information • Incentive of IDS cooperation • Botnet detection and removal

  20. Conclusion • CIDNs use collective information from participants to achieve higher intrusion detection accuracy • A taxonomy is proposed to categorize different CIDNs • Four features are used in the taxonomy • The future challenges include how to encourage participation and how to provide privacy for data sharing among IDSs
