Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra Jon Wiley & Sons publishing



Chapter 9: Cooperation in Intrusion Detection Networks

Authors: Carol Fung and Raouf Boutaba

Editors: M. S. Obaidat and S. Misra

John Wiley & Sons publishing


Network Intrusions

• Unwanted traffic or computer activities that may be malicious and destructive
  – Denial of Service
  – Identity theft
  – Spam mails

• Single-host intrusion

• Cooperative attacks


Intrusion Detection Systems

• Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions
  – Signature-based and anomaly-based
  – Host-based and network-based


Figure 1. An example of host-based IDS and Network-based IDS


Cooperative IDS

• IDSs use collective information from others to make more accurate intrusion detection

• Several features of a CIDN
  – Topology
  – Cooperation Scope
  – Specialization
  – Cooperation Technology


Cooperation Technology

• Data Correlation

• Trust Management

• Load balance


Table 1. Classification of Cooperative Intrusion Detection Networks

IDN          Topology       Scope    Specialization   Technology and algorithm
Indra        Distributed    Local    Worm             -
DOMINO       Decentralized  Hybrid   Worm             -
DShield      Centralized    Global   General          Data correlation
NetShield    Distributed    Global   Worm             Load-balancing
Gossip       Distributed    Local    Worm             -
Worminator   -              Global   Worm             -
ABDIAS       Decentralized  Hybrid   General          Trust management
CRIM         Centralized    Local    General          Data correlation
HBCIDS       Distributed    Global   General          Trust management
ALPACAS      Distributed    Global   Spam             Load-balancing
CDDHT        Decentralized  Local    General          -
SmartScreen  Centralized    Global   Phishing         -
FFCIDN       Centralized    Global   Botnet           Data correlation


Indra

• An early proposal on cooperative intrusion detection

• Cooperating nodes take a proactive approach, sharing their blacklists with others


DOMINO

• Monitors Internet outbreaks in large-scale networks

• Nodes are organized hierarchically

• Different roles are assigned to nodes


DShield

• A centralized firewall log correlation system

• Data comes from the SANS Internet Storm Center

• Not a real time analysis system

• Data payloads are removed because of privacy concerns


NetShield

• A fully distributed system to monitor epidemic worm and DoS attacks

• The Chord DHT P2P system is used to load-balance the participating nodes

• Alarm is triggered if the local prevalence of a content block exceeds a threshold

• Only works on worms with fixed attack traces; it does not work on polymorphic worms
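The prevalence check on the NetShield slide, as an added Python example (not the chapter's or NetShield's own code): each payload is cut into fixed-size content blocks, every block is hashed, and an alarm fires once a block has been seen from an assumed number of distinct sources. The block size, the threshold and the hash-to-node mapping that stands in for the Chord DHT are all assumptions. The second run shows the limitation stated above: three constructed payloads that share no block never reach the threshold.

```python
import hashlib
from collections import defaultdict

BLOCK_SIZE = 8     # assumed content-block length (the slide gives no value)
THRESHOLD = 3      # assumed prevalence threshold: distinct sources per block
N_NODES = 4        # assumed number of monitoring nodes in the DHT

def content_blocks(payload: bytes, size: int = BLOCK_SIZE) -> set:
    """Hash every fixed-size window of the payload; repeated windows collapse to one block."""
    return {hashlib.sha1(payload[i:i + size]).hexdigest()
            for i in range(len(payload) - size + 1)}

def responsible_node(block: str, n_nodes: int = N_NODES) -> int:
    """Stand-in for the Chord lookup: which node tracks this block's prevalence."""
    return int(block, 16) % n_nodes

class PrevalenceMonitor:
    """Per block, the set of distinct sources that sent it (all nodes' views merged here)."""
    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.sources = defaultdict(set)

    def observe(self, src: str, payload: bytes) -> list:
        """Record one flow; return the blocks whose prevalence just reached the threshold."""
        alarms = []
        for block in content_blocks(payload):
            self.sources[block].add(src)
            if len(self.sources[block]) == self.threshold:
                alarms.append((responsible_node(block), block))
        return alarms

def run_demo():
    """Constructed traffic: one fixed worm payload vs. three byte-wise different payloads."""
    fixed = PrevalenceMonitor()
    worm = b"GET /cgi-bin/x?" + b"\x90" * 16 + b" HTTP/1.0"   # 40 bytes, 25 distinct blocks
    fixed_alarms = sum(len(fixed.observe(f"10.0.0.{i}", worm)) for i in range(1, 4))
    poly = PrevalenceMonitor()
    variants = [bytes(range(k, k + 40)) for k in (0, 50, 100)]  # no 8-byte block in common
    poly_alarms = sum(len(poly.observe(f"10.0.1.{i}", v))
                      for i, v in enumerate(variants, 1))
    return fixed_alarms, poly_alarms   # (25, 0)
```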


Gossip-based Intrusion Detection

• A local epidemic worm monitoring system

• A local detector raises an alert when the number of newly created connections exceeds a threshold

• A Bayesian network analysis system is used to correlate and aggregate alerts


ABDIAS

• Agent-based distributed alert system

• IDSs are grouped into communities

• Intra-community/inter-community communication

• A Bayesian network system is used to make decisions


CRIM

• A centralized system to collect alerts from participating IDSs

• Alert correlation rules are generated by humans offline

• New rules are used to detect global-wide intrusions


Host-based CIDS

• A cooperative intrusion system where IDSs share detection experience with others

• Alerts from one host are sent to neighbors for analysis

• Feedback is aggregated based on the trustworthiness of the neighbor

• Trust values are updated after every interaction experience
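The trust-weighted feedback loop on this slide, as an added Python example rather than the HBCIDS code or the chapter's own formulas: each neighbor's verdict is weighted by the trust the host holds in it, and once the alert's true nature is known, trust moves toward that neighbor's accuracy with an exponential moving average. The 0.5 initial trust, the learning rate ALPHA and the decision threshold are assumptions.

```python
from dataclasses import dataclass, field

ALPHA = 0.2          # assumed learning rate for the trust update
DECISION = 0.5       # assumed threshold on the trust-weighted score

@dataclass
class Host:
    """One IDS in the network; trust in an unknown neighbor starts at an assumed 0.5."""
    name: str
    trust: dict = field(default_factory=dict)

    def consult(self, feedback: dict) -> float:
        """feedback: neighbor -> 1.0 (malicious) or 0.0 (benign). Returns the weighted score."""
        weights = {n: self.trust.get(n, 0.5) for n in feedback}
        total = sum(weights.values())
        if total == 0:
            return 0.0
        return sum(weights[n] * f for n, f in feedback.items()) / total

    def learn(self, feedback: dict, truth: float) -> None:
        """After the alert's true nature is known, move trust toward each neighbor's accuracy."""
        for n, f in feedback.items():
            accuracy = 1.0 - abs(f - truth)
            self.trust[n] = (1 - ALPHA) * self.trust.get(n, 0.5) + ALPHA * accuracy

def run_demo():
    """Constructed scenario: two reliable neighbors say malicious, one poor neighbor says benign."""
    host = Host("h1", trust={"A": 0.9, "B": 0.8, "C": 0.2})
    feedback = {"A": 1.0, "B": 1.0, "C": 0.0}
    score = host.consult(feedback)      # (0.9 + 0.8) / 1.9 ~= 0.895, above DECISION
    host.learn(feedback, truth=1.0)     # A -> 0.92, B -> 0.84, C -> 0.16
    return score, dict(host.trust)
```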


ALPACAS

• A cooperative spam filtering system

• Preserves the privacy of the email owners

• A P2P system is used for the scalability of the system

• Emails are divided into feature trunks and digested into feature fingerprints


SmartScreen

• Phishing URL filtering system in IE8

• Allows users to report phishing websites

• A centralized decision system analyzes the collected data and generates the blacklist

• Users browsing a phishing site will be warned by SmartScreen


FFCIDN

• A collaborative intrusion detection network to detect fast-flux botnets

• Observes the number of unique IP addresses associated with a domain

• A threshold is derived to decide whether the domain is a fast-flux phishing domain
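The unique-IP count on the FFCIDN slide, as an added Python example (not the chapter's or FFCIDN's code) over constructed observation lines of the form `observer domain ip`: counts are merged across the collaborating observers, and the threshold of 8 is an assumption, since the slide does not say how it is derived. The example shows why cooperation matters here: any single observer stays below the threshold while the merged view crosses it.

```python
from collections import defaultdict

THRESHOLD = 8   # assumed: unique IPs at which a domain is flagged

# Constructed observations, one per line: "<observer> <domain> <resolved ip>".
# www.example.org resolves to two addresses everywhere; flux.example.net hands
# each observer four addresses it never shows the others (12 unique in total).
OBSERVATIONS = [
    "obs1 www.example.org 198.51.100.10",
    "obs1 www.example.org 198.51.100.11",
    "obs2 www.example.org 198.51.100.10",
    "obs3 www.example.org 198.51.100.11",
] + [f"obs{k} flux.example.net 203.0.113.{10 * k + j}"
     for k in (1, 2, 3) for j in range(1, 5)]

def unique_ips(lines, observer=None) -> dict:
    """Map domain -> number of distinct IPs, optionally restricted to one observer."""
    seen = defaultdict(set)
    for line in lines:
        obs, domain, ip = line.split()
        if observer is None or obs == observer:
            seen[domain].add(ip)
    return {domain: len(ips) for domain, ips in seen.items()}

def flag_fast_flux(lines, threshold=THRESHOLD, observer=None) -> list:
    """Domains whose unique-IP count reaches the threshold, sorted for stable output."""
    counts = unique_ips(lines, observer)
    return sorted(domain for domain, n in counts.items() if n >= threshold)
```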


Open Challenges

• Privacy of the exchanged information

• Incentives for IDS cooperation

• Botnet detection and removal


Conclusion

• CIDNs use collective information from participants to achieve higher intrusion detection accuracy

• A taxonomy to categorize different CIDNs
  – Four features are proposed for the taxonomy

• The future challenges include how to encourage participation and provide privacy for data-sharing among IDSs