Trust Management for Host-based Collaborative Intrusion Detection
Carol Fung, Olga Baysal, Jie Zhang, Issam Aib and Raouf Boutaba
David R. Cheriton School of Computer Science
University of Waterloo
Outline
• Introduction
• Motivation
• Trust Model
• Robustness
• Attacks Prevention
• Conclusions
Introduction
• The worldwide impact of malicious intrusions is estimated to be over $10 Billion annually
• Intrusions include viruses/worms, spyware, spam, DoS, unauthorized login.
• Traditional isolated IDSes are inefficient in detecting unknown intrusions.
Benefits of IDS Collaboration
• Accurate alert ranking
• Effective intrusion detection and prevention
• Worm spreading warning
Related Work
• Current collaborative architectures have strong assumptions on the trustworthiness (all IDSes are trusted and faithfully report intrusion events) [1,2,3,4]
• Used trust models are naïve [5, 6]
• Many efficient trust management models in other areas such as e-market and P2P networks [7,8,9]
Contribution
1. Build a trust management model for IDS collaboration
2. Propose a framework for efficient collaboration of IDSes
Scenario
[Figure: Waterloo alliance and Kitchener alliance; hosts Alice, Carol, Lynne and Paul; label "Intrusion"]
Framework
Three components:
• Joining the network
• Trust establishment
• Consultation
[Figure: joining the network. Peers: Bob, Alice, Paul, Ken, Carol, Julia. Labels: "Request to Join"; "Accept + acquaintance list"; Bob and CA: "Register", "Public key + Private key", "Verification"]
Framework
Three components:
• Join the network
• Trust establishment
• Test phase
• Consultation
[Figure: test phase. Peers: Alice, Paul, Ken, Carol, Julia, Bob. Test message "test1" (shown five times): "What is the risk of this alert? <Alert description >" (Answer: High). Replies: high, high, high, high, Low. Label: "Ken is not reliable". Trust values shown: 0.1, 0.9, 0.9, 1.0, 0.7]
Framework
Three components:
• Join the network
• Trust establishment
• Consultation
[Figure: consultation. Peers: Alice, Paul, Ken, Carol, Julia, Bob. "Request" (shown five times): "What is the risk of this alert? <Alert description…>" (Real Case). Replies: high, Low, Low, Low, Low. Label: "Should be low risk". Trust values shown: 1.0, 0.1, 0.9, 0.9, 0.7]
Trust Establishment
Trust level is built on history
• Satisfactory level of past feedbacks
• Helpfulness
$TrustLevel = \frac{3 + 3\lambda + 2\lambda^{2}}{3 + 3\lambda + 3\lambda^{2}}$
Feedback   Expected Answer   Satisfaction Level
High       High              3
Medium     High              1
Low        High              0
Paul’s History
Feedback1: 2
Feedback2: 3
Feedback3: 3
$TrustLevel = \frac{3 + 3 + 2}{3 + 3 + 3}$
Naive!
Integration of Don’t Knows
Reply “don’t know” is allowed
• Trust value will approach the level of a stranger
$T_{final} = T_{wo}\,(1 - x^{1/m}) + T_{stranger}\,x^{1/m}$
[Figure: trust value against percentage of don’t knows; levels labelled "Fully trustable", "Stranger" and "Not trustable"; values marked 0.5, 0.4, 20% and 100%]
Feedback Aggregation
Depends on:
• Peers’ trust values
• Trust weight
• Peer’s location
• Proximity weight
Feedback Aggregation
• Weighted average
• Threshold
Name Trust Proximity Ranking
Alice 1 1 (Waterloo) High(3)
Carol 0.9 1 (Waterloo) High(3)
Julia 0.9 0.9 (Toronto) High(3)
Ken 0.1 0.7 (US) Low(1)
Paul 0.7 0.7 (US) Medium(2)
$finalRanking = \frac{3\cdot1\cdot1 + 3\cdot0.9\cdot1 + 3\cdot0.9\cdot0.9 + 2\cdot0.7\cdot0.7}{1\cdot1 + 0.9\cdot1 + 0.9\cdot0.9 + 0.7\cdot0.7} = 2.85$
High Risk!
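The aggregation on this slide, written out as an added example (not code from the talk or its authors): peers below a trust threshold are dropped and the remaining rankings are averaged with weight trust × proximity. The threshold value 0.5, the rounding rule in `risk_label` and the helper `with_newcomers` are assumptions; the slides give no threshold value.

```python
from dataclasses import dataclass

# Assumed cut-off: the slides show 0.1 and 0.2 being ignored and 0.7 being
# counted, but give no threshold value.
TRUST_THRESHOLD = 0.5
LEVELS = {1: "Low", 2: "Medium", 3: "High"}

@dataclass(frozen=True)
class Feedback:
    peer: str
    trust: float      # trust value the requester holds for this peer (0..1)
    proximity: float  # proximity weight of the peer (0..1)
    ranking: int      # 1 = Low, 2 = Medium, 3 = High

# Values copied from the table on the slide.
SLIDE_FEEDBACK = [
    Feedback("Alice", 1.0, 1.0, 3),
    Feedback("Carol", 0.9, 1.0, 3),
    Feedback("Julia", 0.9, 0.9, 3),
    Feedback("Ken", 0.1, 0.7, 1),
    Feedback("Paul", 0.7, 0.7, 2),
]

def aggregate(feedback, threshold=TRUST_THRESHOLD):
    """Return (final ranking, peers used): the trust*proximity weighted
    average over peers whose trust is at or above the threshold."""
    used = [f for f in feedback if f.trust >= threshold]
    total_weight = sum(f.trust * f.proximity for f in used)
    if total_weight == 0:
        raise ValueError("no feedback from a sufficiently trusted peer")
    score = sum(f.ranking * f.trust * f.proximity for f in used) / total_weight
    return score, [f.peer for f in used]

def risk_label(score):
    """Assumption: the final ranking is rounded to the nearest level."""
    return LEVELS[min(3, max(1, round(score)))]

def with_newcomers(feedback, count, trust=0.2):
    """Constructed input: `count` new comers at trust 0.2, all answering Low."""
    extra = [Feedback(f"newcomer{i}", trust, 1.0, 1) for i in range(count)]
    return list(feedback) + extra

if __name__ == "__main__":
    score, used = aggregate(SLIDE_FEEDBACK)
    print(f"{score:.2f} {risk_label(score)} from {used}")
    flooded = with_newcomers(SLIDE_FEEDBACK, 20)
    print(f"{aggregate(flooded)[0]:.2f} filtered, {aggregate(flooded, 0.0)[0]:.2f} unfiltered")
```

With the slide's table the result is 2.85 (High). Twenty constructed new comers answering Low leave it unchanged when the threshold is applied and pull it to 1.81 (Medium) when it is not.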
Threat Model
• Sybil Attack
• New Comer Attack
• Identity Cloning Attack
• Betrayal Attack
• Collusion Attack
Sybil Attack
[Figure: four nodes labelled "Dummy"]
One IP address per ID!
New Comer Attack
[Figure: a new comer (0.2) among other peers; labels: "Considered" (six times) and "Ignored" (once)]
Identity Cloning Attack
[Figure: a node claiming "I am Alice" among six peers labelled "Trusted"; message label "(Sessionkey+Signature)BobPubKey"]
This session key is not from Alice
Betrayal Attack
[Figure: labels "Trusted" and "Malicious"; two trust lists]
Alice 1.0, Carol 1.0, Lynne 0.9, Paul 0.7
Carol 1.0, Lynne 0.9, Paul 0.7, Alice 0.3
Trust is easy to lose and hard to gain
Collusion Attack
[Figure: seven peers labelled "Trusted"; labels: "Request for alert ranking", "Inconsistent alert ranking!", "Test message!"]
Malicious peers are uncovered!
What’s Next?
• Simulation design and implementation
• Design more sophisticated trust management model
• Alert categorization
• Expertise in intrusion detection
Conclusion
• Proposed a trust-based IDS collaboration model
• More accurate intrusion detection
• Robust to several attacks
• Novel ideas
• Use of test messages in trust establishment
• Integration of “don’t knows” into trust value
• Introduction of proximity
• Aggregation threshold