
Chapter 9: Cooperation in Intrusion Detection Networks

Authors: Carol Fung and Raouf Boutaba

Editors: M. S. Obaidat and S. Misra

John Wiley & Sons publishing

Network Intrusions

  • Unwanted traffic or computer activities that may be malicious and destructive

    • Denial of Service

    • Identity theft

    • Spam emails

  • Single-host intrusion

  • Cooperative attacks

Intrusion Detection Systems

  • Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions

    • Signature-based and anomaly-based

    • Host-based and network-based

Figure 1. An example of host-based IDS and Network-based IDS

Cooperative IDS

  • IDSs use collective information from other IDSs to make intrusion detection more accurate

  • Several features of CIDN

    • Topology

    • Cooperation Scope

    • Specialization

    • Cooperation Technology

Cooperation Technology

  • Data Correlation

  • Trust Management

  • Load balancing

Table 1. Classification of Cooperative Intrusion Detection Networks


  • An early proposal for cooperative intrusion detection

  • Cooperating nodes take a proactive approach and share their blacklists with others


  • Monitors Internet outbreaks across large-scale networks

  • Nodes are organized hierarchically

  • Different roles are assigned to nodes


  • A centralized firewall log correlation system

  • Data is from the SANS Internet Storm Center

  • Not a real time analysis system

  • Data payloads are removed for privacy reasons


  • A fully distributed system to monitor epidemic worm and DoS attacks

  • The Chord DHT P2P system is used to load-balance the participating nodes

  • An alarm is triggered if the local prevalence of a content block exceeds a threshold

  • Only works on worms with fixed attack traces; does not work on polymorphic worms
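The prevalence rule in the bullets above, worked through as an added example (this is not the chapter's or the original system's code): every node cuts each payload it sees into fixed-size content blocks, hashes them, and records which source hosts carried each block; an alarm fires once a block has been seen from a threshold number of distinct sources. The 16-byte block size, the threshold of 3 sources, the sample payloads and the XOR stand-in for a polymorphic variant are all assumptions constructed for the example, and the last of them shows the limitation stated in the final bullet: when every instance differs byte-for-byte, no block ever reaches the prevalence threshold.

```python
"""Prevalence-based worm alarm over fixed-size content blocks (added example)."""
import hashlib
from collections import defaultdict

BLOCK_SIZE = 16            # assumption: payloads are cut into 16-byte blocks
PREVALENCE_THRESHOLD = 3   # assumption: alarm once 3 distinct sources carry a block


def content_blocks(payload: bytes):
    """Yield a short digest for each complete BLOCK_SIZE-byte block of the payload."""
    for offset in range(0, len(payload) - BLOCK_SIZE + 1, BLOCK_SIZE):
        block = payload[offset:offset + BLOCK_SIZE]
        yield hashlib.sha256(block).hexdigest()[:16]


class PrevalenceMonitor:
    """Local prevalence table: block digest -> set of source hosts that carried it."""

    def __init__(self):
        self.sources = defaultdict(set)

    def observe(self, src: str, payload: bytes):
        """Record one payload from src; return digests whose prevalence just reached the threshold."""
        alarms = []
        # A payload may contain the same block twice; count each distinct block once per payload.
        for digest in set(content_blocks(payload)):
            carriers = self.sources[digest]
            carriers.add(src)
            if len(carriers) == PREVALENCE_THRESHOLD:   # fires once per block, when it reaches 3 sources
                alarms.append(digest)
        return alarms


def simulate(traffic):
    """traffic: list of (src, payload). Returns {src: number of alarms raised while processing src}."""
    monitor = PrevalenceMonitor()
    alarms_per_src = defaultdict(int)
    for src, payload in traffic:
        alarms_per_src[src] += len(monitor.observe(src, payload))
    return dict(alarms_per_src)


# Constructed sample payload, 70 bytes: a filler prefix, a fixed body, a different filler suffix.
WORM = b"\x90" * 16 + b"CONSTRUCTED-WORM-BODY-0123456789ABCDEF" + b"\xcc" * 16


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Stand-in for a polymorphic instance (assumption): every byte differs per key."""
    return bytes(b ^ key for b in payload)


def demo():
    """Four sources send the fixed payload, then four sources send distinct variants."""
    fixed = simulate([(f"h{i}", WORM) for i in range(1, 5)])
    poly = simulate([(f"h{i}", polymorphic_variant(WORM, i)) for i in range(1, 5)])
    return fixed, poly


if __name__ == "__main__":
    fixed_alarms, poly_alarms = demo()
    print("fixed payload alarms per source:", fixed_alarms)       # h3 raises 4, the others 0
    print("polymorphic payload alarms per source:", poly_alarms)  # no source raises any
```

In the fixed case the third source pushes all four blocks of the payload to the threshold at once, so that source raises four alarms and the fourth source none; in the polymorphic case the per-key XOR changes every block, so the prevalence of each digest stays at one and the monitor is silent.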

Gossip-based Intrusion Detection

  • A local epidemic worm monitoring system

  • A local detector raises an alert when the number of newly created connections exceeds a threshold

  • A Bayesian network analysis system is used to correlate and aggregate alerts


  • Agent-based distributed alert system

  • IDSs are grouped into communities

  • Intra-community/inter-community communication

  • A Bayesian network system is used to make decisions


  • A centralized system to collect alerts from participating IDSs

  • Alert correlation rules are generated by humans offline

  • New rules are used to detect global-scale intrusions

Host-based CIDS

  • A cooperative intrusion detection system in which IDSs share detection experience with others

  • Alerts from one host are sent to neighbors for analysis

  • Feedback is aggregated based on the trustworthiness of each neighbor

  • Trust values are updated after every interaction experience
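The last three bullets describe one feedback loop: forward an alert to neighbors, weight their feedback by trust, then adjust each neighbor's trust from the outcome. The following is an added example of that loop (not the chapter's or any cited system's code). Feedback values in [0, 1], a decision threshold of 0.5, an initial trust of 0.5 and the exponential-moving-average update rate of 0.2 are assumptions; the scenario with three consistent neighbors and one that flags everything is constructed.

```python
"""Trust-weighted feedback aggregation for a host-based cooperative IDS (added example)."""
from dataclasses import dataclass

DECISION_THRESHOLD = 0.5   # assumption: aggregated score at or above this means "intrusion"
LEARNING_RATE = 0.2        # assumption: how far trust moves after one interaction


@dataclass
class Neighbor:
    name: str
    trust: float = 0.5     # assumption: a new neighbor starts at neutral trust


def aggregate_feedback(feedback, neighbors):
    """Trust-weighted average of neighbor feedback values (1.0 = 'this is an intrusion')."""
    total_weight = sum(neighbors[name].trust for name in feedback)
    if total_weight == 0.0:
        return 0.0
    weighted = sum(neighbors[name].trust * score for name, score in feedback.items())
    return weighted / total_weight


def update_trust(feedback, neighbors, decision):
    """Move trust toward 1 for neighbors that agreed with the decision, toward 0 otherwise."""
    for name, score in feedback.items():
        agreed = (score >= DECISION_THRESHOLD) == decision
        target = 1.0 if agreed else 0.0
        neighbor = neighbors[name]
        neighbor.trust += LEARNING_RATE * (target - neighbor.trust)


def run_rounds(rounds, neighbors):
    """Process one forwarded alert per round; return the list of decisions taken."""
    decisions = []
    for feedback in rounds:
        score = aggregate_feedback(feedback, neighbors)
        decision = score >= DECISION_THRESHOLD
        update_trust(feedback, neighbors, decision)
        decisions.append(decision)
    return decisions


def demo():
    """Constructed scenario: alice, bob and carol give consistent feedback; mallory flags everything."""
    neighbors = {name: Neighbor(name) for name in ("alice", "bob", "carol", "mallory")}
    rounds = [
        {"alice": 0.1, "bob": 0.2, "carol": 0.0, "mallory": 1.0},   # benign event
        {"alice": 0.9, "bob": 0.8, "carol": 0.9, "mallory": 1.0},   # real intrusion
        {"alice": 0.2, "bob": 0.1, "carol": 0.3, "mallory": 1.0},   # benign event
    ]
    decisions = run_rounds(rounds, neighbors)
    trust = {name: round(n.trust, 4) for name, n in neighbors.items()}
    return decisions, trust


if __name__ == "__main__":
    decisions, trust = demo()
    print("decisions:", decisions)   # [False, True, False]
    print("trust:", trust)           # mallory ends well below the consistent neighbors
```

Because trust is updated against the host's own aggregated decision, a neighbor that disagrees with the weighted consensus loses weight and its future feedback counts for less; the flip side is that a colluding majority of newly admitted neighbors can still steer the decision, which is one reason the chapter lists trust management and incentives among the open challenges.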


  • A cooperative spam filtering system

  • Preserves the privacy of the email owners

  • A P2P system is used for scalability

  • Emails are divided into feature chunks and digested into feature fingerprints


  • Phishing URL filtering system in IE8

  • Allows users to report phishing websites

  • A centralized decision system analyzes the collected data and generates the blacklist

  • Users browsing a phishing site will be warned by SmartScreen


  • A collaborative intrusion detection network to detect fast-flux botnets

  • Observes the number of unique IP addresses a domain resolves to

  • A threshold is derived to decide whether the domain is a fast-flux phishing domain
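The unique-IP check in the bullets above, applied to resolver log lines, as an added example (not the chapter's or the cited system's code). The log format, the threshold of 5 unique addresses, and the sample lines (documentation address ranges and reserved `.test` names) are constructed assumptions; the chapter only says a threshold is derived, not what it is.

```python
"""Flag candidate fast-flux domains by counting unique A-record addresses (added example)."""
import re
from collections import defaultdict

# Assumed resolver log line shape: "<timestamp> client=<ip> qname=<name> A=<ip>" or "... NXDOMAIN"
LOG_RE = re.compile(r"qname=(?P<qname>\S+)\s+A=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
UNIQUE_IP_THRESHOLD = 5   # assumption: more than this many distinct addresses is suspicious

# Constructed sample log: one domain rotates through six addresses, one stays on a single address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=198.51.100.7 qname=shop-verify.test A=203.0.113.5
2024-05-01T10:00:31Z client=198.51.100.7 qname=shop-verify.test A=203.0.113.77
2024-05-01T10:01:02Z client=198.51.100.9 qname=shop-verify.test A=192.0.2.14
2024-05-01T10:01:40Z client=198.51.100.9 qname=shop-verify.test A=203.0.113.5
2024-05-01T10:02:11Z client=198.51.100.3 qname=shop-verify.test A=192.0.2.201
2024-05-01T10:02:45Z client=198.51.100.3 qname=shop-verify.test A=198.51.100.250
2024-05-01T10:03:20Z client=198.51.100.7 qname=shop-verify.test A=192.0.2.99
2024-05-01T10:00:05Z client=198.51.100.7 qname=static-site.test A=203.0.113.10
2024-05-01T10:05:05Z client=198.51.100.9 qname=static-site.test A=203.0.113.10
2024-05-01T10:09:05Z client=198.51.100.3 qname=static-site.test A=203.0.113.10
2024-05-01T10:09:06Z client=198.51.100.3 qname=static-site.test NXDOMAIN
"""


def unique_ips_per_domain(lines):
    """Return {domain: number of distinct A-record addresses seen}; lines without an answer are skipped."""
    seen = defaultdict(set)
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue   # NXDOMAIN, malformed line, or a non-A answer
        domain = match["qname"].lower().rstrip(".")
        seen[domain].add(match["ip"])
    return {domain: len(ips) for domain, ips in seen.items()}


def flag_fast_flux(counts, threshold=UNIQUE_IP_THRESHOLD):
    """Domains whose unique-address count exceeds the threshold, sorted for stable output."""
    return sorted(domain for domain, count in counts.items() if count > threshold)


def demo():
    counts = unique_ips_per_domain(SAMPLE_LOG.splitlines())
    return counts, flag_fast_flux(counts)


if __name__ == "__main__":
    counts, flagged = demo()
    print("unique addresses per domain:", counts)
    print("candidate fast-flux domains:", flagged)
```

Counting unique addresses alone also flags legitimate content-delivery domains that rotate through many addresses, so in practice the count is one feature among several (answer TTL, address diversity across networks) rather than a verdict on its own.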

Open Challenges

  • Privacy of the exchanged information

  • Incentive of IDS cooperation

  • Botnet detection and removal


  • CIDNs use collective information from participants to achieve higher intrusion detection accuracy

  • A taxonomy to categorize different CIDNs

    • Four features are proposed for the taxonomy

  • The future challenges include how to encourage participation and provide privacy for data-sharing among IDSs
