Chapter 9: Cooperation in Intrusion Detection Networks

Authors: Carol Fung and Raouf Boutaba

Editors: M. S. Obaidat and S. Misra

John Wiley & Sons publishing


Network Intrusions

  • Unwanted traffic or computer activities that may be malicious and destructive

    • Denial of Service

    • Identity theft

    • Spam mails

  • Single-host intrusion

  • Cooperative attacks


Intrusion Detection Systems

  • Designed to monitor network traffic or computer activities and alert administrators for suspicious intrusions

    • Signature-based and anomaly-based

    • Host-based and network-based


Figure 1. An example of a host-based IDS and a network-based IDS


Cooperative IDS

  • IDSs use collective information from other IDSs to make intrusion detection more accurate

  • Several features of CIDN

    • Topology

    • Cooperation Scope

    • Specialization

    • Cooperation Technology


Cooperation Technology

  • Data Correlation

  • Trust Management

  • Load balancing


Table 1. Classification of Cooperative Intrusion Detection Networks


Indra

  • An early proposal for cooperative intrusion detection

  • Cooperating nodes take a proactive approach, sharing their blacklists with others


DOMINO

  • Monitors Internet outbreaks across large-scale networks

  • Nodes are organized hierarchically

  • Different roles are assigned to nodes


Dshield

  • A centralized firewall log correlation system

  • Data comes from the SANS Internet Storm Center

  • Not a real-time analysis system

  • Data payloads are removed out of privacy concerns


NetShield

  • A fully distributed system to monitor epidemic worms and DoS attacks

  • The Chord DHT P2P system is used to load-balance the participating nodes

  • An alarm is triggered if the local prevalence of a content block exceeds a threshold

  • Only works on worms with fixed attack traces; does not work on polymorphic worms


Gossip-based Intrusion Detection

  • A local epidemic worm monitoring system

  • A local detector raises an alert when the number of newly created connections exceeds a threshold

  • A Bayesian network analysis system is used to correlate and aggregate alerts


ABDIAS

  • Agent-based distributed alert system

  • IDSs are grouped into communities

  • Intra-community/inter-community communication

  • A Bayesian network system is used to make decisions


CRIM

  • A centralized system to collect alerts from participating IDSs

  • Alert correlation rules are generated by humans offline

  • The new rules are used to detect global intrusions


Host-based CIDS

  • A cooperative intrusion detection system in which IDSs share detection experience with others

  • Alerts from one host are sent to its neighbors for analysis

  • Feedback is aggregated based on the trustworthiness of each neighbor

  • Trust values are updated after every interaction experience
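The trust-weighted aggregation and per-interaction trust update described on this slide, as an added illustration (not code from the chapter). Assumed here, since the slide does not specify them: feedback is a probability in [0, 1] that the alert is a real intrusion, a neighbor with no history starts at trust 0.5, and trust moves by a fixed step toward 1 when a neighbor's verdict matched the resolved outcome and toward 0 otherwise.

```python
from dataclasses import dataclass, field

ALERT_THRESHOLD = 0.5  # assumed: aggregated score at/above this means "intrusion"
TRUST_STEP = 0.1       # assumed: how far trust moves after each interaction


@dataclass
class Host:
    """One IDS in the network, holding trust values for its neighbors."""
    name: str
    trust: dict = field(default_factory=dict)  # neighbor -> trust in [0, 1]

    def trust_of(self, neighbor):
        # Assumed: a neighbor we have no history with starts at neutral trust.
        return self.trust.setdefault(neighbor, 0.5)

    def aggregate(self, feedback):
        """Trust-weighted mean of neighbors' feedback (0 = benign, 1 = intrusion)."""
        weights = {n: self.trust_of(n) for n in feedback}
        total = sum(weights.values())
        if total == 0:
            return 0.0  # only fully distrusted neighbors answered; treat as no evidence
        return sum(weights[n] * feedback[n] for n in feedback) / total

    def decide(self, feedback):
        return self.aggregate(feedback) >= ALERT_THRESHOLD

    def update_trust(self, feedback, was_intrusion):
        """Once the alert is resolved, raise trust in neighbors whose verdict
        matched the outcome and lower it for those that disagreed."""
        for n, f in feedback.items():
            agreed = (f >= ALERT_THRESHOLD) == was_intrusion
            t = self.trust_of(n)
            self.trust[n] = min(1.0, t + TRUST_STEP) if agreed else max(0.0, t - TRUST_STEP)


def run_demo():
    """Constructed scenario: one alert sent to three neighbors of differing trust."""
    host = Host("h0", trust={"n1": 0.9, "n2": 0.3, "n3": 0.5})
    feedback = {"n1": 0.9, "n2": 0.1, "n3": 0.6}  # each neighbor's verdict on the alert
    score = host.aggregate(feedback)
    verdict = host.decide(feedback)
    host.update_trust(feedback, was_intrusion=True)  # later confirmed as a real intrusion
    return score, verdict, dict(host.trust)


if __name__ == "__main__":
    print(run_demo())
```

The low-trust neighbor n2 votes benign but barely moves the score, and its trust drops further after the alert is confirmed, which is the feedback loop the slide describes.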


ALPACAS

  • A cooperative spam filtering system

  • Preserves the privacy of the email owners

  • A P2P system is used for scalability

  • Emails are divided into feature trunks and digested into feature fingerprints


SmartScreen

  • Phishing URL filtering system in IE8

  • Allows users to report phishing websites

  • A centralized decision system analyzes the collected data and generates the blacklist

  • Users browsing a phishing site will be warned by SmartScreen


FFCIDN

  • A collaborative intrusion detection network to detect fast-flux botnets

  • Observes the number of unique IP addresses a domain has

  • A threshold is derived to decide whether the domain is a fast-flux phishing domain
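The unique-IP check described on this slide, carried across several cooperating nodes, as an added example (not the chapter's code). The slide does not give the threshold derivation, so a fixed threshold stands in for it; the report format (each node contributes the (domain, answer IP) pairs it saw in DNS answers) and the merge-by-union step are also assumptions, chosen to show why pooling observations matters.

```python
from collections import defaultdict

FLUX_IP_THRESHOLD = 4  # assumed fixed stand-in for the chapter's derived threshold

# Constructed observations from two cooperating IDS nodes: (domain, answer_ip) pairs.
NODE_REPORTS = {
    "ids-a": [
        ("shop.example", "192.0.2.10"),
        ("login-bank.test", "198.51.100.1"),
        ("login-bank.test", "198.51.100.2"),
        ("login-bank.test", "198.51.100.3"),
        ("cdn.example", "203.0.113.1"),
        ("cdn.example", "203.0.113.2"),
    ],
    "ids-b": [
        ("shop.example", "192.0.2.10"),
        ("login-bank.test", "198.51.100.3"),
        ("login-bank.test", "198.51.100.4"),
        ("login-bank.test", "198.51.100.5"),
        ("cdn.example", "203.0.113.3"),
        ("cdn.example", "203.0.113.4"),
    ],
}


def unique_ips(reports):
    """Map each domain to the set of distinct IPs seen in the given reports."""
    seen = defaultdict(set)
    for domain, ip in reports:
        seen[domain].add(ip)
    return seen


def flagged(reports, threshold=FLUX_IP_THRESHOLD):
    """Domains whose unique-IP count exceeds the threshold (strictly greater)."""
    return sorted(d for d, ips in unique_ips(reports).items() if len(ips) > threshold)


def local_candidates(node_reports, threshold=FLUX_IP_THRESHOLD):
    """What each node would flag using only its own observations."""
    return {node: flagged(r, threshold) for node, r in node_reports.items()}


def merged_candidates(node_reports, threshold=FLUX_IP_THRESHOLD):
    """Union every node's observations first, then apply the same threshold."""
    merged = [obs for r in node_reports.values() for obs in r]
    return flagged(merged, threshold)
```

Neither node alone sees enough addresses for login-bank.test to cross the threshold; only the pooled view does, while the multi-address cdn.example stays below it.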


Open Challenges

  • Privacy of the exchanged information

  • Incentives for IDS cooperation

  • Botnet detection and removal


Conclusion

  • CIDNs use collective information from participants to achieve higher intrusion detection accuracy

  • A taxonomy is proposed to categorize different CIDNs

    • Four features are proposed for the taxonomy

  • The future challenges include how to encourage participation and provide privacy for data-sharing among IDSs
