Chapter 9: Cooperation in Intrusion Detection Networks - PowerPoint PPT Presentation

Title: Cooperation in Intrusion Detection Networks
Author: Jun Fung
Created Date: 10/2/2010 6:26:45 PM

Slides: 21
Transcript and Presenter's Notes

1
Chapter 9: Cooperation in Intrusion Detection Networks
  • Authors: Carol Fung and Raouf Boutaba
  • Editors: M. S. Obaidat and S. Misra
  • Published by John Wiley & Sons

2
Network Intrusions
  • Unwanted traffic or computer activities that may
    be malicious and destructive
  • Denial of Service
  • Identity theft
  • Spam email
  • Single-host intrusion
  • Cooperative attacks

3
Intrusion Detection Systems
  • Designed to monitor network traffic or computer
    activities and alert administrators to
    suspicious intrusions
  • Signature-based and anomaly-based detection
  • Host-based and network-based deployment

4
Figure 1. An example of host-based IDS and network-based IDS

5
Cooperative IDS
  • IDSs use collective information from other IDSs
    to detect intrusions more accurately
  • Four features characterize a CIDN:
  • Topology
  • Cooperation Scope
  • Specialization
  • Cooperation Technology

6
Cooperation Technology
  • Data Correlation
  • Trust Management
  • Load balance

7
| IDN | Topology | Scope | Specialization | Technology and algorithm |
|---|---|---|---|---|
| Indra | Distributed | Local | Worm | - |
| DOMINO | Decentralized | Hybrid | Worm | - |
| DShield | Centralized | Global | General | Data Correlation |
| NetShield | Distributed | Global | Worm | Load-balancing |
| Gossip | Distributed | Local | Worm | - |
| Worminator | - | Global | Worm | - |
| ABDIAS | Decentralized | Hybrid | General | Trust Management |
| CRIM | Centralized | Local | General | Data Correlation |
| HBCIDS | Distributed | Global | General | Trust Management |
| ALPACAS | Distributed | Global | Spam | Load-balancing |
| CDDHT | Decentralized | Local | General | - |
| SmartScreen | Centralized | Global | Phishing | - |
| FFCIDN | Centralized | Global | Botnet | Data correlation |

Table 1. Classification of Cooperative Intrusion Detection Networks

8
Indra
  • An early proposal on cooperative intrusion
    detection
  • Cooperating nodes take a proactive approach,
    sharing their blacklists with the others

9
DOMINO
  • Monitors Internet outbreaks in large-scale
    networks
  • Nodes are organized hierarchically
  • Different roles are assigned to the nodes

10
DShield
  • A centralized firewall log correlation system
  • Data comes from the SANS Internet Storm Center
  • Not a real-time analysis system
  • Data payload is removed for privacy reasons

11
NetShield
  • A fully distributed system to monitor epidemic
    worms and DoS attacks
  • The Chord DHT P2P system is used to load-balance
    the participating nodes
  • An alarm is triggered if the local prevalence of a
    content block exceeds a threshold
  • Only works on worms with fixed attack traces; it
    does not work on polymorphic worms
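
The prevalence rule on this slide, and its stated limitation, as an added example (this is not NetShield's code, and the 16-byte fixed blocks, SHA-256 digests and a threshold of 3 distinct sources are assumptions made here; NetShield itself also distributes the counting over a DHT, which is omitted). Each content block of an observed flow is digested, and the detector remembers which source hosts have carried that block; an alarm is raised the moment a block has been seen from as many distinct sources as the threshold. The second scenario shows why a polymorphic worm defeats the rule: every copy is mutated with a different key, so no two copies share a block and the counts never grow.

```python
import hashlib
from collections import defaultdict

# Assumptions for this example (not NetShield's actual parameters): fixed-size
# 16-byte content blocks and an alarm once 3 distinct sources carry a block.
BLOCK_SIZE = 16
PREVALENCE_THRESHOLD = 3


class PrevalenceDetector:
    """Tracks how many distinct source hosts have sent each content block."""

    def __init__(self, block_size=BLOCK_SIZE, threshold=PREVALENCE_THRESHOLD):
        self.block_size = block_size
        self.threshold = threshold
        self.sources_per_block = defaultdict(set)

    def _block_digests(self, payload):
        # Non-overlapping fixed-size blocks; a trailing partial block is ignored.
        for i in range(0, len(payload) - self.block_size + 1, self.block_size):
            yield hashlib.sha256(payload[i:i + self.block_size]).hexdigest()

    def observe(self, src, payload):
        """Record one flow from host `src`; return the digests of blocks whose
        prevalence crossed the threshold on this observation (once per block)."""
        alarms = []
        for digest in self._block_digests(payload):
            sources = self.sources_per_block[digest]
            before = len(sources)
            sources.add(src)
            if before < self.threshold <= len(sources):
                alarms.append(digest)
        return alarms


def xor_variant(payload, key):
    """Constructed stand-in for a polymorphic worm: same logic, different bytes per copy."""
    return bytes(b ^ key for b in payload)


def demo():
    """Returns (alarms raised for a fixed-trace worm, alarms for a polymorphic variant)."""
    worm = bytes(range(64))  # constructed 64-byte payload = 4 content blocks
    sources = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]

    fixed = PrevalenceDetector()
    fixed_alarms = 0
    # A single benign flow from another host never reaches the threshold.
    fixed_alarms += len(fixed.observe("10.0.0.9", b"GET /index.html HTTP/1.1\r\n\r\n"))
    for src in sources:
        fixed_alarms += len(fixed.observe(src, worm))  # the 3rd source trips all 4 blocks

    poly = PrevalenceDetector()
    poly_alarms = 0
    for src, key in zip(sources, (0x11, 0x22, 0x33, 0x44)):
        poly_alarms += len(poly.observe(src, xor_variant(worm, key)))  # no block repeats

    return fixed_alarms, poly_alarms


if __name__ == "__main__":
    print(demo())  # (4, 0)
```

Each block alarms only once, so a fourth infected host adds no noise; the polymorphic run returns zero alarms even though four hosts are infected, which is exactly the gap the last bullet describes.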

12
Gossip-based Intrusion Detection
  • A local epidemic worm monitoring system
  • A local detector raises an alert when the number
    of newly created connections exceeds a threshold
  • A Bayesian network analysis system is used to
    correlate and aggregate alerts

13
ABDIAS
  • Agent-based Distributed alert system
  • IDSs are grouped into communities
  • Intra-community/inter-community communication
  • A Bayesian network system is used to make
    decisions

14
CRIM
  • A centralized system to collect alerts from
    participating IDSs
  • Alert correlation rules are generated by humans
    offline
  • New rules are used to detect global-scale
    intrusions

15
Host-based CIDS
  • A cooperative intrusion detection system in which
    IDSs share detection experience with others
  • Alerts from one host are sent to its neighbors for
    analysis
  • Feedback is aggregated according to the
    trustworthiness of each neighbor
  • Trust values are updated after every interaction
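
The feedback-aggregation and trust-update loop from this slide, as an added example (not the chapter's or the HBCIDS authors' code). The trust model is an assumption made here: each neighbor's trust is a Beta-reputation estimate alpha / (alpha + beta), where alpha counts past feedback that agreed with the confirmed verdict and beta counts feedback that did not; the chapter only says trust is updated after every interaction. Feedback is a trust-weighted vote, and the constructed scenario has one neighbor that always answers "benign", so its weight shrinks round by round until it can no longer tie a vote.

```python
class Neighbor:
    """Trust as a Beta-reputation estimate (assumed model, not the chapter's exact one):
    alpha counts feedback that matched the confirmed verdict, beta counts feedback that did not."""

    def __init__(self, name, alpha=1.0, beta=1.0):
        self.name = name
        self.alpha = alpha
        self.beta = beta

    @property
    def trust(self):
        return self.alpha / (self.alpha + self.beta)

    def update(self, was_correct):
        """Called once per interaction, after the host knows the verdict."""
        if was_correct:
            self.alpha += 1.0
        else:
            self.beta += 1.0


def aggregate_feedback(neighbors, feedback):
    """Trust-weighted mean of the feedback (1 = malicious, 0 = benign) from neighbors that replied."""
    replied = [n for n in neighbors if n.name in feedback]
    if not replied:
        raise ValueError("no feedback to aggregate")
    total = sum(n.trust for n in replied)
    return sum(n.trust * feedback[n.name] for n in replied) / total


def run_rounds(neighbors, rounds, decide_at=0.5):
    """rounds: (feedback, verdict) pairs, verdict being what the host later confirmed.
    Returns the decision taken in each round; trust is updated after each round."""
    decisions = []
    for feedback, verdict in rounds:
        score = aggregate_feedback(neighbors, feedback)
        decisions.append(score >= decide_at)
        for n in neighbors:
            if n.name in feedback:
                n.update(feedback[n.name] == verdict)
    return decisions


def demo():
    """Constructed scenario: A and B answer correctly, C always answers 'benign' (0)."""
    neighbors = [Neighbor("A"), Neighbor("B"), Neighbor("C")]
    rounds = [({"A": 1, "B": 1, "C": 0}, 1)] * 5
    # B stays silent in the last round; only accumulated trust now separates A from C.
    rounds.append(({"A": 1, "C": 0}, 1))
    decisions = run_rounds(neighbors, rounds)
    return decisions, {n.name: n.trust for n in neighbors}


if __name__ == "__main__":
    print(demo())
```

With fresh, equal trust the final round would be a 0.5 tie between A and C; after five rounds of history A's weight is 6/7 and C's is 1/7, so the aggregated score is 6/7 and the alert is correctly confirmed. The same mechanism is what limits a compromised or low-quality peer's influence over time.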

16
ALPACAS
  • A cooperative spam filtering system
  • Preserves the privacy of the email owners
  • A P2P system is used for scalability
  • Emails are divided into feature trunks and
    digested into feature fingerprints
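
The trunk-and-fingerprint idea from the last bullet, as an added example (not ALPACAS's code; the choice of three-word overlapping trunks, truncated SHA-256 digests and a Jaccard-similarity threshold of 0.5 are assumptions made here). A message is split into short word trunks, each trunk is digested, and only the set of digests leaves the host; a peer compares that set with the fingerprint sets of known spam and never sees the email text, which is how the privacy bullet and the detection bullet fit together.

```python
import hashlib
import re

SHINGLE_WORDS = 3      # words per feature trunk (assumed value)
SPAM_SIMILARITY = 0.5  # Jaccard overlap that counts as a spam match (assumed value)


def feature_fingerprints(text, k=SHINGLE_WORDS):
    """Split text into overlapping k-word trunks and digest each one to a short fingerprint."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        trunks = [" ".join(words)] if words else []
    else:
        trunks = [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]
    return {hashlib.sha256(t.encode()).hexdigest()[:16] for t in trunks}


def similarity(a, b):
    """Jaccard similarity of two fingerprint sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def is_spam(message, known_spam_fingerprints, threshold=SPAM_SIMILARITY):
    """Flag a message if its fingerprints overlap any known spam fingerprint set enough."""
    fps = feature_fingerprints(message)
    best = max((similarity(fps, known) for known in known_spam_fingerprints), default=0.0)
    return best >= threshold


def demo():
    # Constructed messages: a known spam, a lightly edited copy of it, and a normal email.
    known_spam = "Congratulations you have won a free cruise click here to claim your prize now"
    variant = "Congratulations you have won a free cruise click here to claim your prize today"
    ham = "Meeting moved to Thursday at ten please bring the quarterly report"

    # Peers hold only these digest sets, never the spam text itself.
    shared_spam_fingerprints = [feature_fingerprints(known_spam)]

    return (
        is_spam(variant, shared_spam_fingerprints),
        is_spam(ham, shared_spam_fingerprints),
        similarity(feature_fingerprints(variant), shared_spam_fingerprints[0]),
    )


if __name__ == "__main__":
    print(demo())
```

Changing one word in the spam alters only the trunks that contain it, so the edited copy still shares 11 of 13 fingerprints with the original and is caught; the unrelated message shares none.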

17
SmartScreen
  • Phishing URL filtering system in IE8
  • Allows users to report phishing websites
  • A centralized decision system analyzes the
    collected data and generates the blacklist
  • Users browsing a phishing site are warned by
    SmartScreen

18
FFCIDN
  • A collaborative intrusion detection network to
    detect fast-flux botnets
  • Observes the number of unique IP addresses a
    domain resolves to
  • A threshold is derived to decide whether the
    domain is a fast-flux phishing domain
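
The unique-IP count and threshold check from this slide, as an added example (not FFCIDN's code). The DNS answer log format, the constructed records and the fixed threshold of 8 addresses are assumptions made here; the chapter only says that a threshold is derived. Records are parsed, grouped by domain within an analysis window, and a domain is flagged once the number of distinct addresses it has resolved to reaches the threshold. The window matters: a single stale answer outside it must not count, and a legitimate CDN domain that rotates among a few addresses stays below the line.

```python
import re
from collections import defaultdict

# Constructed DNS answer log, one line per A record observed: "<epoch> <domain> <ip> <ttl>".
# The format and the data are assumptions for this example, not FFCIDN's input format.
SAMPLE_LOG = "\n".join(
    ["1000 news.example 203.0.113.10 3600", "1060 news.example 203.0.113.10 3600"]
    + [f"{1000 + 30 * i} cdn.example 203.0.113.{20 + i % 3} 300" for i in range(9)]
    + [f"{1000 + 30 * i} flux.example 198.51.100.{1 + i} 180" for i in range(12)]
    + ["5000 flux.example 198.51.100.99 180"]  # outside the analysis window
    + ["garbage line that should be skipped"]
)

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, domain, ip, ttl) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2).lower().rstrip("."), m.group(3), int(m.group(4))


def unique_ips_per_domain(records, window_start, window_end):
    """Number of distinct addresses each domain resolved to inside the window."""
    ips = defaultdict(set)
    for ts, domain, ip, _ttl in records:
        if window_start <= ts <= window_end:
            ips[domain].add(ip)
    return {domain: len(addrs) for domain, addrs in ips.items()}


def fastflux_candidates(counts, threshold):
    """Domains whose unique-IP count within the window reaches the threshold."""
    return {domain for domain, n in counts.items() if n >= threshold}


def demo(threshold=8):
    """Returns (per-domain unique-IP counts, flagged domains) for the constructed log."""
    # The threshold value is assumed here; the chapter only says one is derived.
    counts = unique_ips_per_domain(parse_log(SAMPLE_LOG), 1000, 2000)
    return counts, fastflux_candidates(counts, threshold)


if __name__ == "__main__":
    print(demo())
```

On the constructed data the news site resolves to one address and the CDN to three, while the flux domain has shown twelve distinct addresses inside the window (the thirteenth lies outside it and is ignored), so only flux.example is flagged.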

19
Open Challenges
  • Privacy of the exchanged information
  • Incentive of IDS cooperation
  • Botnet detection and removal

20
Conclusion
  • CIDNs use collective information from
    participants to achieve higher intrusion
    detection accuracy
  • A taxonomy to categorize different CIDNs
  • Four features are proposed for the taxonomy
  • The future challenges include how to encourage
    participation and provide privacy for
    data-sharing among IDSs