
RepCIDN: A Reputation-based Collaborative Intrusion Detection Network to Lessen the Impact of Malicious Alarms

Published in: Journal of Network and Systems Management

Abstract

Distributed and coordinated attacks in computer networks have caused considerable economic losses worldwide in recent years. This is mainly due to the shift in attackers' operational patterns towards more sophisticated and more global behavior, which makes current intrusion detection systems more likely to generate false alarms. In this context, this paper describes the design of a collaborative intrusion detection network (CIDN) that is capable of building and sharing collective knowledge about isolated alarms in order to detect distributed attacks efficiently and accurately. It has also been strengthened with a reputation mechanism aimed at improving detection coverage by dropping false or bogus alarms that originate from malicious or misbehaving nodes. This model enables a CIDN to detect malicious behaviors according to the trustworthiness of the alarm issuers, calculated from their previous interactions with the system. Experimental results finally demonstrate how entities are gradually isolated as their behavior worsens over time.
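The abstract's core idea, alarms gated on the issuer's trust and that trust learned from feedback on earlier alarms, can be illustrated with a small simulation. This is an added example and not the paper's model (the page does not give RepCIDN's formula); the Beta-style trust estimate, the 0.45 cut-off and the scenario of a node that turns malicious are all assumptions chosen for illustration.

```python
"""Toy reputation-gated alarm filter for a collaborative IDS.

Assumed model (not RepCIDN's own): a node's trust is the smoothed ratio
(confirmed + 1) / (confirmed + bogus + 2) of its earlier alarms that were
verified as real attacks. Alarms from issuers whose trust falls below a
threshold are dropped before they reach alert correlation.
"""
from dataclasses import dataclass, field

TRUST_THRESHOLD = 0.45   # assumed cut-off; below it the issuer's alarms are dropped


@dataclass
class NodeRecord:
    confirmed: int = 0   # alarms later verified as genuine attacks
    bogus: int = 0       # alarms later found to be false or forged


@dataclass
class ReputationFilter:
    records: dict = field(default_factory=dict)

    def trust(self, node: str) -> float:
        # Laplace smoothing: an unknown issuer starts at 0.5, neither trusted nor banned
        r = self.records.setdefault(node, NodeRecord())
        return (r.confirmed + 1) / (r.confirmed + r.bogus + 2)

    def accept(self, node: str) -> bool:
        """Gate an incoming alarm on the issuer's current trust."""
        return self.trust(node) >= TRUST_THRESHOLD

    def feedback(self, node: str, confirmed: bool) -> None:
        """Update the issuer's record once the alarm's outcome is known."""
        r = self.records.setdefault(node, NodeRecord())
        if confirmed:
            r.confirmed += 1
        else:
            r.bogus += 1


def simulate_turning_malicious(good_rounds: int = 5, bad_rounds: int = 10) -> list:
    """Constructed scenario: node 'n2' sends genuine alarms, then only bogus ones.
    Returns (round, trust_after_round, accepted) so the gradual isolation is visible."""
    f = ReputationFilter()
    history = []
    for i in range(good_rounds + bad_rounds):
        accepted = f.accept("n2")
        if accepted:                       # dropped alarms are never verified, so no feedback
            f.feedback("n2", confirmed=i < good_rounds)
        history.append((i, round(f.trust("n2"), 3), accepted))
    return history
```

In the constructed run the node's trust decays one bogus alarm at a time and its alarms are dropped from round 12 onward; honest nodes, whose confirmed count keeps growing, stay above the threshold.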




Acknowledgments

This paper has been partially funded by the project TIN2011-28287-C02-02 RECLAMO (Virtual and Collaborative Honeynets based on Trust Management and Autonomous Systems applied to Intrusion Management) and the project TIN2011-27543-C03-02 Walkie-Talkie (Vehicular Communication Systems to Enable Safer, Smarter, and Greener Transportation), both funded by the Ministry of Science and Innovation of the Spanish Government, and the SEMIRAMIS EU-IST project (Secure Management of Information across multiple Stakeholders), with code CIP-ICT PSP-2009-3, within the EC Seventh Framework Programme (FP7). Thanks also to the Funding Program for Research Groups of Excellence granted as well by the Séneca Foundation with code 04552/GERM/06.

Author information


Correspondence to Manuel Gil Pérez.


Cite this article

Gil Pérez, M., Gómez Mármol, F., Martínez Pérez, G. et al. RepCIDN: A Reputation-based Collaborative Intrusion Detection Network to Lessen the Impact of Malicious Alarms. J Netw Syst Manage 21, 128–167 (2013). https://doi.org/10.1007/s10922-012-9230-8
