Community-Based Collaborative Intrusion Detection
Today's IT infrastructure must be ready to defend against massive cyber-attacks, which often originate from distributed attackers such as botnets. Most Intrusion Detection Systems (IDSs), however, still work in isolation and cannot effectively detect distributed attacks. Collaborative IDSs (CIDSs) have been proposed as a joint defense against ever more sophisticated distributed attacks. However, collaboration by exchanging suspicious alarms among all interconnected sensors of a CIDS does not scale with the size of the IT infrastructure; hence detection performance must be traded off against the communication overhead that collaboration requires. We propose to partition the set of sensors into subsets, or communities, as a lever for this trade-off. The novelty of our approach is the application of ensemble-based learning, a machine learning paradigm suitable for distributed intrusion detection. In our approach, community members exchange the data features used to train models of normality rather than bare alarms, which further reduces the communication overhead. Our experiments show that we can achieve detection rates close to those obtained with global information exchange using smaller subsets of collaborating sensors.
Keywords: Intrusion Detection, Detection Accuracy, Communication Overhead, Anomaly Detection, Intrusion Detection System
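The community-size lever described in the abstract, as an added example that is not code from the paper: six constructed sensors each hold a few rows of flow features (packets per second, distinct destination ports), community members exchange those rows instead of alarms, and every member trains a model of normality on the pooled rows. The model is a per-feature observed-range detector, the contiguous partitioning, the sensor data and the labelled test events are all assumptions made here, and the paper's ensemble learner is not reproduced. The function `evaluate(size)` returns, for one community size, the feature-exchange messages per training round together with the detection and false-positive rates on the constructed events.

```python
"""Toy simulation of the community-size lever in a collaborative IDS.

Added example, not code from the paper. Sensors, their feature rows and the
labelled test events are constructed by hand so that the numbers are exact.
Community members exchange feature rows (not alarms); each member trains a
per-feature observed-range model of normality on the pooled rows (assumption;
the paper's ensemble learner is not reproduced here).
"""
from typing import Dict, List, Tuple

Row = Tuple[float, float]  # (packets_per_second, distinct_dst_ports)

# Constructed local training data: sensors 0/1 watch low-rate subnets,
# 2/3 busy server segments, 4/5 quiet client segments.
SENSOR_TRAINING: Dict[int, List[Row]] = {
    0: [(100, 3), (120, 4), (110, 3)],
    1: [(90, 2), (95, 3), (100, 2)],
    2: [(300, 5), (320, 6), (310, 5)],
    3: [(280, 4), (290, 5), (300, 4)],
    4: [(50, 1), (60, 2), (55, 1)],
    5: [(40, 1), (45, 1), (50, 2)],
}

# Constructed labelled test events: (observing sensor, feature row, is_attack).
TEST_EVENTS = [
    (0, (115, 2), False),   # benign: port count seen by sensor 1, never by 0 alone
    (1, (98, 3), False),
    (2, (290, 6), False),   # benign: rate seen by sensor 3, never by 2 alone
    (4, (55, 2), False),
    (0, (110, 40), True),   # port scan
    (4, (200, 1), True),    # flood on a quiet segment
    (3, (295, 30), True),   # port scan
    (5, (45, 9), True),     # small scan
]


def partition(sensors: List[int], size: int) -> List[List[int]]:
    """Split the sensor list into contiguous communities of `size` members."""
    return [sensors[i:i + size] for i in range(0, len(sensors), size)]


def exchange_messages(communities: List[List[int]]) -> int:
    """Feature-exchange messages per training round: every member sends its
    rows to every other member of its community, i.e. m*(m-1) per community."""
    return sum(len(c) * (len(c) - 1) for c in communities)


class RangeModel:
    """Model of normality: the per-feature [min, max] observed in training."""

    def __init__(self, rows: List[Row]):
        cols = list(zip(*rows))
        self.lo = [min(c) for c in cols]
        self.hi = [max(c) for c in cols]

    def is_anomalous(self, row: Row) -> bool:
        """Flag a row if any feature falls outside the observed range."""
        return any(v < lo or v > hi for v, lo, hi in zip(row, self.lo, self.hi))


def train_community_models(communities: List[List[int]]) -> Dict[int, RangeModel]:
    """Each sensor trains on its own rows plus the rows received from its community."""
    models: Dict[int, RangeModel] = {}
    for members in communities:
        pooled = [r for s in members for r in SENSOR_TRAINING[s]]
        for s in members:
            models[s] = RangeModel(pooled)
    return models


def evaluate(size: int) -> Dict[str, float]:
    """Overhead, detection rate and false-positive rate for one community size."""
    communities = partition(sorted(SENSOR_TRAINING), size)
    models = train_community_models(communities)
    tp = fp = attacks = benign = 0
    for sensor, row, is_attack in TEST_EVENTS:
        flagged = models[sensor].is_anomalous(row)
        if is_attack:
            attacks += 1
            tp += flagged
        else:
            benign += 1
            fp += flagged
    return {
        "community_size": size,
        "messages_per_round": exchange_messages(communities),
        "detection_rate": tp / attacks,
        "false_positive_rate": fp / benign,
    }


if __name__ == "__main__":
    # Community size 1 is isolated detection; size 6 is global feature exchange.
    for size in (1, 2, 3, 6):
        print(evaluate(size))
```

In this toy, overhead grows as m(m-1) per community (0, 6, 12 and 30 messages per round for sizes 1, 2, 3 and 6), isolated sensors raise false alarms on traffic their neighbours consider normal, and pooling across unrelated segments widens the range model until the flood on the quiet segment is absorbed into normality. Grouping sensors that watch similar traffic into small communities is what keeps both effects in check; the paper's ensemble learning and real datasets are needed for quantitative conclusions.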