PMFA: Toward Passive Message Fingerprint Attacks on Challenge-Based Collaborative Intrusion Detection Networks

  • Wenjuan Li
  • Weizhi MengEmail author
  • Lam-For Kwok
  • Horace Ho Shing Ip
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9955)


To enhance the performance of single intrusion detection systems (IDSs), collaborative intrusion detection networks (CIDNs) have been developed, which enable a set of IDS nodes to communicate with each other. In such a distributed network, insider attacks like collusion attacks are the main threat. In the literature, challenge-based trust mechanisms have been established to identify malicious nodes by evaluating the satisfaction between challenges and responses. However, we find that such mechanisms rely on two major assumptions, which may result in a weak threat model and make CIDNs still vulnerable to advanced insider attacks in practical deployment. In this paper, we design a novel type of collusion attack, called passive message fingerprint attack (PMFA), which can collect messages and identify normal requests in a passive way. In the evaluation, we explore the attack performance under both simulated and real network environments. Experimental results indicate that under our attack, malicious nodes can send malicious responses to normal requests while maintaining their trust values.


Intrusion Detection System Collaborative network Insider threats Collusion attacks Challenge-based trust mechanism 



We would like to thank all anonymous reviewers for their helpful comments in improving the paper.


  1. 1.
    Chun, B., Lee, J., Weatherspoon, H., Chun, B.N.: Netbait: a distributed worm detection service. Technical report IRB-TR-03-033, Intel Research Berkeley (2003)Google Scholar
  2. 2.
    Douceur, J.R.: The sybil attack. In: Druschel, P., Kaashoek, F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 251–260. Springer, Heidelberg (2002). doi: 10.1007/3-540-45748-8_24 CrossRefGoogle Scholar
  3. 3.
    Duma, C., Karresand, M., Shahmehri, N., Caronni, G.: A trust-aware, P2P-based overlay for intrusion detection. In: DEXA Workshop, pp. 692–697 (2006)Google Scholar
  4. 4.
    Fung, C.J., Baysal, O., Zhang, J., Aib, I., Boutaba, R.: Trust management for host-based collaborative intrusion detection. In: De Turck, F., Kellerer, W., Kormentzas, G. (eds.) DSOM 2008. LNCS, vol. 5273, pp. 109–122. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Fung, C.J., Zhang, J., Aib, I., Boutaba, R.: Robust and scalable trust management for collaborative intrusion detection. In: Proceedings of the 11th IFIP/IEEE International Conference on Symposium on Integrated Network Management (IM), pp. 33–40 (2009)Google Scholar
  6. 6.
    Fung, C.J., Zhu, Q., Boutaba, R., Basar, T.: Bayesian decision aggregation in collaborative intrusion detection networks. In: NOMS, pp. 349–356 (2010)Google Scholar
  7. 7.
    Fung, C.J., Boutaba, R.: Design and management of collaborative intrusion detection networks. In: Proceedings of the 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 955–961 (2013)Google Scholar
  8. 8.
    Gong, F.: Next Generation Intrusion Detection Systems (IDS). McAfee Network Security Technologies Group (2003)Google Scholar
  9. 9.
    Huebsch, R., Chun, B.N., Hellerstein, J.M., Loo, B.T., Maniatis, P., Roscoe, T., Shenker, S., Stoica, I., Yumerefendi, A.R.: The architecture of PIER: an internet-scale query processor. In: Proceedings of the 2005 Conference on Innovative Data Systems Research (CIDR), pp. 28–43 (2005)Google Scholar
  10. 10.
    Li, Z., Chen, Y., Beach, A.: Towards scalable and Robust distributed intrusion alert fusion with good load balancing. In: Proceedings of the 2006 SIGCOMM Workshop on Large-Scale Attack Defense (LSAD), pp. 115–122 (2006)Google Scholar
  11. 11.
    Li, W., Meng, Y., Kwok, L.-F.: Enhancing trust evaluation using intrusion sensitivity in collaborative intrusion detection networks: feasibility and challenges. In: Proceedings of the 9th International Conference on Computational Intelligence and Security (CIS), pp. 518–522. IEEE (2013)Google Scholar
  12. 12.
    Li, W., Meng, W., Kwok, L.-F.: Design of intrusion sensitivity-based trust management model for collaborative intrusion detection networks. In: Zhou, J., Gal-Oz, N., Zhang, J., Gudes, E. (eds.) Trust Management VIII. IFIP AICT, vol. 430, pp. 61–76. Springer, Heidelberg (2014)Google Scholar
  13. 13.
    Li, W., Meng, W.: Enhancing collaborative intrusion detection networks using intrusion sensitivity in detecting pollution attacks. Inf. Comput. Secur. 24(3), 265–276 (2016). EmeraldCrossRefGoogle Scholar
  14. 14.
    Meng, W., Li, W., Kwok, L.-F.: Design of intelligent KNN-based alarm filter using knowledge-based alert verification in intrusion detection. Secur. Commun. Netw. 8(18), 3883–3895 (2015). WileyCrossRefGoogle Scholar
  15. 15.
    Papadopoulos, C., Lindell, R., Mehringer, J., Hussain, A., Govindan, R.: COSSACK: Coordinated Suppression of Simultaneous Attacks. In: Proceedings of the 2003 DARPA Information Survivability Conference and Exposition (DISCEX), pp. 94–96 (2003)Google Scholar
  16. 16.
    Porras, P.A., Neumann, P.G.: Emerald: event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th National Information Systems Security Conference, pp. 353–365 (1997)Google Scholar
  17. 17.
    Scarfone, K., Mell, P.: Guide to Intrusion Detection and Prevention Systems (IDPS). NIST Special Publication 800–94 (2007)Google Scholar
  18. 18.
    Snapp, S.R., et al.: DIDS (Distributed Intrusion Detection System) - motivation, architecture, and an early prototype. In: Proceedings of the 14th National Computer Security Conference, pp. 167–176 (1991)Google Scholar
  19. 19.
    Snort: An an open source network intrusion prevention and detection system (IDS/IPS).
  20. 20.
    Tuan, T.A.: A game-theoretic analysis of trust management in P2P systems. In: Proceedings of ICCE, pp. 130–134 (2006)Google Scholar
  21. 21.
    Wu, Y.-S., Foo, B., Mei, Y., Bagchi, S.: Collaborative Intrusion Detection System (CIDS): a framework for accurate and efficient IDS. In: Proceedings of the 2003 Annual Computer Security Applications Conference (ACSAC), pp. 234–244 (2003)Google Scholar
  22. 22.
    Yegneswaran, V., Barford, P., Jha, S.: Global intrusion detection in the DOMINO overlay system. In: Proceedings of the 2004 Network and Distributed System Security Symposium (NDSS), pp. 1–17 (2004)Google Scholar

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Wenjuan Li
    • 1
  • Weizhi Meng
    • 2
    • 3
    Email author
  • Lam-For Kwok
    • 1
  • Horace Ho Shing Ip
    • 1
  1. 1.Department of Computer ScienceCity University of Hong KongKowloon TongHong Kong
  2. 2.Infocomm Security DepartmentInstitute for Infocomm ResearchSingaporeSingapore
  3. 3.Department of Applied Mathematics and Computer ScienceTechnical University of DenmarkKongens LyngbyDenmark

Personalised recommendations