A Distributed Hash Table Assisted Intrusion Prevention System

Using collaborative intrusion detection to sense network intrusions comes at the price of handling an enormous amount of data generated by detection probes, and of properly correlating the evidence collected at different parts of the network. The correlation between the recorded events has to be revealed, since they may be part of a complex, large-scale attack even if they manifested at different parts of the network. In this paper we describe the inner workings of a peer-to-peer network-based intrusion detection system which is able to handle the intrusion detection data efficiently while maintaining the correlation accuracy of centralized approaches. The system is built on a distributed hash table, for which a key is assigned to each piece of intrusion data in a preprocessing step. The network traffic requirements of such a system, and the load balancing that can be achieved by using the Kademlia peer-to-peer overlay network, are discussed as well.

Keywords: collaborative intrusion detection; attack correlation; peer-to-peer; distributed hash table; Kademlia.
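The mechanism sketched above, as an added illustration (not code from the paper): each alert gets a DHT key in a preprocessing step, the key is routed to the peer with the smallest Kademlia XOR distance, and alerts about the same attacker therefore land on one peer, which can correlate them without a central store. The alert fields, the choice of the source address as the correlation attribute, and the peer names are assumptions; the sample alerts are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample alerts from probes at different parts of the network.
# The field names are assumptions; the paper's alert format is not given here.
ALERTS = [
    {"probe": "probe-A", "src": "203.0.113.7", "sig": "portscan"},
    {"probe": "probe-B", "src": "203.0.113.7", "sig": "ssh-bruteforce"},
    {"probe": "probe-C", "src": "198.51.100.9", "sig": "portscan"},
    {"probe": "probe-D", "src": "203.0.113.7", "sig": "exploit-attempt"},
]

# Constructed overlay of peers; IDs live in a 160-bit space like Kademlia's.
PEERS = ["peer-1", "peer-2", "peer-3", "peer-4", "peer-5"]

def node_id(name: str) -> int:
    """160-bit identifier derived from a name (SHA-1, as in Kademlia's ID space)."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big")

def alert_key(alert: dict) -> int:
    """Preprocessing step: derive the DHT key from the correlation attribute.
    Using the attacker's source address as that attribute is an assumption."""
    return node_id(alert["src"])

def closest_peer(key: int, peers=PEERS) -> str:
    """Kademlia routing: the responsible peer is the one at minimal XOR distance."""
    return min(peers, key=lambda p: key ^ node_id(p))

def distribute(alerts=ALERTS, peers=PEERS) -> dict:
    """Route every alert to the peer responsible for its key, so events about
    the same source are co-located even though different probes saw them."""
    buckets = defaultdict(list)
    for alert in alerts:
        buckets[closest_peer(alert_key(alert), peers)].append(alert)
    return dict(buckets)

def correlate(bucket: list) -> dict:
    """Run on the responsible peer: group its alerts by source and report the
    sources observed from more than one vantage point (a candidate coordinated attack)."""
    seen = defaultdict(set)
    for alert in bucket:
        seen[alert["src"]].add(alert["probe"])
    return {src: sorted(probes) for src, probes in seen.items() if len(probes) > 1}

if __name__ == "__main__":
    for peer, bucket in distribute().items():
        print(peer, "holds", len(bucket), "alert(s); correlated:", correlate(bucket))
```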
