Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection

An important problem in network intrusion detection is how to detect large scale coordinated attacks such as scans, worms and denial-of-service attacks. These coordinated attacks can be difficult to detect at an early stage, since the evidence of the attack may be widely distributed across different subnetworks in the Internet. A critical research issue is how to detect these large scale attacks by correlating information from multiple intrusion detection systems in an efficient manner. Several collaborative detection systems have been proposed in the literature. However, these proposals have lacked large scale testing in real networks, and the practicalities of how to optimize the trade-off between detection accuracy and reaction time of these systems have not been demonstrated. To address these challenges, we propose LarSID, a scalable decentralized large scale intrusion detection framework. LarSID provides a service for defending against attacks by sharing potential evidence of intrusions between participant intrusion detection systems via a distributed hash table (DHT) architecture. In particular, we investigate how to optimize the trade-off between detection accuracy and reaction time of LarSID based on an analysis of a large, real-world intrusion detection dataset (the DShield dataset), which has been collected from over 1600 firewall administrators across the world. LarSID has been deployed and tested on the PlanetLab testbed, and is built on top of OpenDHT, a public DHT service. Our experimental results show significant reductions in detection latency compared to a centralized detection architecture. Currently, LarSID has been deployed on 128 PlanetLab nodes as a large scale intrusion detection service.
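The accuracy-versus-reaction-time trade-off described above, as an added illustration that is not LarSID's own code: participant IDSs publish evidence into a toy DHT, a source is flagged once a threshold of distinct participants has reported it, and the threshold is swept on constructed events. It assumes that evidence is keyed by the reported source address, that the decision rule is a count of distinct reporters, and that latency is the flag time minus the first report anywhere; none of these specifics is stated on the page.

```python
import hashlib
from collections import defaultdict

class EvidenceDHT:
    """Toy DHT: each key lands on one of n storage nodes (SHA-1 mod n).
    Key = suspect source IP (assumption), value = {reporter: first_report_time}."""
    def __init__(self, n_nodes=8):
        self.nodes = [defaultdict(dict) for _ in range(n_nodes)]

    def _node(self, key):
        h = int(hashlib.sha1(key.encode()).hexdigest(), 16)
        return self.nodes[h % len(self.nodes)]

    def put(self, src_ip, reporter, t):
        entry = self._node(src_ip)[src_ip]
        entry[reporter] = min(t, entry.get(reporter, t))   # keep earliest report

    def get(self, src_ip):
        return self._node(src_ip)[src_ip]

def replay(events, threshold):
    """events: (time, reporter_id, src_ip) tuples from participating IDSs.
    A source is flagged the first time `threshold` distinct participants report it."""
    dht, flagged = EvidenceDHT(), {}
    for t, reporter, src in sorted(events):
        dht.put(src, reporter, t)
        if src not in flagged and len(dht.get(src)) >= threshold:
            flagged[src] = t
    return flagged

def evaluate(events, attackers, threshold):
    """(detection rate, false positives, mean latency over detected attackers)."""
    flagged, first = replay(events, threshold), {}
    for t, _, src in sorted(events):
        first.setdefault(src, t)
    hits = [s for s in flagged if s in attackers]
    fps = [s for s in flagged if s not in attackers]
    rate = len(hits) / len(attackers)
    lat = sum(flagged[s] - first[s] for s in hits) / len(hits) if hits else None
    return rate, len(fps), lat

# Constructed sample: one scanner probes five participants in turn; one benign,
# misconfigured host is reported by two participants (a local false alarm).
EVENTS = [(0, "ids-A", "203.0.113.7"), (1, "ids-B", "203.0.113.7"),
          (2, "ids-C", "203.0.113.7"), (3, "ids-D", "203.0.113.7"),
          (4, "ids-E", "203.0.113.7"),
          (1, "ids-B", "198.51.100.9"), (2, "ids-E", "198.51.100.9")]
ATTACKERS = {"203.0.113.7"}

if __name__ == "__main__":
    for k in (2, 3, 6):   # lower threshold: faster reaction, more false alarms
        print(k, evaluate(EVENTS, ATTACKERS, k))
```

With threshold 2 the scanner is flagged after one time unit but the benign host is flagged too; threshold 3 removes the false alarm at the cost of one more unit of latency, and a threshold above the number of reporters never fires.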
