Decentralized Detection of Distributed Attacks

Research efforts on scalable distributed intrusion detection have focused on hierarchical IDSs, which organize IDSs into hierarchies and require low-level IDSs to send designated information to high-level IDSs. The hierarchies of IDSs are usually developed according to administrative concerns. For example, IDSs for individual hosts are organized under IDSs for departments, while IDSs for departments are organized under an IDS for the entire enterprise. However, such administrative organizations of IDSs often do not match the way distributed attacks need to be detected. In this chapter, we present an alternative approach to organizing autonomous but cooperative component systems to detect distributed attacks. Our approach is based on the dependency among the distributed events in a signature. Unlike the hierarchical approach, our approach organizes the cooperative IDSs according to the intrinsic relationships between the distributed events involved in attacks; as a result, an IDS needs to send a piece of information to another IDS only when that information is essential for detecting the attack.
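To make the contrast concrete, the following added example (illustrative code written for this edit, not the chapter's own system) models a small distributed attack signature as events located on different hosts with dependency edges between them, and derives which IDS must forward which event under the two organizations. The hosts, the department/enterprise hierarchy, the signature, and the function names are all constructed assumptions; the chapter itself does not specify a data model.

```python
"""Illustrative model (added example, not the chapter's own code) of the two
ways to organize cooperating IDSs: an administrative hierarchy that forwards
events upward, versus forwarding driven by the dependencies among the
distributed events of one attack signature. All hosts, names and the sample
signature below are constructed for illustration."""

from collections import defaultdict

# A signature is a set of named events, each observed by the IDS on one host,
# plus dependency edges (a, b): event b can only be matched once event a has
# been observed (e.g. b reuses a session id from a, or must follow a in time).
# Constructed example: a distributed attack that touches three hosts.
SIGNATURE = {
    "events": {
        "probe":   "hostA",   # scan observed on hostA
        "login":   "hostB",   # suspicious login on hostB, depends on probe
        "exfil":   "hostC",   # large transfer from hostC, depends on login
        "cleanup": "hostB",   # log wiping on hostB, depends on exfil
    },
    "depends": [("probe", "login"), ("login", "exfil"), ("exfil", "cleanup")],
}

# Constructed administrative hierarchy: node -> parent IDS; the root has None.
HIERARCHY = {
    "hostA": "dept1", "hostB": "dept1", "hostC": "dept2",
    "dept1": "enterprise", "dept2": "enterprise", "enterprise": None,
}


def dependency_plan(signature):
    """Return {event: set(destination hosts)} under the dependency-based
    organization: an IDS forwards an event only to the IDSs that observe
    events depending on it, and never to itself."""
    loc = signature["events"]
    plan = defaultdict(set)
    for src, dst in signature["depends"]:
        if loc[src] != loc[dst]:
            plan[src].add(loc[dst])
    return dict(plan)


def hierarchical_plan(signature, hierarchy):
    """Return {event: [hop destinations]} under the hierarchical organization:
    every signature-relevant event climbs to the root, one message per level."""
    plan = {}
    for ev, host in signature["events"].items():
        hops = []
        node = hierarchy[host]
        while node is not None:
            hops.append(node)
            node = hierarchy[node]
        plan[ev] = hops
    return plan


def message_count(plan):
    """Total number of messages a forwarding plan requires."""
    return sum(len(dests) for dests in plan.values())


def matches(signature, observed):
    """Check whether a sequence of (event, host) observations, in arrival
    order, satisfies the signature: every event is seen on its expected host,
    each event's dependencies were seen before it, and no event is missing."""
    seen = set()
    loc = signature["events"]
    for ev, host in observed:
        if loc.get(ev) != host:
            return False
        if any(dep not in seen for dep, tgt in signature["depends"] if tgt == ev):
            return False
        seen.add(ev)
    return seen == set(loc)


if __name__ == "__main__":
    dep = dependency_plan(SIGNATURE)
    hier = hierarchical_plan(SIGNATURE, HIERARCHY)
    print("dependency-based:", dep, "->", message_count(dep), "messages")
    print("hierarchical:   ", hier, "->", message_count(hier), "messages")
```

For this constructed signature the dependency-based plan needs three messages (each one carrying exactly the event the receiving IDS needs to continue matching), whereas climbing the two-level hierarchy costs two messages per event, eight in total, and the host that could actually correlate the events never receives them directly.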