Secure "selecticast" for collaborative intrusion detection systems

The problem domain of Collaborative Intrusion Detection Systems (CIDS) introduces distinctive data-routing challenges, which we show are solvable with a sufficiently flexible publish-subscribe system. A CIDS shares intrusion detection data among organizations, usually to predict impending attacks earlier and more accurately, e.g., from Internet worms that tend to attack many sites at once. CIDS participants collect lists of suspect IP addresses and want to be notified when others are suspicious of the same addresses. The matching must be done efficiently and anonymously, because most organizations are reluctant to share information that could reveal details of their own networks. Alerts about external probes should be visible only to other CIDS participants experiencing probes from the same source(s). We term this form of simultaneous publish/subscribe “selecticast.” We present a candidate solution that propagates the secure Bloom filter data structure over the MEET publish-subscribe framework.
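The following is an added illustration of the selecticast idea and is not code from the paper or from MEET. It assumes the "secure Bloom filter" can be modelled as a Bloom filter whose bit positions are derived with HMAC-SHA256 under a group key shared only by CIDS participants (an assumption, not the paper's construction); the group key, the two suspect lists and the sizing parameters are all constructed for the example. A publisher summarises its suspect list into the keyed filter and emits only the bits; a subscriber tests its own suspects against those bits and is alerted only on addresses both sites flagged, while an observer without the key cannot probe the filter for an address of its choosing.

```python
import hashlib
import hmac
import ipaddress
import math


def optimal_params(n_items, fp_rate):
    """Standard Bloom sizing: bit count m and hash count k for n_items at a
    target false-positive rate fp_rate (Bloom 1970)."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


class KeyedBloomFilter:
    """Bloom filter whose positions come from HMAC-SHA256 under a shared key.
    Assumption: this keyed-hash construction stands in for the paper's secure
    Bloom filter.  The published object is only the bit array: it carries no
    plaintext addresses, and without the key the positions are unpredictable."""

    def __init__(self, m_bits, k_hashes, key, bits=None):
        self.m = m_bits
        self.k = k_hashes
        self.key = key
        self.bits = bytearray(bits) if bits is not None else bytearray((m_bits + 7) // 8)

    @staticmethod
    def canonical(addr):
        # Normalise textual forms (e.g. "2001:DB8::1" and "2001:db8:0:0:0:0:0:1"
        # both become "2001:db8::1") so publisher and subscriber hash the same string.
        return str(ipaddress.ip_address(addr))

    def _positions(self, item):
        data = self.canonical(item).encode()
        for i in range(self.k):
            # Domain-separate the k hash functions with a one-byte index prefix.
            mac = hmac.new(self.key, bytes([i]) + data, hashlib.sha256).digest()
            yield int.from_bytes(mac[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))

    def to_bytes(self):
        return bytes(self.bits)


def publish(suspects, key, m, k):
    """Publisher side: summarise a suspect list and emit only the raw filter bits."""
    bf = KeyedBloomFilter(m, k, key)
    for addr in suspects:
        bf.add(addr)
    return bf.to_bytes()


def selecticast_match(local_suspects, published_bits, key, m, k):
    """Subscriber side: return the local suspects that the publisher also flagged.
    Addresses only the publisher saw are never learned, and a party holding the
    bits but not the key cannot test addresses of its own choosing."""
    bf = KeyedBloomFilter(m, k, key, bits=published_bits)
    return sorted(KeyedBloomFilter.canonical(a) for a in local_suspects if a in bf)


# Constructed sample data (not from the paper): a group key assumed to be
# distributed out of band, and two sites' suspect lists.
GROUP_KEY = b"cids-demo-shared-key"
M_BITS, K_HASHES = optimal_params(n_items=1000, fp_rate=0.001)
SITE_A = ["198.51.100.7", "203.0.113.5", "192.0.2.44"]
SITE_B = ["203.0.113.5", "2001:db8::1", "192.0.2.99", "198.51.100.7"]


def demo():
    bits = publish(SITE_A, GROUP_KEY, M_BITS, K_HASHES)
    return selecticast_match(SITE_B, bits, GROUP_KEY, M_BITS, K_HASHES)


if __name__ == "__main__":
    print(demo())  # ['198.51.100.7', '203.0.113.5']
```

The false-positive rate is the usual Bloom trade-off: a subscriber may occasionally be alerted on an address the publisher never flagged, so sizing (here about 14 kbit for 1000 entries at 0.1%) should be chosen for the expected list length, and a positive match is a cue to correlate further rather than proof that both sites saw the same source.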