Intrusion Detection Networks A Key to Collaborative Security

INTRODUCTION

CYBER INTRUSIONS AND INTRUSION DETECTION

Cyber Intrusions
Introduction
Overview of Cyber Intrusions
     Malware
     Vulnerabilities Exploitation
     Denial-of-Service Attack
     Web-Based Attacks
     DNS Attack
     Organized Attacks and Botnets
     Spam and Phishing
     Mobile Device Security
     Cyber Crime and Cyber Warfare
A Taxonomy of Cyber Intrusions
Summary

Intrusion Detection
Intrusion Detection Systems
     Signature-Based and Anomaly-Based IDSs
     Host-Based and Network-Based IDSs
     Other Types of IDSs
     Strength and Limitations of IDSs
Collaborative Intrusion Detection Networks
     Motivation for IDS Collaboration
     Challenges of IDS Collaboration
Overview of Existing Intrusion Detection Networks
     Cooperation Topology
     Cooperation Scope
     Collaboration Type
     Specialization
     Cooperation Technologies and Algorithms
          Data Correlation
          Trust Management
          Load Balancing
     Taxonomy
Selected Intrusion Detection Networks
     Indra
     DOMINO
     DShield
     NetShield
     CIDS      
     Gossip
     Worminator
     ABDIAS
     CRIM
     ALPACAS
     CDDHT
     SmartScreen Filter
     CloudAV
     FFCIDN
     CMDA
Summary

DESIGN OF AN INTRUSION DETECTION NETWORK

Collaborative Intrusion Detection Networks Architecture Design
Introduction
Collaboration Framework
     Network Join Process
     Consultation Requests
     Test Messages
     Communication Overlay
     Mediator
     Trust Management 
     Acquaintance Management
     Resource Management
     Feedback Aggregation
Discussion
     Privacy Issues
     Insider Attacks
Summary

Trust Management
Introduction
Background
Trust Management Model
     Satisfaction Mapping
     Dirichlet-Based Model
     Evaluating the Trustworthiness of a Peer
Test Message Exchange Rate and Scalability of Our System
Robustness against Common Threats
     Newcomer Attacks
     Betrayal Attacks
     Collusion Attacks
     Inconsistency Attacks
Simulations and Experimental Results 
     Simulation Setting
     Modeling the Expertise Level of a Peer
     Deception Models
     Trust Values and Confidence Levels for Honest Peers
     Trust Values for Dishonest Peers
     Robustness of Our Trust Model
     Scalability of Our Trust Model
     Efficiency of Our Trust Model
Conclusions and Future Work

Collaborative Decision
Introduction
Background
Collaborative Decision Model
     Modeling of Acquaintances
     Collaborative Decision
Sequential Hypothesis Testing
     Threshold Approximation
Performance Evaluation
     Simulation
          Simple Average Model
          Weighted Average Model
          Bayesian Decision Model
     Modeling of a Single IDS
     Detection Accuracy and Cost
          Cost under Homogeneous Environment
          Cost under Heterogeneous Environment
          Cost and the Number of Acquaintances
     Sequential Consultation
     Robustness and Scalability of the System
Conclusion

Resource Management
Introduction
Background
Resource Management and Incentive Design
     Modeling of Resource Allocation
     Characterization of Nash Equilibrium
     Incentive Properties
Primal / Dual Iterative Algorithm
Experiments and Evaluation
     Nash Equilibrium Computation
     Nash Equilibrium Using Distributed Computation 
     Robustness Evaluation
          Free-Riding
          Denial-of-Service (DoS) Attacks 
          Dishonest Insiders 
     Large-Scale Simulation
Conclusion

Collaborators Selection and Management
Introduction
Background
IDS Identification and Feedback Aggregation
      Detection Accuracy for a Single IDS
     Feedback Aggregation
Acquaintance Management
     Problem Statement
     Acquaintance Selection Algorithm
     Acquaintance Management Algorithm
Evaluation
     Simulation Setting
     Determining the Test Message Rate
     Efficiency of Our Feedback Aggregation
     Cost and the Number of Collaborators
     Efficiency of Acquaintance Selection Algorithms
     Evaluation of Acquaintance Management Algorithm
          Convergence
          Stability
          Incentive Compatibility
          Robustness
Conclusion and Future Work

OTHER TYPES OF IDN DESIGN

Knowledge-Based Intrusion Detection Networks and Knowledge Propagation
Introduction
Background
Knowledge Sharing IDN Architecture
     Network Topology
     Communication Framework
     Snort Rules
     Authenticated Network Join Operation
     Feedback Collector
     Trust Evaluation and Acquaintance Management
     Knowledge Propagation Control
     An Example
Knowledge Sharing and Propagation Model
     Lower Level – Public Utility Optimization
     Upper Level – Private Utility Optimization
     Tuning Parameter R_ij
     Nash Equilibrium
     Price of Anarchy Analysis
     Knowledge Propagation
Bayesian Learning and Dynamic Algorithms
     Bayesian Learning Model for Trust
          Dirichlet Learning Model for Knowledge Quality 
          Credible-Bound Estimation of Trust
     Dynamic Algorithm to Find the Prime NE at Node
Evaluation
     Simulation Setup
     Trust Value Learning
     Convergence of Distributed Dynamic Algorithm
     Scalability and Quality of Information (QoI)
     Incentive Compatibility and Fairness
     Robustness of the System
Conclusion

Collaborative Malware Detection Networks
Introduction
Background
     Collaborative Malware Detection
     Decision Models for Collaborative Malware Detection
          Static Threshold 
          Weighted Average
          Decision Tree 
          Bayesian Decision
Collaboration Framework
     Architecture Design
     Communication Overhead and Privacy Issue
     Adversaries and Free-Riding
Collaborative Decision Model
     Problem Statement and RevMatch Model
     Feedback Relaxation
     Labeled History Update
Evaluation
     Data Sets
     Experiment Setting
     Ranking of AVs
     Static Threshold
     Weighted Average
     Decision Tree
     Bayesian Decision
     RevMatch
     Comparison between Different Decision Models
     Robustness against Insider Attacks
     Acquaintance List Length and Efficiency
Discussion
     Runtime Efficiency on Decision
     Partial Feedback
     Tuning Flexibility
     Comparison
     Zero-Day Malware Detection
     History Poison Flooding Attack
Conclusion and Future Work

CONCLUSION

APPENDICES

Examples of Intrusion Detection Rules and Alerts
Examples of Snort Rules
Example of an Intrusion Alert in IDMEF Format

Proofs
Proof of Proposition 9.4.3
Proof of Theorem 9.2
Proof of Proposition 9.4.4
Proof of Proposition 9.4.5
Proof of Proposition 9.4.6
References
Index

Biography

Carol Fung is an assistant professor of computer science at the Virginia Commonwealth University (USA). She received her Bachelor's and Master's degrees in computer science from the university of Manitoba (Canada), and her PhD degree in computer science from the university of Waterloo (Canada). Her research interests include collaborative intrusion detection networks, social networks, security issues in mobile networks and medical systems, location-based services for mobile phones, and machine learning in intrusion detection. She is the recipient of the best dissertation awards in IM2013, the best student paper award in CNSM2011 and the best paper award in IM2009. She received numerous prestige awards and scholarships including Google Anita Borg scholarship, NSERC Postdoc fellowship, David Cheriton Scholarship, NSERC Postgraduate Scholarship, and President’s graduate scholarship. She has been a visiting scholar at POSTECH (South Korea), a software engineer at Google, and a research staff at BlackBerry.

Raouf Boutaba is a professor of computer science at the University of Waterloo (Canada) and a distinguished visiting professor at POSTECH (South Korea). He served as a distinguished speaker of the IEEE Communications Society and the IEEE Computer Society. He is the founding chair of the IEEE Communications Society Technical Committee on Autonomic Communications, and the founding Editor in Chief of the IEEE Transactions on Network and Service Management (2007-2010). He is currently on the advisory editorial board of the Journal of Network and Systems Management, and on the editorial board of the IEEE Transactions on Mobile Computing, the IEEE Communication Surveys and Tutorials, the KICS/IEEE Journal of Communications and Networks, the International Journal on Network Management (ACM/Wiley), the Wireless Communications and Mobile Computing (Wiley) and the Journal on Internet Services and Applications (Springer). His research interests include resource and service management in networked systems. He has published extensively in these areas and received several journal and conference best paper awards such as the IEEE 2008 Fred W. Ellersick Prize Paper Award, the 2001 KICS/IEEE Journal on Communications and Networks Best Paper Award, the IM 2007 and 2009 and the CNSM 2010 Best Paper Awards among others. He also received several recognitions such as the Premier’s Research Excellence Award, Nortel research excellence Awards, a fellowship of the Faculty of Mathematics, David R. Cheriton faculty fellowships, outstanding performance awards at Waterloo and the NSERC discovery accelerator award. He has also received the IEEE Communications Society Hal Sobol Award and the IFIP Silver Core in 2007, the IEEE Communications Society Joe LociCero award and the IFIP/IEEE Dan Stokesbury award in 2009, and the IFIP/IEEE Salah Aidarous award in 2012. He is a Fellow of the IEEE and the EIC.