1st Edition
Intrusion Detection Networks A Key to Collaborative Security
The rapidly increasing sophistication of cyber intrusions makes them nearly impossible to detect without the use of a collaborative intrusion detection network (IDN). Using overlay networks that allow an intrusion detection system (IDS) to exchange information, IDNs can dramatically improve your overall intrusion detection accuracy.
Intrusion Detection Networks: A Key to Collaborative Security focuses on the design of IDNs and explains how to leverage effective and efficient collaboration between participant IDSs. Providing a complete introduction to IDSs and IDNs, it explains the benefits of building IDNs, identifies the challenges underlying their design, and outlines possible solutions to these problems. It also reviews the full-range of proposed IDN solutions—analyzing their scope, topology, strengths, weaknesses, and limitations.
- Includes a case study that examines the applicability of collaborative intrusion detection to real-world malware detection scenarios
- Illustrates distributed IDN architecture design
- Considers trust management, intrusion detection decision making, resource management, and collaborator management
The book provides a complete overview of network intrusions, including their potential damage and corresponding detection methods. Covering the range of existing IDN designs, it elaborates on privacy, malicious insiders, scalability, free-riders, collaboration incentives, and intrusion detection efficiency. It also provides a collection of problem solutions to key IDN design challenges and shows how you can use various theoretical tools in this context.
The text outlines comprehensive validation methodologies and metrics to help you improve efficiency of detection, robustness against malicious insiders, incentive-compatibility for all participants, and scalability in network size. It concludes by highlighting open issues and future challenges.
INTRODUCTION
CYBER INTRUSIONS AND INTRUSION DETECTION
Cyber Intrusions
Overview of Cyber Intrusions
Malware
Vulnerabilities Exploitation
Denial-of-Service Attack
Web-Based Attacks
DNS Attack
Organized Attacks and Botnets
Spam and Phishing
Mobile Device Security
Cyber Crime and Cyber Warfare
A Taxonomy of Cyber Intrusions
Summary
Intrusion Detection
Intrusion Detection Systems
Signature-Based and Anomaly-Based IDSs
Host-Based and Network-Based IDSs
Other Types of IDSs
Strength and Limitations of IDSs
Collaborative Intrusion Detection Networks
Motivation for IDS Collaboration
Challenges of IDS Collaboration
Overview of Existing Intrusion Detection Networks
Cooperation Topology
Cooperation Scope
Collaboration Type
Specialization
Cooperation Technologies and Algorithms
Data Correlation
Trust Management
Load Balancing
Taxonomy
Selected Intrusion Detection Networks
Indra
DOMINO
DShield
NetShield
CIDS
Gossip
Worminator
ABDIAS
CRIM
ALPACAS
CDDHT
SmartScreen Filter
CloudAV
FFCIDN
CMDA
Summary
DESIGN OF AN INTRUSION DETECTION NETWORK
Collaborative Intrusion Detection Networks Architecture Design
Introduction
Collaboration Framework
Network Join Process
Consultation Requests
Test Messages
Communication Overlay
Mediator
Trust Management
Acquaintance Management
Resource Management
Feedback Aggregation
Discussion
Privacy Issues
Insider Attacks
Summary
Trust Management
Introduction
Background
Trust Management Model
Satisfaction Mapping
Dirichlet-Based Model
Evaluating the Trustworthiness of a Peer
Test Message Exchange Rate and Scalability of Our System
Robustness against Common Threats
Newcomer Attacks
Betrayal Attacks
Collusion Attacks
Inconsistency Attacks
Simulations and Experimental Results
Simulation Setting
Modeling the Expertise Level of a Peer
Deception Models
Trust Values and Confidence Levels for Honest Peers
Trust Values for Dishonest Peers
Robustness of Our Trust Model
Scalability of Our Trust Model
Efficiency of Our Trust Model
Conclusions and Future Work
Collaborative Decision
Introduction
Background
Collaborative Decision Model
Modeling of Acquaintances
Collaborative Decision
Sequential Hypothesis Testing
Threshold Approximation
Performance Evaluation
Simulation
Simple Average Model
Weighted Average Model
Bayesian Decision Model
Modeling of a Single IDS
Detection Accuracy and Cost
Cost under Homogeneous Environment
Cost under Heterogeneous Environment
Cost and the Number of Acquaintances
Sequential Consultation
Robustness and Scalability of the System
Conclusion
Resource Management
Introduction
Background
Resource Management and Incentive Design
Modeling of Resource Allocation
Characterization of Nash Equilibrium
Incentive Properties
Primal / Dual Iterative Algorithm
Experiments and Evaluation
Nash Equilibrium Computation
Nash Equilibrium Using Distributed Computation
Robustness Evaluation
Free-Riding
Denial-of-Service (DoS) Attacks
Dishonest Insiders
Large-Scale Simulation
Conclusion
Collaborators Selection and Management
Introduction
Background
IDS Identification and Feedback Aggregation
Detection Accuracy for a Single IDS
Feedback Aggregation
Acquaintance Management
Problem Statement
Acquaintance Selection Algorithm
Acquaintance Management Algorithm
Evaluation
Simulation Setting
Determining the Test Message Rate
Efficiency of Our Feedback Aggregation
Cost and the Number of Collaborators
Efficiency of Acquaintance Selection Algorithms
Evaluation of Acquaintance Management Algorithm
Convergence
Stability
Incentive Compatibility
Robustness
Conclusion and Future Work
OTHER TYPES OF IDN DESIGN
Knowledge-Based Intrusion Detection Networks and Knowledge Propagation
Introduction
Background
Knowledge Sharing IDN Architecture
Network Topology
Communication Framework
Snort Rules
Authenticated Network Join Operation
Feedback Collector
Trust Evaluation and Acquaintance Management
Knowledge Propagation Control
An Example
Knowledge Sharing and Propagation Model
Lower Level – Public Utility Optimization
Upper Level – Private Utility Optimization
Tuning Parameter Rij
Nash Equilibrium
Price of Anarchy Analysis
Knowledge Propagation
Bayesian Learning and Dynamic Algorithms
Bayesian Learning Model for Trust
Dirichlet Learning Model for Knowledge Quality
Credible-Bound Estimation of Trust
Dynamic Algorithm to Find the Prime NE at Node
Evaluation
Simulation Setup
Trust Value Learning
Convergence of Distributed Dynamic Algorithm
Scalability and Quality of Information (QoI)
Incentive Compatibility and Fairness
Robustness of the System
Conclusion
Collaborative Malware Detection Networks
Introduction
Background
Collaborative Malware Detection
Decision Models for Collaborative Malware Detection
Static Threshold
Weighted Average
Decision Tree
Bayesian Decision
Collaboration Framework
Architecture Design
Communication Overhead and Privacy Issue
Adversaries and Free-Riding
Collaborative Decision Model
Problem Statement and RevMatch Model
Feedback Relaxation
Labeled History Update
Evaluation
Data Sets
Experiment Setting
Ranking of AVs
Static Threshold
Weighted Average
Decision Tree
Bayesian Decision
RevMatch
Comparison between Different Decision Models
Robustness against Insider Attacks
Acquaintance List Length and Efficiency
Discussion
Runtime Efficiency on Decision
Partial Feedback
Tuning Flexibility
Comparison
Zero-Day Malware Detection
History Poison Flooding Attack
Conclusion and Future Work
CONCLUSION
APPENDICES
Examples of Intrusion Detection Rules and Alerts
Examples of Snort Rules
Example of an Intrusion Alert in IDMEF Format
Proofs
Proof of Proposition 9.4.3
Proof of Theorem 9.2
Proof of Proposition 9.4.4
Proof of Proposition 9.4.5
Proof of Proposition 9.4.6
References
Index
Biography
Carol Fung is an assistant professor of computer science at Virginia Commonwealth University (USA). She received her Bachelor's and Master's degrees in computer science from the University of Manitoba (Canada), and her PhD degree in computer science from the University of Waterloo (Canada). Her research interests include collaborative intrusion detection networks, social networks, security issues in mobile networks and medical systems, location-based services for mobile phones, and machine learning in intrusion detection. She is the recipient of the best dissertation award at IM2013, the best student paper award at CNSM2011 and the best paper award at IM2009. She has received numerous prestigious awards and scholarships, including the Google Anita Borg Scholarship, an NSERC Postdoctoral Fellowship, the David Cheriton Scholarship, an NSERC Postgraduate Scholarship, and the President's Graduate Scholarship. She has been a visiting scholar at POSTECH (South Korea), a software engineer at Google, and a research staff member at BlackBerry.
Raouf Boutaba is a professor of computer science at the University of Waterloo (Canada) and a distinguished visiting professor at POSTECH (South Korea). He served as a distinguished speaker of the IEEE Communications Society and the IEEE Computer Society. He is the founding chair of the IEEE Communications Society Technical Committee on Autonomic Communications, and the founding Editor-in-Chief of the IEEE Transactions on Network and Service Management (2007-2010). He is currently on the advisory editorial board of the Journal of Network and Systems Management, and on the editorial boards of the IEEE Transactions on Mobile Computing, the IEEE Communications Surveys and Tutorials, the KICS/IEEE Journal of Communications and Networks, the International Journal of Network Management (ACM/Wiley), Wireless Communications and Mobile Computing (Wiley) and the Journal of Internet Services and Applications (Springer). His research interests include resource and service management in networked systems. He has published extensively in these areas and received several journal and conference best paper awards, such as the IEEE 2008 Fred W. Ellersick Prize Paper Award, the 2001 KICS/IEEE Journal on Communications and Networks Best Paper Award, and the IM 2007, IM 2009 and CNSM 2010 Best Paper Awards, among others. He has also received several recognitions, such as the Premier's Research Excellence Award, Nortel Research Excellence Awards, a fellowship of the Faculty of Mathematics, David R. Cheriton faculty fellowships, outstanding performance awards at Waterloo and the NSERC Discovery Accelerator award. He has also received the IEEE Communications Society Hal Sobol Award and the IFIP Silver Core in 2007, the IEEE Communications Society Joe LoCicero Award and the IFIP/IEEE Dan Stokesbury Award in 2009, and the IFIP/IEEE Salah Aidarous Award in 2012. He is a Fellow of the IEEE and the EIC.