1st Edition

Intrusion Detection Networks A Key to Collaborative Security

By Carol Fung, Raouf Boutaba Copyright 2014
    262 Pages 92 B/W Illustrations
    by Auerbach Publications

    The rapidly increasing sophistication of cyber intrusions makes them nearly impossible to detect without the use of a collaborative intrusion detection network (IDN). Using overlay networks that allow an intrusion detection system (IDS) to exchange information, IDNs can dramatically improve your overall intrusion detection accuracy.

    Intrusion Detection Networks: A Key to Collaborative Security focuses on the design of IDNs and explains how to leverage effective and efficient collaboration between participant IDSs. Providing a complete introduction to IDSs and IDNs, it explains the benefits of building IDNs, identifies the challenges underlying their design, and outlines possible solutions to these problems. It also reviews the full range of proposed IDN solutions, analyzing their scope, topology, strengths, weaknesses, and limitations.

    • Includes a case study that examines the applicability of collaborative intrusion detection to real-world malware detection scenarios
    • Illustrates distributed IDN architecture design
    • Considers trust management, intrusion detection decision making, resource management, and collaborator management

    The book provides a complete overview of network intrusions, including their potential damage and corresponding detection methods. Covering the range of existing IDN designs, it elaborates on privacy, malicious insiders, scalability, free-riders, collaboration incentives, and intrusion detection efficiency. It also provides a collection of problem solutions to key IDN design challenges and shows how you can use various theoretical tools in this context.

    The text outlines comprehensive validation methodologies and metrics to help you improve the efficiency of detection, robustness against malicious insiders, incentive compatibility for all participants, and scalability in network size. It concludes by highlighting open issues and future challenges.

    INTRODUCTION

    CYBER INTRUSIONS AND INTRUSION DETECTION

    Cyber Intrusions
    Introduction
    Overview of Cyber Intrusions
         Malware
         Vulnerabilities Exploitation
         Denial-of-Service Attack
         Web-Based Attacks
         DNS Attack
         Organized Attacks and Botnets
         Spam and Phishing
         Mobile Device Security
         Cyber Crime and Cyber Warfare
    A Taxonomy of Cyber Intrusions
    Summary

    Intrusion Detection
    Intrusion Detection Systems
         Signature-Based and Anomaly-Based IDSs
         Host-Based and Network-Based IDSs
         Other Types of IDSs
         Strength and Limitations of IDSs
    Collaborative Intrusion Detection Networks
         Motivation for IDS Collaboration
         Challenges of IDS Collaboration
    Overview of Existing Intrusion Detection Networks
         Cooperation Topology
         Cooperation Scope
         Collaboration Type
         Specialization
         Cooperation Technologies and Algorithms
              Data Correlation
              Trust Management
              Load Balancing
         Taxonomy
    Selected Intrusion Detection Networks
         Indra
         DOMINO
         DShield
         NetShield
         CIDS
         Gossip
         Worminator
         ABDIAS
         CRIM
         ALPACAS
         CDDHT
         SmartScreen Filter
         CloudAV
         FFCIDN
         CMDA
    Summary

    DESIGN OF AN INTRUSION DETECTION NETWORK

    Collaborative Intrusion Detection Networks Architecture Design
    Introduction
    Collaboration Framework
         Network Join Process
         Consultation Requests
         Test Messages
         Communication Overlay
         Mediator
         Trust Management 
         Acquaintance Management
         Resource Management
         Feedback Aggregation
    Discussion
         Privacy Issues
         Insider Attacks
    Summary

    Trust Management
    Introduction
    Background
    Trust Management Model
         Satisfaction Mapping
         Dirichlet-Based Model
         Evaluating the Trustworthiness of a Peer
    Test Message Exchange Rate and Scalability of Our System
    Robustness against Common Threats
         Newcomer Attacks
         Betrayal Attacks
         Collusion Attacks
         Inconsistency Attacks
    Simulations and Experimental Results 
         Simulation Setting
         Modeling the Expertise Level of a Peer
         Deception Models
         Trust Values and Confidence Levels for Honest Peers
         Trust Values for Dishonest Peers
         Robustness of Our Trust Model
         Scalability of Our Trust Model
         Efficiency of Our Trust Model
    Conclusions and Future Work

    Collaborative Decision
    Introduction
    Background
    Collaborative Decision Model
         Modeling of Acquaintances
         Collaborative Decision
    Sequential Hypothesis Testing
         Threshold Approximation
    Performance Evaluation
         Simulation
              Simple Average Model
              Weighted Average Model
              Bayesian Decision Model
         Modeling of a Single IDS
         Detection Accuracy and Cost
              Cost under Homogeneous Environment
              Cost under Heterogeneous Environment
              Cost and the Number of Acquaintances
         Sequential Consultation
         Robustness and Scalability of the System
    Conclusion

    Resource Management
    Introduction
    Background
    Resource Management and Incentive Design
         Modeling of Resource Allocation
         Characterization of Nash Equilibrium
         Incentive Properties
    Primal / Dual Iterative Algorithm
    Experiments and Evaluation
         Nash Equilibrium Computation
         Nash Equilibrium Using Distributed Computation 
         Robustness Evaluation
              Free-Riding
              Denial-of-Service (DoS) Attacks 
              Dishonest Insiders 
         Large-Scale Simulation
    Conclusion

    Collaborators Selection and Management
    Introduction
    Background
    IDS Identification and Feedback Aggregation
         Detection Accuracy for a Single IDS
         Feedback Aggregation
    Acquaintance Management
         Problem Statement
         Acquaintance Selection Algorithm
         Acquaintance Management Algorithm
    Evaluation
         Simulation Setting
         Determining the Test Message Rate
         Efficiency of Our Feedback Aggregation
         Cost and the Number of Collaborators
         Efficiency of Acquaintance Selection Algorithms
         Evaluation of Acquaintance Management Algorithm
              Convergence
              Stability
              Incentive Compatibility
              Robustness
    Conclusion and Future Work

    OTHER TYPES OF IDN DESIGN

    Knowledge-Based Intrusion Detection Networks and Knowledge Propagation
    Introduction
    Background
    Knowledge Sharing IDN Architecture
         Network Topology
         Communication Framework
         Snort Rules
         Authenticated Network Join Operation
         Feedback Collector
         Trust Evaluation and Acquaintance Management
         Knowledge Propagation Control
         An Example
    Knowledge Sharing and Propagation Model
         Lower Level – Public Utility Optimization
         Upper Level – Private Utility Optimization
         Tuning Parameter Rij
         Nash Equilibrium
         Price of Anarchy Analysis
         Knowledge Propagation
    Bayesian Learning and Dynamic Algorithms
         Bayesian Learning Model for Trust
              Dirichlet Learning Model for Knowledge Quality 
              Credible-Bound Estimation of Trust
         Dynamic Algorithm to Find the Prime NE at Node
    Evaluation
         Simulation Setup
         Trust Value Learning
         Convergence of Distributed Dynamic Algorithm
         Scalability and Quality of Information (QoI)
         Incentive Compatibility and Fairness
         Robustness of the System
    Conclusion

    Collaborative Malware Detection Networks
    Introduction
    Background
         Collaborative Malware Detection
         Decision Models for Collaborative Malware Detection
              Static Threshold 
              Weighted Average
              Decision Tree 
              Bayesian Decision
    Collaboration Framework
         Architecture Design
         Communication Overhead and Privacy Issue
         Adversaries and Free-Riding
    Collaborative Decision Model
         Problem Statement and RevMatch Model
         Feedback Relaxation
         Labeled History Update
    Evaluation
         Data Sets
         Experiment Setting
         Ranking of AVs
         Static Threshold
         Weighted Average
         Decision Tree
         Bayesian Decision
         RevMatch
         Comparison between Different Decision Models
         Robustness against Insider Attacks
         Acquaintance List Length and Efficiency
    Discussion
         Runtime Efficiency on Decision
         Partial Feedback
         Tuning Flexibility
         Comparison
         Zero-Day Malware Detection
         History Poison Flooding Attack
    Conclusion and Future Work

    CONCLUSION

    APPENDICES

    Examples of Intrusion Detection Rules and Alerts
    Examples of Snort Rules
    Example of an Intrusion Alert in IDMEF Format

    Proofs
    Proof of Proposition 9.4.3
    Proof of Theorem 9.2
    Proof of Proposition 9.4.4
    Proof of Proposition 9.4.5
    Proof of Proposition 9.4.6
    References
    Index

    Biography

    Carol Fung is an assistant professor of computer science at Virginia Commonwealth University (USA). She received her Bachelor's and Master's degrees in computer science from the University of Manitoba (Canada), and her PhD degree in computer science from the University of Waterloo (Canada). Her research interests include collaborative intrusion detection networks, social networks, security issues in mobile networks and medical systems, location-based services for mobile phones, and machine learning in intrusion detection. She is the recipient of the best dissertation award at IM2013, the best student paper award at CNSM2011, and the best paper award at IM2009. She has received numerous prestigious awards and scholarships, including the Google Anita Borg Scholarship, an NSERC Postdoctoral Fellowship, the David Cheriton Scholarship, an NSERC Postgraduate Scholarship, and the President's Graduate Scholarship. She has been a visiting scholar at POSTECH (South Korea), a software engineer at Google, and a research staff member at BlackBerry.

    Raouf Boutaba is a professor of computer science at the University of Waterloo (Canada) and a distinguished visiting professor at POSTECH (South Korea). He served as a distinguished speaker of the IEEE Communications Society and the IEEE Computer Society. He is the founding chair of the IEEE Communications Society Technical Committee on Autonomic Communications, and the founding Editor-in-Chief of the IEEE Transactions on Network and Service Management (2007-2010). He is currently on the advisory editorial board of the Journal of Network and Systems Management, and on the editorial boards of the IEEE Transactions on Mobile Computing, the IEEE Communications Surveys and Tutorials, the KICS/IEEE Journal of Communications and Networks, the International Journal of Network Management (ACM/Wiley), Wireless Communications and Mobile Computing (Wiley), and the Journal of Internet Services and Applications (Springer). His research interests include resource and service management in networked systems. He has published extensively in these areas and has received several journal and conference best paper awards, such as the IEEE 2008 Fred W. Ellersick Prize Paper Award, the 2001 KICS/IEEE Journal on Communications and Networks Best Paper Award, and the IM 2007, IM 2009, and CNSM 2010 Best Paper Awards, among others. He has also received several recognitions, such as the Premier's Research Excellence Award, Nortel Research Excellence Awards, a fellowship of the Faculty of Mathematics, David R. Cheriton faculty fellowships, outstanding performance awards at Waterloo, and the NSERC Discovery Accelerator Award. He has also received the IEEE Communications Society Hal Sobol Award and the IFIP Silver Core in 2007, the IEEE Communications Society Joe LoCicero Award and the IFIP/IEEE Dan Stokesbury Award in 2009, and the IFIP/IEEE Salah Aidarous Award in 2012. He is a Fellow of the IEEE and the EIC.