In this paper, we present the design and implementation of a Collaborative Intrusion Detection System (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers (network, kernel and application) and a manager-based framework for aggregating the alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can increase the accuracy of detection compared to individual detectors, without a substantial degradation in performance. In order to validate the premise, we present the design and implementation of a CIDS which employs Snort, Libsafe, and a new kernel-level IDS called Sysmon. The manager has a graph-based and a Bayesian-network-based aggregation method for combining the alarms to finally come up with a decision about the intrusion. The system is evaluated using a web-based electronic storefront application and under three different classes of attacks: buffer overflow, flooding and script-based attacks. The results show performance degradations compared to no detection of 3.9% and 6.3% under normal workload and a buffer overflow attack respectively. The experiments to evaluate the accuracy of the system show that the normal workload generates false alarms for Snort and the elementary detectors produce missed alarms. CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion, which is useful in choosing an appropriate response strategy.
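The abstract describes the manager combining alarms from Snort (network), Sysmon (kernel) and Libsafe (application) into one verdict and timing how an intrusion propagates across the layers. The block below is an added illustration, not code from the paper: it implements a naive-Bayes combination (detectors treated as conditionally independent given the intrusion state), which is a simplification of the paper's Bayesian-network aggregator, and it does not attempt the graph-based method. The per-detector true/false-positive rates, the intrusion prior, the five-second correlation window and the three alarm streams are all constructed for this example; the paper reports none of those values. The scenarios mirror the abstract's qualitative findings: a lone Snort alarm under normal load is not escalated, while alarms that agree across layers, or that come only from the kernel and application detectors when Snort misses, are.

```python
"""Manager-side alarm aggregation for a layered CIDS (added example).

Not the paper's code. Detector rates, the intrusion prior, the
correlation window and the alarm streams are constructed values.
Aggregation is naive Bayes: detectors are assumed conditionally
independent given whether an intrusion is in progress.
"""

# Assumed per-detector characteristics (constructed values).
#   tpr = P(alarm | intrusion)    fpr = P(alarm | no intrusion)
DETECTORS = {
    "snort":   {"layer": "network",     "tpr": 0.70, "fpr": 0.20},
    "sysmon":  {"layer": "kernel",      "tpr": 0.80, "fpr": 0.02},
    "libsafe": {"layer": "application", "tpr": 0.90, "fpr": 0.01},
}
PRIOR_INTRUSION = 0.01   # assumed base rate of an intrusion per window
WINDOW_SECONDS = 5.0     # assumed correlation window for one incident


def posterior_intrusion(alarms, detectors=DETECTORS, prior=PRIOR_INTRUSION):
    """P(intrusion | alarm vector) under conditional independence.

    alarms: {detector_name: True if it raised an alarm}. Detectors absent
    from the mapping count as silent; silence is evidence too, weighted
    by (1 - tpr) against (1 - fpr), so a single noisy detector firing
    alone is outweighed by two quiet, precise ones.
    """
    p_intr, p_norm = prior, 1.0 - prior
    for name, spec in detectors.items():
        fired = alarms.get(name, False)
        p_intr *= spec["tpr"] if fired else 1.0 - spec["tpr"]
        p_norm *= spec["fpr"] if fired else 1.0 - spec["fpr"]
    return p_intr / (p_intr + p_norm)


def correlate(events, window=WINDOW_SECONDS):
    """Keep the alarms within `window` seconds of the earliest one.

    events: iterable of (detector_name, timestamp_seconds). Alarms past
    the window are left for the next correlation round.
    """
    ordered = sorted(events, key=lambda e: e[1])
    if not ordered:
        return []
    t0 = ordered[0][1]
    return [(name, t) for name, t in ordered if t - t0 <= window]


def propagation_path(events, detectors=DETECTORS):
    """[(layer, detector, seconds since first alarm)] for one incident."""
    grouped = correlate(events)
    if not grouped:
        return []
    t0 = grouped[0][1]
    return [(detectors[n]["layer"], n, round(t - t0, 3)) for n, t in grouped]


def manager_decision(events, threshold=0.5):
    """Combine one incident's alarms into a single manager verdict.

    Returns the posterior, the flag, the time from the first alarm to the
    last (the propagation time the abstract mentions) and the ordered path.
    """
    path = propagation_path(events)
    alarms = {name: True for _, name, _ in path}
    p = posterior_intrusion(alarms)
    return {
        "posterior": p,
        "intrusion": p >= threshold,
        "propagation_seconds": path[-1][2] if path else 0.0,
        "path": path,
    }


# Constructed alarm streams: (detector, timestamp in seconds).
SCENARIOS = {
    "normal workload, Snort false alarm": [("snort", 100.0)],
    "buffer overflow seen at all layers":
        [("snort", 200.0), ("sysmon", 200.4), ("libsafe", 201.1)],
    "overflow missed by Snort":
        [("sysmon", 300.0), ("libsafe", 300.9)],
}

if __name__ == "__main__":
    for label, events in SCENARIOS.items():
        d = manager_decision(events)
        print(f"{label}: P={d['posterior']:.4f} intrusion={d['intrusion']} "
              f"propagation={d['propagation_seconds']}s path={d['path']}")
```

With these constructed rates, the lone Snort alarm yields a posterior well under 0.001 and is suppressed, while the all-layer and the Sysmon-plus-Libsafe cases both exceed 0.9. The decision is sensitive to the prior and the threshold, so in practice those would be calibrated against the deployment's measured false-alarm and miss rates rather than fixed as here; the propagation path also only orders alarms that fall inside the correlation window, so a slow-moving attack needs a wider window than the five seconds assumed.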