
1 Chapter 9: Cooperation in Intrusion Detection Networks
Authors: Carol Fung and Raouf Boutaba
Editors: M. S. Obaidat and S. Misra
John Wiley & Sons publishing

2 Network Intrusions
Unwanted traffic or computer activities that may be malicious and destructive
–Denial of Service
–Identity theft
–Spam mails
Single-host intrusions
Cooperative attacks

3 Intrusion Detection Systems
Designed to monitor network traffic or computer activities and alert administrators to suspicious intrusions
–Signature-based and anomaly-based
–Host-based and network-based

4 Figure 1. An example of a host-based IDS and a network-based IDS

5 Cooperative IDS
IDSs use collective information from other IDSs to make more accurate intrusion detection decisions
Several features characterize a CIDN:
–Topology
–Cooperation scope
–Specialization
–Cooperation technology

6 Cooperation Technology
Data correlation
Trust management
Load balancing

7 Table 1. Classification of Cooperative Intrusion Detection Networks

IDN         | Topology      | Scope  | Specialization | Technology and algorithm
------------|---------------|--------|----------------|-------------------------
Indra       | Distributed   | Local  | Worm           | -
DOMINO      | Decentralized | Hybrid | Worm           | -
DShield     | Centralized   | Global | General        | Data correlation
NetShield   | Distributed   | Global | Worm           | Load balancing
Gossip      | Distributed   | Local  | Worm           | -
Worminator  | -             | Global | Worm           | -
ABDIAS      | Decentralized | Hybrid | General        | Trust management
CRIM        | Centralized   | Local  | General        | Data correlation
HBCIDS      | Distributed   | Global | General        | Trust management
ALPACAS     | Distributed   | Global | Spam           | Load balancing
CDDHT       | Decentralized | Local  | General        | -
SmartScreen | Centralized   | Global | Phishing       | -
FFCIDN      | Centralized   | Global | Botnet         | Data correlation

8 Indra
An early proposal for cooperative intrusion detection
Cooperating nodes take a proactive approach and share their blacklists with other nodes

9 DOMINO
Monitors Internet outbreaks in large-scale networks
Nodes are organized hierarchically
Different roles are assigned to nodes

10 DShield
A centralized firewall log correlation system
Data comes from the SANS Internet Storm Center
Not a real-time analysis system
Packet payloads are removed from the data for privacy reasons

11 NetShield
A fully distributed system to monitor epidemic worms and DoS attacks
The Chord DHT P2P system is used to load-balance the participating nodes
An alarm is triggered if the local prevalence of a content block exceeds a threshold
Only works on worms with fixed attack traces; does not work on polymorphic worms
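To make the prevalence rule and its polymorphism blind spot concrete, the following is an added example (not NetShield's code, and not from the chapter): each participating node reports the content blocks it sees, blocks are digested so only digests need to be exchanged, and an alarm fires when a block appears in at least a threshold number of flows. The block size, node names, payloads and threshold are all constructed for illustration; the second sample set shows why a worm that changes its bytes on every copy never accumulates prevalence.

```python
"""Added illustration of content-block prevalence counting (not NetShield's own code)."""
import hashlib
from collections import Counter

BLOCK_SIZE = 8  # assumption: a small block size so the constructed samples stay short


def block_digest(block: bytes) -> str:
    """Digest of one content block; nodes can exchange digests instead of raw payload."""
    return hashlib.sha256(block).hexdigest()


def content_blocks(payload: bytes, block_size: int = BLOCK_SIZE):
    """Split a payload into fixed-size, non-overlapping blocks and digest each one.
    A set is returned so a block repeated inside one flow counts once for that flow."""
    return {block_digest(payload[i:i + block_size])
            for i in range(0, len(payload), block_size)}


def block_prevalence(reports):
    """reports: list of (node, payload) observations, one entry per observed flow.
    Returns {block_digest: number of flows that contained that block}."""
    prevalence = Counter()
    for _node, payload in reports:
        prevalence.update(content_blocks(payload))
    return dict(prevalence)


def prevalent_blocks(reports, threshold):
    """Digests whose prevalence reaches the alarm threshold (sorted for stable output)."""
    return sorted(d for d, n in block_prevalence(reports).items() if n >= threshold)


# Constructed sample traffic: one (node, payload) pair per observed flow.
FIXED_WORM = b"WORMHDR0PAYLOAD1"  # identical 16-byte attack trace seen on every host
FIXED_REPORTS = [("node-a", FIXED_WORM), ("node-b", FIXED_WORM),
                 ("node-c", FIXED_WORM), ("node-d", b"GET / HT")]
# Same behaviour, but every copy carries different bytes, so no block repeats.
POLY_REPORTS = [("node-a", b"VARIANTA"), ("node-b", b"VARIANTB"),
                ("node-c", b"VARIANTC")]
THRESHOLD = 3  # assumption: alarm once a block is seen in three flows

if __name__ == "__main__":
    print("fixed-trace worm: %d block(s) above threshold"
          % len(prevalent_blocks(FIXED_REPORTS, THRESHOLD)))
    print("polymorphic worm: %d block(s) above threshold"
          % len(prevalent_blocks(POLY_REPORTS, THRESHOLD)))
```

With the fixed trace, both of its blocks reach a prevalence of three and trigger the alarm, while the benign request stays at one; with the polymorphic variants every block has prevalence one and nothing fires, which is exactly the limitation the slide notes.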

12 Gossip-based Intrusion Detection
A local epidemic worm monitoring system
A local detector raises an alert when the number of newly created connections exceeds a threshold
A Bayesian network analysis system is used to correlate and aggregate alerts

13 ABDIAS
Agent-Based Distributed Intrusion Alert System
IDSs are grouped into communities
Intra-community and inter-community communication
A Bayesian network system is used to make decisions

14 CRIM
A centralized system that collects alerts from participating IDSs
Alert correlation rules are generated by humans offline
The new rules are used to detect global-scale intrusions

15 Host-based CIDS
A cooperative intrusion detection system in which IDSs share detection experience with one another
Alerts from one host are sent to its neighbors for analysis
Feedback is aggregated based on the trustworthiness of each neighbor
Trust values are updated after every interaction
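The two mechanisms on this slide, trust-weighted aggregation of neighbor feedback and a per-interaction trust update, can be shown in a few lines. What follows is an added example and not the scheme from the HBCIDS paper or the chapter: the neighbor names, initial trust values, the weighted-average aggregation, the 0.5 decision threshold and the fixed-step reward/penalty update are all assumptions chosen for illustration.

```python
"""Added illustration of trust-weighted feedback aggregation (not the HBCIDS scheme)."""


def aggregate_feedback(trust, feedback):
    """trust: {neighbor: value in [0, 1]}.
    feedback: {neighbor: 1.0 meaning 'malicious' down to 0.0 meaning 'benign'}.
    Returns the trust-weighted average of the feedback, or None when no consulted
    neighbor carries any trust at all (nothing to base a decision on)."""
    total = sum(trust[n] for n in feedback)
    if total == 0:
        return None
    return sum(trust[n] * f for n, f in feedback.items()) / total


def decide(score, threshold=0.5):
    """Assumed rule: treat the alert as a real intrusion when the score reaches 0.5."""
    return score is not None and score >= threshold


def update_trust(trust, feedback, decision, step=0.1):
    """Assumed update: neighbors whose feedback agreed with the final decision gain
    `step`, others lose it; values are clamped to [0, 1] and rounded to avoid
    floating-point drift. Returns a new dict, leaving the input untouched."""
    updated = dict(trust)
    for n, f in feedback.items():
        agreed = (f >= 0.5) == decision
        delta = step if agreed else -step
        updated[n] = round(min(1.0, max(0.0, trust[n] + delta)), 4)
    return updated


def consult(trust, feedback):
    """One interaction: aggregate, decide, then update trust. Returns (decision, new trust)."""
    score = aggregate_feedback(trust, feedback)
    decision = decide(score)
    return decision, update_trust(trust, feedback, decision)


# Constructed scenario: two well-trusted neighbors and one with a poor track record.
TRUST = {"n1": 0.9, "n2": 0.8, "n3": 0.2}
# Case A: the trusted neighbors say "malicious", the distrusted one says "benign".
FEEDBACK_A = {"n1": 1.0, "n2": 1.0, "n3": 0.0}
# Case B: only the distrusted neighbor says "malicious".
FEEDBACK_B = {"n1": 0.0, "n3": 1.0}

if __name__ == "__main__":
    for label, fb in (("A", FEEDBACK_A), ("B", FEEDBACK_B)):
        decision, new_trust = consult(TRUST, fb)
        print(label, "score=%.3f" % aggregate_feedback(TRUST, fb),
              "intrusion" if decision else "no intrusion", new_trust)
```

In case A the weighted score is about 0.89, so the alert is accepted and the two neighbors that agreed move to 1.0 and 0.9 while the dissenting one drops to 0.1; in case B the same "malicious" vote from the low-trust neighbor alone yields a score of about 0.18 and is rejected, which is the point of weighting feedback by trust rather than counting votes.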

16 ALPACAS
A cooperative spam filtering system
Preserves the privacy of the email owners
A P2P system is used for scalability
Emails are divided into feature trunks and digested into feature fingerprints

17 SmartScreen
Phishing URL filtering system in IE8
Allows users to report phishing websites
A centralized decision system analyzes the collected data and generates the blacklist
Users browsing a phishing site are warned by SmartScreen

18 FFCIDN
A collaborative intrusion detection network for detecting fast-flux botnets
Observes the number of unique IP addresses a domain resolves to
A threshold is derived to decide whether the domain is a fast-flux phishing domain
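The unique-IP observation can be run over ordinary resolver logs. The following is an added example, not FFCIDN's code or anything from the chapter: it parses constructed log lines of the form "timestamp domain resolved-IP", counts the distinct addresses seen per domain, and flags domains at or above a threshold. The slide does not say how FFCIDN derives its threshold, so here it is simply a parameter; domains, addresses (from the documentation ranges) and the threshold value are constructed. A practitioner should expect legitimately load-balanced domains to also resolve to many addresses, so a count like this is a signal to correlate, not a verdict on its own.

```python
"""Added illustration of unique-IP counting per domain (not FFCIDN's own code)."""
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <domain> <resolved IP>", one answer per line.
DNS_LOG = """\
2024-01-01T10:00:00Z shop.example 198.51.100.10
2024-01-01T10:00:30Z login-update.example 203.0.113.5
2024-01-01T10:01:00Z login-update.example 203.0.113.77
2024-01-01T10:01:30Z shop.example 198.51.100.11
2024-01-01T10:02:00Z login-update.example 203.0.113.140
2024-01-01T10:02:30Z login-update.example 203.0.113.9
2024-01-01T10:03:00Z shop.example 198.51.100.10
2024-01-01T10:03:30Z login-update.example 203.0.113.201
this line is malformed and must be skipped
2024-01-01T10:04:00Z login-update.example 203.0.113.5
2024-01-01T10:04:30Z login-update.example 203.0.113.66
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<domain>[A-Za-z0-9.-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def unique_ips_per_domain(log_text):
    """Return {domain: number of distinct IPv4 addresses it resolved to}.
    Repeated answers for the same address count once; malformed lines are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen[m["domain"].lower()].add(m["ip"])
    return {domain: len(ips) for domain, ips in seen.items()}


def fast_flux_candidates(log_text, threshold):
    """Domains whose distinct-IP count reaches the threshold (assumed parameter)."""
    counts = unique_ips_per_domain(log_text)
    return sorted(d for d, n in counts.items() if n >= threshold)


THRESHOLD = 5  # assumption: flag domains seen with five or more distinct addresses

if __name__ == "__main__":
    print(unique_ips_per_domain(DNS_LOG))
    print("fast-flux candidates:", fast_flux_candidates(DNS_LOG, THRESHOLD))
```

On the constructed log the first domain resolves to two addresses and stays unflagged, while the second resolves to six distinct addresses (one of them repeated) and is reported as a candidate; the malformed line is ignored rather than aborting the run.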

19 Open Challenges
Privacy of the exchanged information
Incentives for IDS cooperation
Botnet detection and removal

20 Conclusion
CIDNs use collective information from participants to achieve higher intrusion detection accuracy
A taxonomy to categorize different CIDNs
–Four features are proposed for the taxonomy
The future challenges include how to encourage participation and how to provide privacy for data sharing among IDSs

