Abstract
The dependency of our society on networked computers has become frightening: in the economy, all-digital networks have turned from facilitators into drivers; as cyber-physical systems come of age, computer networks are becoming the central nervous systems of our physical world, even of highly critical infrastructures such as the power grid. At the same time, the 24/7 availability and correct functioning of networked computers is far more threatened than before: the number of sophisticated and highly tailored attacks on IT systems has increased significantly. Intrusion Detection Systems (IDSs) are a key component of the corresponding defense measures; they have been extensively studied and deployed in the past. Since conventional IDSs scale neither to large company networks and beyond nor to massively parallel attacks, Collaborative IDSs (CIDSs) have emerged. They consist of several monitoring components that collect and exchange data. Depending on the specific CIDS architecture, central or distributed analysis components mine the gathered data to identify attacks. The resulting alerts are correlated among multiple monitors in order to create a holistic view of the monitored network. This article first determines relevant requirements for CIDSs; it then identifies distinct building blocks as a basis for introducing a CIDS design space and for discussing it with respect to those requirements. Based on this design space, attacks that evade CIDSs and attacks on the availability of the CIDSs themselves are discussed. The entire framework of requirements, building blocks, and attacks is then used for a comprehensive analysis of the state of the art in collaborative intrusion detection, including a detailed survey and comparison of specific CIDS approaches.
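The core argument of the abstract, that alerts correlated across several monitors reveal attacks no single monitor can see, is easy to show in code. The following is an added illustration written for this page; it is not code from the article or from any of the CIDS implementations it surveys. It assumes a minimal alert record (timestamp, reporting monitor, source address, target host, destination port), a constructed alert stream using RFC 5737 documentation addresses, and three tunable choices that are assumptions rather than anything the article prescribes: a per-monitor threshold of 5 distinct ports, a global threshold of 6 distinct targets, and a corroboration rule that a global verdict needs reports from at least 2 monitors so that one faulty or compromised monitor cannot trigger it alone.

```python
"""Multi-monitor alert correlation for a collaborative IDS (added example).

Constructed scenario: four monitors (mon-A..mon-D) each watch one subnet.
A distributed port scan from 203.0.113.7 touches only two ports per subnet,
so no single monitor reaches its local threshold. Merging the alert streams
by source address inside a time window exposes the coordinated scan.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int        # epoch seconds
    sensor: str    # reporting monitor
    src: str       # source address observed
    dst: str       # target host
    dport: int     # destination port


LOCAL_THRESHOLD = 5    # distinct ports one monitor needs before it alerts (assumption)
GLOBAL_THRESHOLD = 6   # distinct (target, port) pairs across all monitors (assumption)
MIN_SENSORS = 2        # corroboration: a global verdict needs >= 2 monitors (assumption)
WINDOW = 60            # seconds; alerts are correlated inside a sliding window

# Constructed sample alert stream (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    # 203.0.113.7 probes two ports in each of four subnets within one minute
    Alert(1020, "mon-A", "203.0.113.7", "10.0.1.10", 22),
    Alert(1023, "mon-A", "203.0.113.7", "10.0.1.11", 445),
    Alert(1030, "mon-B", "203.0.113.7", "10.0.2.10", 22),
    Alert(1032, "mon-B", "203.0.113.7", "10.0.2.12", 3389),
    Alert(1040, "mon-C", "203.0.113.7", "10.0.3.10", 22),
    Alert(1045, "mon-C", "203.0.113.7", "10.0.3.11", 8080),
    Alert(1050, "mon-D", "203.0.113.7", "10.0.4.10", 22),
    Alert(1053, "mon-D", "203.0.113.7", "10.0.4.13", 5900),
    # 198.51.100.9 is reported heavily, but only by mon-B (uncorroborated)
    Alert(1060, "mon-B", "198.51.100.9", "10.0.2.10", 21),
    Alert(1061, "mon-B", "198.51.100.9", "10.0.2.10", 23),
    Alert(1062, "mon-B", "198.51.100.9", "10.0.2.10", 25),
    Alert(1063, "mon-B", "198.51.100.9", "10.0.2.10", 80),
    Alert(1064, "mon-B", "198.51.100.9", "10.0.2.10", 110),
    Alert(1065, "mon-B", "198.51.100.9", "10.0.2.10", 143),
    Alert(1066, "mon-B", "198.51.100.9", "10.0.2.10", 443),
    # 192.0.2.50: two isolated alerts from two monitors, no pattern
    Alert(1070, "mon-A", "192.0.2.50", "10.0.1.10", 80),
    Alert(1075, "mon-C", "192.0.2.50", "10.0.3.10", 443),
]


def _peak_window(items, window, keyfn):
    """Largest set of keyfn(alert) values seen in any `window`-second span,
    together with the monitors that contributed to that span."""
    items = sorted(items, key=lambda a: a.ts)
    best_keys, best_sensors = set(), set()
    for i, start in enumerate(items):
        span = [a for a in items[i:] if a.ts - start.ts < window]
        keys = {keyfn(a) for a in span}
        if len(keys) > len(best_keys):
            best_keys, best_sensors = keys, {a.sensor for a in span}
    return best_keys, best_sensors


def local_detect(alerts, threshold=LOCAL_THRESHOLD, window=WINDOW):
    """What each monitor flags on its own, without exchanging alerts.
    Returns {sensor: {src, ...}}."""
    per_sensor_src = defaultdict(list)
    for a in alerts:
        per_sensor_src[(a.sensor, a.src)].append(a)
    flagged = defaultdict(set)
    for (sensor, src), items in per_sensor_src.items():
        ports, _ = _peak_window(items, window, lambda a: a.dport)
        if len(ports) >= threshold:
            flagged[sensor].add(src)
    return dict(flagged)


def correlate(alerts, window=WINDOW, threshold=GLOBAL_THRESHOLD, min_sensors=MIN_SENSORS):
    """Merge all monitors' alerts by source address and judge the global view.
    Verdicts: 'coordinated' (threshold met, corroborated by >= min_sensors),
    'single-sensor' (threshold met by one monitor only), or None."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a.src].append(a)
    findings = {}
    for src, items in by_src.items():
        targets, sensors = _peak_window(items, window, lambda a: (a.dst, a.dport))
        if len(targets) >= threshold and len(sensors) >= min_sensors:
            verdict = "coordinated"
        elif len(targets) >= threshold:
            verdict = "single-sensor"
        else:
            verdict = None
        findings[src] = {"targets": len(targets), "sensors": sorted(sensors), "verdict": verdict}
    return findings


if __name__ == "__main__":
    print("local verdicts:", local_detect(SAMPLE_ALERTS))
    for src, f in correlate(SAMPLE_ALERTS).items():
        print(f"{src:14} targets={f['targets']:2} sensors={f['sensors']} -> {f['verdict']}")
```

Run stand-alone, the local pass flags only 198.51.100.9 at mon-B, while the correlated view additionally reports 203.0.113.7 as a coordinated scan across four monitors and downgrades the mon-B-only pattern to an uncorroborated finding. The corroboration rule is the simplest form of the robustness the abstract alludes to when it mentions attacks on the CIDS itself: a single monitor that floods the system with fabricated alerts can raise local noise but cannot on its own produce a global verdict.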
Taxonomy and Survey of Collaborative Intrusion Detection