A super-peer architecture to improve intrusion detection and scalability in collaborative intrusion detection network


Overview

Bibliographic details
Main author: Bakhdlaghi, Yousef Abdullah
Format: Thesis
Language: English
Published: 2020
Online access: http://psasir.upm.edu.my/id/eprint/90709/1/FSKTM%202020%2015%20IR.pdf
Description
Summary: Collaborative intrusion detection network (CIDN) offers the ability to correlate suspicious activities from various collaborative intrusion detection systems (CIDSs) in different networks to maximize the efficiency of intrusion detection by sharing knowledge and resources among them, which facilitates the discovery of large-scale and coordinated attacks. Although the existing CIDN offers a consultation capability for collaborators when a single CIDS lacks knowledge about a security event, it does not consider the collaborators' attack scopes when requesting consultation, which can result in consulting inexpert peers and thus degrade the efficiency of intrusion detection in the CIDN and negatively affect its scalability, while in reality CIDSs have different strengths in various attack areas. In addition, the fast-spreading attack (FSA) is one of the most serious threats in networked environments: it can infect hosts and propagate at an exponential rate in a short period of time. This type of attack might spread across the nodes and overwhelm the CIDN with consultation requests, because the CIDN lacks a mechanism to discover an FSA from the consultation requests themselves. In fact, these consultation requests have not yet been utilized to detect FSA in existing CIDN architectures. The aim of this study is to propose a scope-aware super-peer CIDN architecture and to detect FSA based on the consultation requests that occur within the CIDN. A statistical approach, the exponentially weighted moving average (EWMA) with an adaptive threshold, is proposed to detect fast-spreading attacks (anomalies) in the CIDN.
The effectiveness of the proposed architecture was evaluated through a discrete-event simulation under different intrusion detection measurements in terms of detection accuracy, FSA detection, and scalability, with flexibility in adjusting simulation parameters to perform different test scenarios in the CIDN and to compare the proposed super-peer CIDN architecture with the previous unstructured peer-to-peer architecture. Several simulation scenarios were performed to evaluate the performance of the proposed super-peer architecture. The simulation results demonstrate the feasibility of the proposed architecture and show improved performance on various intrusion detection metrics, including true-positive rate (TPR), true-negative rate (TNR), false-positive rate (FPR), false-negative rate (FNR), detection accuracy (DA), receiver operating characteristic (ROC), FSA detection, and overall scalability. In fact, nodes in the super-peer CIDN architecture are able to obtain more reliable feedback and thus better intrusion detection compared to the previous peer-to-peer CIDN architecture. Additionally, the FSA detection and the FSA knowledge base employed in the architecture reduce consultation requests and feedback and improve the scalability of the proposed architecture. Therefore, the super-peer architecture is a better solution for CIDN to strengthen the efficiency of intrusion detection as the CIDN scales up, while reducing the overload of unnecessary consultation requests and feedback among collaborators, which effectively enhances the overall scalability of the architecture.
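The summary describes detecting a fast-spreading attack from the rate of consultation requests with an EWMA and an adaptive threshold, but the thesis's exact update and threshold rules are not reproduced on this page. The following is an added illustration, not code from the thesis: it assumes a super-peer counts consultation requests per time interval, keeps an EWMA of that count together with an exponentially weighted variance, and flags an interval when the count exceeds mean + k standard deviations (with a small floor so a near-constant baseline does not produce a zero-width band). The request counts are constructed sample data with a burst in the middle; the parameter values (alpha, k, min_band) and the choice not to feed flagged intervals back into the baseline are assumptions of this example.

```python
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional, Tuple


@dataclass
class EwmaBurstDetector:
    """EWMA baseline with an adaptive threshold (mean + k * ew_stddev).

    Assumed rule for this example: an observation is anomalous when it
    exceeds the threshold derived from the *previous* baseline; anomalous
    observations are not folded into the baseline, so a burst does not
    raise its own threshold while it is in progress.
    """
    alpha: float = 0.3      # weight of the newest observation in the EWMA
    k: float = 3.0          # width of the band in ew-standard-deviations
    min_band: float = 2.0   # floor on the band while variance is still ~0
    mean: Optional[float] = None
    var: float = 0.0

    def threshold(self) -> float:
        assert self.mean is not None
        return self.mean + max(self.k * sqrt(self.var), self.min_band)

    def update(self, x: float) -> Tuple[bool, float]:
        """Return (is_anomaly, threshold_used) for one interval's count."""
        if self.mean is None:               # first interval seeds the baseline
            self.mean = float(x)
            return False, self.threshold()
        thr = self.threshold()
        if x > thr:
            return True, thr                # flagged: leave baseline untouched
        diff = x - self.mean
        incr = self.alpha * diff
        self.mean += incr
        # exponentially weighted variance, incremental form:
        # var' = (1 - alpha) * (var + alpha * diff^2)
        self.var = (1.0 - self.alpha) * (self.var + diff * incr)
        return False, thr


def run_detector(counts: List[int], alpha: float = 0.3, k: float = 3.0,
                 min_band: float = 2.0) -> Tuple[List[int], EwmaBurstDetector]:
    """Feed per-interval consultation-request counts through the detector.

    Returns the indices of flagged intervals and the detector's final state.
    """
    det = EwmaBurstDetector(alpha=alpha, k=k, min_band=min_band)
    flagged = []
    for i, c in enumerate(counts):
        anomaly, _ = det.update(c)
        if anomaly:
            flagged.append(i)
    return flagged, det


# Constructed sample: consultation requests per minute seen by one super-peer.
# Intervals 0-9 are a quiet baseline, 10-13 an exponential burst, 14-15 quiet.
SAMPLE_COUNTS = [12, 14, 11, 13, 14, 12, 14, 13, 12, 14,
                 40, 95, 210, 450,
                 13, 12]

if __name__ == "__main__":
    det = EwmaBurstDetector()
    for i, c in enumerate(SAMPLE_COUNTS):
        anomaly, thr = det.update(c)
        tag = "FSA?" if anomaly else "ok  "
        print(f"t={i:2d} requests={c:4d} threshold={thr:7.2f} {tag}")
```

Because flagged intervals are skipped when the baseline is updated, the mean stays near the quiet-period level (about 13) through the burst and the detector returns to "ok" as soon as the rate drops; the trade-off is that a legitimate, permanent rise in request volume would keep being flagged until the baseline is reseeded, so a deployment would also want a rule for accepting a new normal.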