On Collaborative Intrusion Detection
AbstractCyber-attacks have nowadays become more frightening than ever before. The growing dependency of our society on networked systems aggravates these threats; from interconnected
corporate networks and Industrial Control Systems (ICSs) to smart households, the attack surface for the adversaries is increasing. At the same time, it is becoming evident that the utilization of classic fields of security research alone, e.g., cryptography, or the usage of
isolated traditional defense mechanisms, e.g., firewalls and Intrusion
Detection Systems ( IDSs ), is not enough to cope with the imminent
To move beyond monolithic approaches and concepts that follow a
“cat and mouse” paradigm between the defender and the attacker,
cyber-security research requires novel schemes. One such promis-
ing approach is collaborative intrusion detection. Driven by the lessons learned from cyber-security research over the years, the aforesaid notion attempts to connect two instinctive questions: “if we acknowledge the fact that no security mechanism can detect all attacks, can we
beneficially combine multiple approaches to operate together?” and
“as the adversaries increasingly collaborate (e.g., Distributed Denial
of Service (DDoS) attacks from whichever larger botnets) to achieve
their goals, can the defenders beneficially collude too?”. Collabora-
tive intrusion detection attempts to address the emerging security
challenges by providing methods for IDSs and other security mech-
anisms (e.g., firewalls and honeypots) to combine their knowledge
towards generating a more holistic view of the monitored network.
This thesis improves the state of the art in collaborative intrusion
detection in several areas. In particular, the dissertation proposes
methods for the detection of complex attacks and the generation of
the corresponding intrusion detection signatures. Moreover, a novel
approach for the generation of alert datasets is given, which can assist
researchers in evaluating intrusion detection algorithms and systems.
Furthermore, a method for the construction of communities of collab-
orative monitoring sensors is given, along with a domain-awareness
approach that incorporates an efficient data correlation mechanism.
With regard to attacks and countermeasures, a detailed methodology
is presented that is focusing on sensor-disclosure attacks in the con-
text of collaborative intrusion detection.
The scientific contributions can be structured into
the following categories:
Alert data generation: This thesis deals with the topic of alert
data generation in a twofold manner: first it presents novel approaches
for detecting complex attacks towards generating alert signatures for
IDSs ; second a method for the synthetic generation of alert data is pro-
posed. In particular, a novel security mechanism for mobile devices
is proposed that is able to support users in assessing the security
status of their networks. The system can detect sophisticated attacks
and generate signatures to be utilized by IDSs . The dissertation also
touches the topic of synthetic, yet realistic, dataset generation for the
evaluation of intrusion detection algorithms and systems; it proposes
a novel dynamic dataset generation concept that overcomes the short-
comings of the related work.
Collaborative intrusion detection: As a first step, the the-
sis proposes a novel taxonomy for collaborative intrusion detection ac-
companied with building blocks for Collaborative IDSs ( CIDSs ). More-
over, the dissertation deals with the topics of (alert) data correlation
and aggregation in the context of CIDSs . For this, a number of novel
methods are proposed that aim at improving the clustering of mon-
itoring sensors that exhibit similar traffic patterns. Furthermore, a
novel alert correlation approach is presented that can minimize the
messaging overhead of a CIDS.
Attacks on CIDSs: It is common for research on cyber-defense to
switch its perspective, taking on the viewpoint of attackers, trying to
anticipate their remedies against novel defense approaches. The the-
sis follows such an approach by focusing on a certain class of attacks
on CIDSs that aim at identifying the network location of the monitor-
ing sensors. In particular, the state of the art is advanced by proposing
a novel scheme for the improvement of such attacks. Furthermore, the
dissertation proposes novel mitigation techniques to overcome both
the state of art and the proposed improved attacks.
Evaluation: All the proposals and methods introduced in the dis-
sertation were evaluated qualitatively, quantitatively and empirically.
A comprehensive study of the state of the art in collaborative intru-
sion detection was conducted via a qualitative approach, identifying
research gaps and surveying the related work. To study the effective-
ness of the proposed algorithms and systems extensive simulations
were utilized. Moreover, the applicability and usability of some of
the contributions in the area of alert data generation was additionally
supported via Proof of Concepts (PoCs) and prototypes.
The majority of the contributions were published in peer-reviewed
journal articles, in book chapters, and in the proceedings of interna-
tional conferences and workshops