When Intrusion Detection Meets Blockchain Technology: A Review

With the purpose of identifying cyber threats and possible incidents, intrusion detection systems (IDSs) are widely deployed in various computer networks. In order to enhance the detection capability of a single IDS, collaborative intrusion detection networks (or collaborative IDSs) have been developed, which allow IDS nodes to exchange data with each other. However, data and trust management still remain two challenges for current detection architectures, which may degrade the effectiveness of such detection systems. In recent years, blockchain technology has shown its adaptability in many fields, such as supply chain management, international payment, interbanking, and so on. As blockchain can protect the integrity of data storage and ensure process transparency, it has a potential to be applied to intrusion detection domain. Motivated by this, this paper provides a review regarding the intersection of IDSs and blockchains. In particular, we introduce the background of intrusion detection and blockchain, discuss the applicability of blockchain to intrusion detection, and identify open challenges in this direction

Collaborative internet worm containment

Large-scale worm outbrakes that leads to distributed denial-of-dervice attacks pose a major threat to internet infrastructure security. To prevent computers from such attacks deployment of fast, scalable security overlay networks based on distributed hash tables to facilitate high-speed intrusion detection and alert-information exchange are proposed. An effective system for worm detection and cyberspace defence must have robustness, cooperation among multiple sites, responsiveness to unexpected worms and efficiency and scalability. Deployment of collaborative WormShield monitors on just 1 percent of the vulnerable edge networks can detect worm signatures roughly 10 times faster than with independent monitors.published_or_final_versio

DISCUS: A massively distributed IDS architecture using a DSL-based configuration

International audienceNowadays, cloud computing becomes quite popular and a lot of research is done on services it provides. Most of security challenges induced by this new architecture are not yet tackled. In this work, we propose a new security architecture, based on a massively distributed network of security solutions, to address these challenges. Current solutions, like IDS or firewalls, were not formerly designed to detect attacks that draw profit from the cloud structure. Our solution DISCUS is based on a distributed architecture using both physical and virtual probes, along with former security solutions (IDS and firewalls). This paper describes DISCUS SCRIPT, a dedicated language that provides an easy way to configure the components of our solution

Design and evaluation of advanced collusion attacks on collaborative intrusion detection networks in practice

Joint 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 10th IEEE International Conference on Big Data Science and Engineering and 14th IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE TrustCom/BigDataSE/ISPA 2016, Tianjin, China, 23-26 August 2016To encourage collaboration among single intrusion detection systems (IDSs), collaborative intrusion detection networks (CIDNs) have been developed that enable different IDS nodes to communicate information with each other. This distributed network infrastructure aims to improve the detection performance of a single IDS, but may suffer from various insider attacks like collusion attacks, where several malicious nodes can collaborate to perform adversary actions. To defend against insider threats, challenge-based trust mechanisms have been proposed in the literature and proven to be robust against collusion attacks. However, we identify that such mechanisms depend heavily on an assumption of malicious nodes, which is not likely to be realistic and may lead to a weak threat model in practical scenarios. In this paper, we analyze the robustness of challenge-based CIDNs in real-world applications and present an advanced collusion attack, called random poisoning attack, which derives from the existing attacks. In the evaluation, we investigate the attack performance in both simulated and real CIDN environments. Experimental results demonstrate that our attack can enables a malicious node to send untruthful information without decreasing its trust value at large. Our research attempts to stimulate more research in designing more robust CIDN framework in practice.Department of Computing2016-2017 > Academic research: refereed > Refereed conference paperbcw

Design and Management of Collaborative Intrusion Detection Networks

In recent years network intrusions have become a severe threat to the privacy and safety of computer users. Recent cyber attacks compromise a large number of hosts to form botnets. Hackers not only aim at harvesting private data and identity information from compromised nodes, but also use the compromised nodes to launch attacks such as distributed denial-of-service (DDoS) attacks. As a counter measure, Intrusion Detection Systems (IDS) are used to identify intrusions by comparing observable behavior against suspicious patterns. Traditional IDSs monitor computer activities on a single host or network traffic in a sub-network. They do not have a global view of intrusions and are not effective in detecting fast spreading attacks, unknown, or new threats. In turn, they can achieve better detection accuracy through collaboration. An Intrusion Detection Network (IDN) is such a collaboration network allowing IDSs to exchange information with each other and to benefit from the collective knowledge and experience shared by others. IDNs enhance the overall accuracy of intrusion assessment as well as the ability to detect new intrusion types. Building an effective IDN is however a challenging task. For example, adversaries may compromise some IDSs in the network and then leverage the compromised nodes to send false information, or even attack others in the network, which can compromise the efficiency of the IDN. It is, therefore, important for an IDN to detect and isolate malicious insiders. Another challenge is how to make efficient intrusion detection assessment based on the collective diagnosis from other IDSs. Appropriate selection of collaborators and incentive-compatible resource management in support of IDSs' interaction with others are also key challenges in IDN design. To achieve efficiency, robustness, and scalability, we propose an IDN architecture and especially focus on the design of four of its essential components, namely, trust management, acquaintance management, resource management, and feedback aggregation. We evaluate our proposals and compare them with prominent ones in the literature and show their superiority using several metrics, including efficiency, robustness, scalability, incentive-compatibility, and fairness. Our IDN design provides guidelines for the deployment of a secure and scalable IDN where effective collaboration can be established between IDSs