On Collaborative Intrusion Detection
Cyber-attacks have nowadays become more frightening than ever before. The growing dependency of our society on networked systems aggravates these threats; from interconnected corporate networks and Industrial Control Systems (ICSs) to smart households, the attack surface for the adversaries is increasing. At the same time, it is becoming evident that the utilization of classic fields of security research alone, e.g., cryptography, or the usage of isolated traditional defense mechanisms, e.g., firewalls and Intrusion Detection Systems (IDSs), is not enough to cope with the imminent security challenges.

To move beyond monolithic approaches and concepts that follow a “cat and mouse” paradigm between the defender and the attacker, cyber-security research requires novel schemes. One such promising approach is collaborative intrusion detection. Driven by the lessons learned from cyber-security research over the years, this notion attempts to connect two instinctive questions: “if we acknowledge the fact that no security mechanism can detect all attacks, can we beneficially combine multiple approaches to operate together?” and “as the adversaries increasingly collaborate (e.g., Distributed Denial of Service (DDoS) attacks from ever larger botnets) to achieve their goals, can the defenders beneficially collude too?”. Collaborative intrusion detection attempts to address the emerging security challenges by providing methods for IDSs and other security mechanisms (e.g., firewalls and honeypots) to combine their knowledge towards generating a more holistic view of the monitored network.

This thesis improves the state of the art in collaborative intrusion detection in several areas. In particular, the dissertation proposes methods for the detection of complex attacks and the generation of the corresponding intrusion detection signatures. Moreover, a novel approach for the generation of alert datasets is given, which can assist researchers in evaluating intrusion detection algorithms and systems. Furthermore, a method for the construction of communities of collaborative monitoring sensors is given, along with a domain-awareness approach that incorporates an efficient data correlation mechanism. With regard to attacks and countermeasures, a detailed methodology is presented that focuses on sensor-disclosure attacks in the context of collaborative intrusion detection.

The scientific contributions can be structured into the following categories:

Alert data generation: This thesis deals with the topic of alert data generation in a twofold manner: first, it presents novel approaches for detecting complex attacks towards generating alert signatures for IDSs; second, a method for the synthetic generation of alert data is proposed. In particular, a novel security mechanism for mobile devices is proposed that is able to support users in assessing the security status of their networks. The system can detect sophisticated attacks and generate signatures to be utilized by IDSs. The dissertation also touches the topic of synthetic, yet realistic, dataset generation for the evaluation of intrusion detection algorithms and systems; it proposes a novel dynamic dataset generation concept that overcomes the shortcomings of the related work.

Collaborative intrusion detection: As a first step, the thesis proposes a novel taxonomy for collaborative intrusion detection accompanied by building blocks for Collaborative IDSs (CIDSs). Moreover, the dissertation deals with the topics of (alert) data correlation and aggregation in the context of CIDSs. For this, a number of novel methods are proposed that aim at improving the clustering of monitoring sensors that exhibit similar traffic patterns. Furthermore, a novel alert correlation approach is presented that can minimize the messaging overhead of a CIDS.

Attacks on CIDSs: It is common for research on cyber-defense to switch its perspective, taking on the viewpoint of attackers and trying to anticipate their remedies against novel defense approaches. The thesis follows such an approach by focusing on a certain class of attacks on CIDSs that aim at identifying the network location of the monitoring sensors. In particular, the state of the art is advanced by proposing a novel scheme for the improvement of such attacks. Furthermore, the dissertation proposes novel mitigation techniques to overcome both the state of the art and the proposed improved attacks.

Evaluation: All the proposals and methods introduced in the dissertation were evaluated qualitatively, quantitatively and empirically. A comprehensive study of the state of the art in collaborative intrusion detection was conducted via a qualitative approach, identifying research gaps and surveying the related work. To study the effectiveness of the proposed algorithms and systems, extensive simulations were utilized. Moreover, the applicability and usability of some of the contributions in the area of alert data generation were additionally supported via Proofs of Concept (PoCs) and prototypes.

The majority of the contributions were published in peer-reviewed journal articles, in book chapters, and in the proceedings of international conferences and workshops.
SweetCam: an IP Camera Honeypot
The utilization of the Internet of Things (IoT) as an attack surface is nowadays a fact. Taking IP cameras as a use-case, they have been targeted to a great extent mainly due to the absence of authentication, the use of protocols that are weak in terms of security, and their high availability. To cope with the current situation and study the current state of attacks against IP cameras, we propose the use of cyber-deception and in particular honeypots. Honeypots can provide useful insights into current attack campaigns, and they can divert attackers’ attention away from the actual targets. In this paper, we propose an open-source medium-interaction IP camera honeypot that requires minimal settings while supporting a modular architecture for adding new camera models. The honeypot, namely SweetCam, supports the emulation of SSH, RTSP and HTTP. Furthermore, it creates a web service (HTTP) that depicts an IP camera interface with a login page and the emulation of a camera interface using user-specified 360-degree video streams and images. We deploy instances of the honeypot in different geographical locations, for a period of 3 weeks, and receive a total of 5,780, 1,402 and 218,344 attacks on the HTTP, RTSP and SSH services respectively, from 5,924 unique IPs. Lastly, we further analyze the attacks and identify common Internet scanners (e.g., Shodan) among the services that have contacted the honeypots.
TRIDEnT: Building Decentralized Incentives for Collaborative Security
Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.
Comment: 28 page