On Collaborative Intrusion Detection

Cyber-attacks have nowadays become more frightening than ever before. The growing dependency of our society on networked systems aggravates these threats; from interconnected corporate networks and Industrial Control Systems (ICSs) to smart households, the attack surface for the adversaries is increasing. At the same time, it is becoming evident that the utilization of classic fields of security research alone, e.g., cryptography, or the usage of isolated traditional defense mechanisms, e.g., firewalls and Intrusion Detection Systems ( IDSs ), is not enough to cope with the imminent security challenges. To move beyond monolithic approaches and concepts that follow a “cat and mouse” paradigm between the defender and the attacker, cyber-security research requires novel schemes. One such promis- ing approach is collaborative intrusion detection. Driven by the lessons learned from cyber-security research over the years, the aforesaid notion attempts to connect two instinctive questions: “if we acknowledge the fact that no security mechanism can detect all attacks, can we beneficially combine multiple approaches to operate together?” and “as the adversaries increasingly collaborate (e.g., Distributed Denial of Service (DDoS) attacks from whichever larger botnets) to achieve their goals, can the defenders beneficially collude too?”. Collabora- tive intrusion detection attempts to address the emerging security challenges by providing methods for IDSs and other security mech- anisms (e.g., firewalls and honeypots) to combine their knowledge towards generating a more holistic view of the monitored network. This thesis improves the state of the art in collaborative intrusion detection in several areas. In particular, the dissertation proposes methods for the detection of complex attacks and the generation of the corresponding intrusion detection signatures. Moreover, a novel approach for the generation of alert datasets is given, which can assist researchers in evaluating intrusion detection algorithms and systems. Furthermore, a method for the construction of communities of collab- orative monitoring sensors is given, along with a domain-awareness approach that incorporates an efficient data correlation mechanism. With regard to attacks and countermeasures, a detailed methodology is presented that is focusing on sensor-disclosure attacks in the con- text of collaborative intrusion detection. The scientific contributions can be structured into the following categories: Alert data generation: This thesis deals with the topic of alert data generation in a twofold manner: first it presents novel approaches for detecting complex attacks towards generating alert signatures for IDSs ; second a method for the synthetic generation of alert data is pro- posed. In particular, a novel security mechanism for mobile devices is proposed that is able to support users in assessing the security status of their networks. The system can detect sophisticated attacks and generate signatures to be utilized by IDSs . The dissertation also touches the topic of synthetic, yet realistic, dataset generation for the evaluation of intrusion detection algorithms and systems; it proposes a novel dynamic dataset generation concept that overcomes the short- comings of the related work. Collaborative intrusion detection: As a first step, the the- sis proposes a novel taxonomy for collaborative intrusion detection ac- companied with building blocks for Collaborative IDSs ( CIDSs ). More- over, the dissertation deals with the topics of (alert) data correlation and aggregation in the context of CIDSs . For this, a number of novel methods are proposed that aim at improving the clustering of mon- itoring sensors that exhibit similar traffic patterns. Furthermore, a novel alert correlation approach is presented that can minimize the messaging overhead of a CIDS. Attacks on CIDSs: It is common for research on cyber-defense to switch its perspective, taking on the viewpoint of attackers, trying to anticipate their remedies against novel defense approaches. The the- sis follows such an approach by focusing on a certain class of attacks on CIDSs that aim at identifying the network location of the monitor- ing sensors. In particular, the state of the art is advanced by proposing a novel scheme for the improvement of such attacks. Furthermore, the dissertation proposes novel mitigation techniques to overcome both the state of art and the proposed improved attacks. Evaluation: All the proposals and methods introduced in the dis- sertation were evaluated qualitatively, quantitatively and empirically. A comprehensive study of the state of the art in collaborative intru- sion detection was conducted via a qualitative approach, identifying research gaps and surveying the related work. To study the effective- ness of the proposed algorithms and systems extensive simulations were utilized. Moreover, the applicability and usability of some of the contributions in the area of alert data generation was additionally supported via Proof of Concepts (PoCs) and prototypes. The majority of the contributions were published in peer-reviewed journal articles, in book chapters, and in the proceedings of interna- tional conferences and workshops

SweetCam: an IP Camera Honeypot

The utilization of the Internet of Things (IoT) as an attack surface is nowadays a fact. Taking IP cameras as a use-case, they have been targeted to a great extent mainly due to the absence of authentication, the utilization of weak, in terms of security, protocols, and their high availability. To cope with the current situation and study the current state of attacks against IP cameras we propose the use of cyber-deception and in particular honeypots. Honeypots can provide useful insights into current attack campaigns, and they can divert attackers’ attention away from the actual targets.In this paper, we propose an open-source medium interaction IP camera honeypot that requires minimal settings while supporting a modular architecture for adding new camera models. The honeypot, namely SweetCam, supports the emulation of SSH, RTSP and HTTP. Furthermore, it creates a web-service (HTTP) that depicts an IP camera interface with a login page and the emulation of a camera interface using user-specified 360-degree video streams and images. We deploy instances of the honeypot in different geographical locations, for a period of 3 weeks, and receive a total of 5,780, 1,402 and 218,344 attacks on HTTP, RTSP and SSH services respectively; from 5,924 unique IPs. Lastly, we further analyze the attacks, and identify common Internet scanners (e.g., Shodan) among the services that have contacted the honeypots

TRIDEnT: Building Decentralized Incentives for Collaborative Security

Sophisticated mass attacks, especially when exploiting zero-day vulnerabilities, have the potential to cause destructive damage to organizations and critical infrastructure. To timely detect and contain such attacks, collaboration among the defenders is critical. By correlating real-time detection information (alerts) from multiple sources (collaborative intrusion detection), defenders can detect attacks and take the appropriate defensive measures in time. However, although the technical tools to facilitate collaboration exist, real-world adoption of such collaborative security mechanisms is still underwhelming. This is largely due to a lack of trust and participation incentives for companies and organizations. This paper proposes TRIDEnT, a novel collaborative platform that aims to enable and incentivize parties to exchange network alert data, thus increasing their overall detection capabilities. TRIDEnT allows parties that may be in a competitive relationship, to selectively advertise, sell and acquire security alerts in the form of (near) real-time peer-to-peer streams. To validate the basic principles behind TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is of independent interest, and show that collaboration is bound to take place infinitely often. Furthermore, to demonstrate the feasibility of our approach, we instantiate our design in a decentralized manner using Ethereum smart contracts and provide a fully functional prototype.Comment: 28 page