Citation
Bakhdlaghi, Yousef Abdullah
(2020)
A super-peer architecture to improve intrusion detection and scalability in collaborative intrusion detection network.
Doctoral thesis, Universiti Putra Malaysia.
Abstract
A collaborative intrusion detection network (CIDN) correlates suspicious activity reported by collaborative intrusion detection systems (CIDSs) in different networks. By sharing knowledge and resources among the CIDSs, it raises the efficiency of intrusion detection and makes large-scale, coordinated attacks easier to discover. Existing CIDNs let a CIDS that lacks knowledge about a security event consult its collaborators, but they do not consider the collaborators' attack scopes when a consultation is requested. Because CIDSs in practice have different strengths in different attack areas, this can route consultations to inexpert peers, which degrades the efficiency of intrusion detection and hurts the scalability of the CIDN. In addition, a fast-spreading attack (FSA) is one of the most serious threats in networked environments: it can infect hosts and propagate at an exponential rate within a short time. Such an attack may spread across the nodes and overwhelm the CIDN with consultation requests, because existing architectures have no mechanism to discover an FSA from the consultation requests themselves; these requests have not yet been used to detect FSAs in existing CIDN architectures.
This study proposes a scope-aware super-peer CIDN architecture together with a method for detecting FSAs from the consultation requests that occur within the CIDN. A statistical approach based on the exponentially weighted moving average (EWMA) with an adaptive threshold is proposed to detect fast-spreading attacks as anomalies in the consultation traffic. The effectiveness of the proposed architecture was evaluated through a discrete-event simulation under different intrusion detection measures, namely detection accuracy, FSA detection, and scalability, with the flexibility to adjust simulation parameters for different test scenarios and to compare the proposed super-peer CIDN architecture with the previous unstructured peer-to-peer architecture. Several simulation scenarios were run to evaluate the performance of the proposed super-peer architecture. The simulation results demonstrate the feasibility of the proposed architecture and show improved performance on a range of intrusion detection metrics: true-positive rate (TPR), true-negative rate (TNR), false-positive rate (FPR), false-negative rate (FNR), detection accuracy (DA), receiver operating characteristic (ROC), FSA detection, and overall scalability. Nodes in the super-peer CIDN obtain more reliable feedback and therefore achieve better intrusion detection than in the previous peer-to-peer CIDN architecture. In addition, FSA detection combined with an FSA knowledge base reduces the number of consultation requests and feedback messages, which improves the scalability of the proposed architecture. The super-peer architecture is therefore a better solution for strengthening the efficiency of intrusion detection as a CIDN scales up, while reducing the overhead of unnecessary consultation requests and feedback among collaborators and thereby enhancing the overall scalability of the architecture.
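As an added worked example (not code from the thesis; the abstract does not give the detector's exact formulation), the following Python models an EWMA detector with an adaptive threshold running over per-interval counts of consultation requests seen by one super-peer. The EWMA recurrence, the threshold form (mean plus k times the EWMA standard deviation), the floor on the deviation estimate, the warm-up length and the sample counts are all assumptions made here for illustration.

```python
"""EWMA fast-spreading-attack (FSA) detector over consultation-request counts.

Added example, not code from the thesis. Assumptions (not stated in the abstract):
- the input is a per-interval count of consultation requests seen by one super-peer
  (constructed sample data below);
- the standard EWMA recurrence S_t = alpha * x_t + (1 - alpha) * S_{t-1} for the mean,
  with the matching incremental EWMA variance estimate;
- the adaptive threshold is mean + k * sigma, where sigma is floored at min_sigma so a
  very quiet baseline does not alarm on single-request jitter;
- the baseline is updated only on intervals judged benign, so an ongoing outbreak does
  not raise its own threshold.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EwmaFsaDetector:
    alpha: float = 0.2      # smoothing factor: higher tracks the baseline faster
    k: float = 3.0          # how many sigmas above the mean count as an outbreak
    warmup: int = 5         # intervals used to seed the baseline before alarms can fire
    min_sigma: float = 1.0  # floor on the deviation estimate (hypothetical choice)
    mean: Optional[float] = field(default=None, init=False)
    var: float = field(default=0.0, init=False)
    n: int = field(default=0, init=False)

    def threshold(self) -> float:
        """Adaptive threshold derived from the current EWMA mean and deviation."""
        sigma = max(self.var ** 0.5, self.min_sigma)
        return self.mean + self.k * sigma

    def update(self, x: float) -> Tuple[bool, float]:
        """Feed one interval's request count. Returns (is_fsa, threshold_used)."""
        self.n += 1
        if self.mean is None:           # first observation seeds the baseline
            self.mean = float(x)
            return False, self.threshold()
        thr = self.threshold()
        is_fsa = self.n > self.warmup and x > thr
        if not is_fsa:
            # Robust update: only benign intervals move the baseline, so the
            # exponential growth of an outbreak cannot train its own threshold.
            diff = x - self.mean
            self.mean += self.alpha * diff
            self.var = (1.0 - self.alpha) * (self.var + self.alpha * diff * diff)
        return is_fsa, thr


def detect_fsa(counts: List[int], **params) -> List[int]:
    """Return the indices of intervals the detector flags as part of an FSA."""
    det = EwmaFsaDetector(**params)
    return [i for i, x in enumerate(counts) if det.update(x)[0]]


# Constructed sample: ten intervals of normal consultation traffic, then a worm-like
# outbreak whose consultation-request volume doubles every interval.
SAMPLE_COUNTS = [10, 11, 9, 10, 12, 10, 9, 11, 10, 10, 20, 40, 80, 160, 320]

if __name__ == "__main__":
    det = EwmaFsaDetector()
    for i, x in enumerate(SAMPLE_COUNTS):
        is_fsa, thr = det.update(x)
        print(f"t={i:2d} requests={x:4d} threshold={thr:6.2f} {'FSA' if is_fsa else ''}")
```

With the sample data the first ten intervals settle the EWMA mean near 10 and the threshold near 13, so the first doubling interval (20 requests) is flagged and every later interval of the outbreak stays flagged against the frozen threshold; once the counts return to the baseline the detector resumes adapting. What the super-peer does with an alarm, for example recording the event in an FSA knowledge base so that further consultation requests about it are answered locally instead of being forwarded, is part of the architecture described above and is not modelled here.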