Membership Management for unstructured distributed Collaborative IDS
In recent years, the growing volume of network traffic has made it harder to identify malicious traces within the mass of data. Stand-alone Intrusion Detection Systems (IDSs) and centralised IDSs struggle to process it. Distributed approaches share the workload among nodes, at the cost of network overhead for communicating input data and results. Moreover, sharing data that is relevant to only a subset of the nodes with all of them produces useless overhead and keeps the other nodes from processing the data that matters to them. Furthermore, it is hard to share data privately with only that subset of nodes.
This thesis proposes a way to connect only those nodes that see similar network traffic. First, the IDS nodes are placed in a Peer-to-Peer (P2P) overlay (SkipNet). Each IDS node then inserts its alert data into a Bloom filter, a probabilistic set-membership data structure. Alert dissemination begins with the nodes flooding their Bloom filters to one another. The combination of SkipNet and Bloom filters for collaborative intrusion detection offers two important properties, privacy and locality. First, the alert data cannot be read back out of a Bloom filter (a holder can only test whether a specific, guessed element was inserted, and even that answer carries a false-positive rate), and nodes only start exchanging detailed data once the similarity of their traffic exceeds a threshold. In addition, privacy constraints on sensitive data can be enforced through SkipNet's locality features. While flooding is highly inefficient in terms of communication overhead, our experimental results show that the system finds nodes with similar network traffic accurately.
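The following is an added illustration of the summary-and-gate step described above; it is not code from the thesis. Each node summarises its alert keys in a Bloom filter, peers estimate the overlap of their alert sets from the exchanged filters alone (cardinality estimates from the set-bit counts, combined into an approximate Jaccard index), and only pairs above a similarity threshold proceed to detailed exchange. The filter parameters (4096 bits, 3 hashes), the alert key format, the three node alert sets (built from documentation address ranges) and the 0.5 threshold are all assumptions chosen for the demonstration; the thesis does not specify them. The final lines also show the privacy caveat: a filter does not give its contents away, but whoever holds it can still probe for a guessed key.

```python
"""Bloom-filter alert summaries and similarity-gated exchange (added example, not thesis code)."""
import hashlib
import math
from typing import Iterable, List


class BloomFilter:
    """Fixed-size Bloom filter over strings, stored as one Python int used as a bitset."""

    def __init__(self, m_bits: int = 4096, k_hashes: int = 3) -> None:
        self.m = m_bits      # assumed parameters; m is a power of two below
        self.k = k_hashes
        self.bits = 0

    def _positions(self, item: str) -> List[int]:
        # Kirsch-Mitzenmacher double hashing: k positions from a single SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, so positions do not repeat
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits |= 1 << p

    def might_contain(self, item: str) -> bool:
        """True if the item may have been inserted (false positives possible), False if definitely not."""
        return all((self.bits >> p) & 1 for p in self._positions(item))

    def popcount(self) -> int:
        return bin(self.bits).count("1")

    def estimated_cardinality(self) -> float:
        """Swamidass-Baldi estimate of the number of inserted items from the set-bit count."""
        x = self.popcount()
        if x >= self.m:
            return float("inf")  # saturated filter: nothing can be estimated from it
        return -(self.m / self.k) * math.log(1.0 - x / self.m)

    def union(self, other: "BloomFilter") -> "BloomFilter":
        assert (self.m, self.k) == (other.m, other.k), "filters must share m and k"
        u = BloomFilter(self.m, self.k)
        u.bits = self.bits | other.bits
        return u


def summarise_alerts(alerts: Iterable[str], m_bits: int = 4096, k_hashes: int = 3) -> BloomFilter:
    """What a node floods to its peers: a filter over its alert keys, not the alerts themselves."""
    bf = BloomFilter(m_bits, k_hashes)
    for key in alerts:
        bf.add(key)
    return bf


def estimated_jaccard(a: BloomFilter, b: BloomFilter) -> float:
    """Approximate |A ∩ B| / |A ∪ B| computed from the two filters alone."""
    n_union = a.union(b).estimated_cardinality()
    if n_union <= 0 or math.isinf(n_union):
        return 0.0
    n_inter = a.estimated_cardinality() + b.estimated_cardinality() - n_union
    return max(0.0, min(1.0, n_inter / n_union))


def should_exchange_details(a: BloomFilter, b: BloomFilter, threshold: float = 0.5) -> bool:
    """Gate: only peers whose summaries are similar enough move on to exchanging detailed alerts."""
    return estimated_jaccard(a, b) >= threshold


# Constructed sample alert keys (TEST-NET documentation ranges), not real sensor data.
NODE_A = [f"src=203.0.113.{i} sig=ssh-bruteforce" for i in range(1, 51)]
NODE_B = [f"src=203.0.113.{i} sig=ssh-bruteforce" for i in range(11, 51)] + \
         [f"src=198.51.100.{i} sig=http-scanner" for i in range(1, 11)]
NODE_C = [f"src=192.0.2.{i} sig=dns-amplification" for i in range(1, 51)]


if __name__ == "__main__":
    fa, fb, fc = (summarise_alerts(n) for n in (NODE_A, NODE_B, NODE_C))
    print("A~B similarity", round(estimated_jaccard(fa, fb), 2), "exchange:", should_exchange_details(fa, fb))
    print("A~C similarity", round(estimated_jaccard(fa, fc), 2), "exchange:", should_exchange_details(fa, fc))
    # Privacy caveat: the filter reveals nothing by itself, but a guessed key can still be probed.
    print("A saw 203.0.113.7?", fa.might_contain("src=203.0.113.7 sig=ssh-bruteforce"))
```

Node A and node B share 40 of 50 alert keys (true Jaccard 0.67), so their summaries pass the gate, while A and C are disjoint and do not. The estimate is only as good as the filter sizing: once a filter approaches saturation the cardinality estimate degrades and the gate becomes meaningless, which is why `estimated_cardinality` refuses to answer for a fully set filter.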
- Emmanouil Vasilomanolakis (vasilomano(a-t)tk.tu-darmstadt.de)
Research areas: Telecooperation, CASED – SSI (Secure Smart Infrastructures), Secure Services