RepCIDN: A Reputation-based Collaborative Intrusion Detection Network to Lessen the Impact of Malicious Alarms

Pérez, Manuel Gil; Mármol, Félix Gómez; Pérez, Gregorio Martínez; Gómez, Abraham Bernárdez

doi:10.1007/s10922-012-9230-8

Cited by 30 publications

(40 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This is achieved by a probabilistic model whose purpose is to measure the satisfaction level of the received response messages. A number of similar trust mechanisms for CIDSs to cope with insider attacks have been proposed [Fung et al 2008;Duma et al 2006;Sen et al 2008;Gil Pérez et al 2013].…”

Section: Internal Attacksmentioning

confidence: 99%

Taxonomy and Survey of Collaborative Intrusion Detection

et al. 2015

View full text Add to dashboard Cite

The dependency of our society on networked computers has become frightening: In the economy, all-digital networks have turned from facilitators to drivers; as cyber-physical systems are coming of age, computer networks are now becoming the central nervous systems of our physical world-even of highly critical infrastructures such as the power grid. At the same time, the 24/7 availability and correct functioning of networked computers has become much more threatened: The number of sophisticated and highly tailored attacks on IT systems has significantly increased. Intrusion Detection Systems (IDSs) are a key component of the corresponding defense measures; they have been extensively studied and utilized in the past. Since conventional IDSs are not scalable to big company networks and beyond, nor to massively parallel attacks, Collaborative IDSs (CIDSs) have emerged. They consist of several monitoring components that collect and exchange data. Depending on the specific CIDS architecture, central or distributed analysis components mine the gathered data to identify attacks. Resulting alerts are correlated among multiple monitors in order to create a holistic view of the network monitored. This article first determines relevant requirements for CIDSs; it then differentiates distinct building blocks as a basis for introducing a CIDS design space and for discussing it with respect to requirements. Based on this design space, attacks that evade CIDSs and attacks on the availability of the CIDSs themselves are discussed. The entire framework of requirements, building blocks, and attacks as introduced is then used for a comprehensive analysis of the state of the art in collaborative intrusion detection, including a detailed survey and comparison of specific CIDS approaches.

show abstract

Section: Internal Attacksmentioning

confidence: 99%

Taxonomy and Survey of Collaborative Intrusion Detection

et al. 2015

View full text Add to dashboard Cite

show abstract

“…In this context, [3,40] are amongst the first initiatives that evaluate malicious attitudes of IDSs. In [3], a trust-based framework to avoid sharing bogus alerts within collaborative intrusion detection networks was presented.…”

Section: Related Workmentioning

confidence: 99%

“…Furthermore, this approach does not consider the reoutational differences amongst HIDSs. On the other hand, the work presented in [40] proposed a complete trust and reputation system for HIDSs and NIDSs, including their management in intra-and inter-domain environments. However, no distinction is made amongst different sensors, e.g., using their reputation, to maximise information gain through the trust diversity of the domain where they are deployed.…”

Section: Related Workmentioning

confidence: 99%

Trustworthy placements: Improving quality and resilience in collaborative attack detection

et al. 2014

Self Cite

View full text Add to dashboard Cite

In distributed and collaborative attack detection systems decisions are made on the basis of the events reported by many sensors, e.g., Intrusion Detection Systems placed across various network locations. In some cases such events originate at locations over which we have little control, for example because they belong to an organisation that shares information with us. Blindly accepting such reports as real encompasses several risks, as sensors might be dishonest, unreliable or simply compromised. In these situations trust plays an important role in deciding whether alerts should be believed or not. In this work we present an approach to maximise the quality of the information gathered in such systems and the resilience against dishonest behaviours. We introduce the notion of trust diversity amongst sensors and argue that detection configurations with such a property perform much better in many respects. Using reputation as a proxy for trust, we introduce an adaptive scheme to dynamically reconfigure the network of detection sensors. Experiments confirm an overall increase both in detection quality and resilience against compromise and misbehaviour.

show abstract

“…However, this proposal is restricted to the management of HIDSs, leaving Networkbased IDSs (NIDSs) out of scope. Instead, a complete trust and reputation system for HIDSs and NIDSs, including their management in intra-and inter-domain environments, is proposed in [19]. Nevertheless, the reputation model designed for inter-domain scenarios is quite generic, and no experimental results are provided.…”

Section: Trust and Reputation Management Systemmentioning

confidence: 99%

“…Without this evaluation, IDSs with malicious attitudes can lead the AIRS to react mistakenly against a bogus threat. Both [13] and [19] are the first initiatives in this context, although none of them presents an entire model for the trust and reputation management in multi-domain environments.…”

Section: Related Workmentioning

confidence: 99%

RECLAMO: Virtual and Collaborative Honeynets Based on Trust Management and Autonomous Systems Applied to Intrusion Management

Pérez

Lanchas

Cambronero

et al. 2013

2013 Seventh International Conference on Complex, Intelligent, and Software Intensive Systems

View full text Add to dashboard Cite

Abstract-Security intrusions in large systems is a problem due to its lack of scalability with the current IDS-based approaches. This paper describes the RECLAMO project, where an architecture for an Automated Intrusion Response System (AIRS) is being proposed. This system will infer the most appropriate response for a given attack, taking into account the attack type, context information, and the trust and reputation of the reporting IDSs. RECLAMO is proposing a novel approach: diverting the attack to a specific honeynet that has been dynamically built based on the attack information. Among all components forming the RECLAMO's architecture, this paper is mainly focused on defining a trust and reputation management model, essential to recognize if IDSs are exposing an honest behavior in order to accept their alerts as true. Experimental results confirm that our model helps to encourage or discourage the launch of the automatic reaction process.

show abstract

RepCIDN: A Reputation-based Collaborative Intrusion Detection Network to Lessen the Impact of Malicious Alarms

Cited by 30 publications

References 37 publications

Taxonomy and Survey of Collaborative Intrusion Detection

Taxonomy and Survey of Collaborative Intrusion Detection

Trustworthy placements: Improving quality and resilience in collaborative attack detection

RECLAMO: Virtual and Collaborative Honeynets Based on Trust Management and Autonomous Systems Applied to Intrusion Management

Contact Info

Product

Resources

About