Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS
Yu-Sung Wu, et al.
This paper presents a system that integrates intrusion detection mechanisms at the network, application and kernel levels into one comprehensive system. The motivation behind this work is to improve detection of hostile intrusions by combining intrusion signals from different levels in a distributed system. Individual IDSs often show unsatisfactory performance, either reporting too many false positives or missing attacks (false negatives). The authors propose a model that combines off-the-shelf IDSs for different system components into a system that exhibits a much improved percentage of detected attacks and minimizes occurrences of false positives. In addition, the authors target performance in order to ensure that the overhead of CIDS is not significantly greater than the overhead of a single detector.
The authors describe their system and include details for such components as the Translation Engine, Inference Engine and Response Engine. One of the innovations in this paper is the use of a Bayesian network-based inference engine. This inference technique has been studied extensively in the artificial intelligence community, and its application in the computer security domain is long overdue. In addition to the Bayesian engine, the authors use a graph-based inference engine to infer an attack from a series of steps detected by the system. This series of steps is supplied by the system administrator in a rule-base format. The authors point out earlier in the paper that such a rule-based system can only detect attacks that are known. The authors state that their future goals include setting up rule objects for different attacks in an automated way.
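As an added illustration that is not part of the paper or of this review, the sketch below shows the two ideas the summary describes: fusing alert signals from network-, application- and kernel-level detectors into one posterior probability of attack (a naive-Bayes simplification, not the paper's actual Bayesian network), and matching an administrator-supplied step sequence, which by construction can only recognise attacks whose steps are already in the rule base. Detector rates, the conditional-independence assumption, the prior and the rule are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """One level-specific IDS with its (constructed) detection characteristics."""
    name: str
    tpr: float  # P(alert | attack)
    fpr: float  # P(alert | no attack)


# Constructed rates chosen only for illustration; real values must be measured.
DETECTORS = (
    Detector("network", tpr=0.90, fpr=0.10),
    Detector("application", tpr=0.80, fpr=0.05),
    Detector("kernel", tpr=0.70, fpr=0.02),
)


def posterior_attack(alerts: dict[str, bool], prior: float = 0.01) -> float:
    """P(attack | each detector's alert / no-alert observation).

    Simplifying assumption: detectors are conditionally independent given the
    attack state, so the joint likelihood is a product of per-detector terms.
    A detector that did not fire still contributes evidence (1 - tpr vs 1 - fpr).
    """
    like_attack, like_benign = prior, 1.0 - prior
    for d in DETECTORS:
        fired = alerts.get(d.name, False)
        like_attack *= d.tpr if fired else (1.0 - d.tpr)
        like_benign *= d.fpr if fired else (1.0 - d.fpr)
    return like_attack / (like_attack + like_benign)


def fused_verdict(alerts: dict[str, bool], threshold: float = 0.5) -> bool:
    """Raise a CIDS-level alarm only when the fused posterior crosses the threshold,
    which suppresses a lone detector firing against a low attack prior."""
    return posterior_attack(alerts) >= threshold


def matches_rule(rule: tuple[str, ...], events: list[str]) -> bool:
    """Rule-based step correlation: True if every step of `rule` occurs in
    `events` in the given order (unrelated events may interleave).
    Only sequences already written into the rule base can be recognised."""
    nxt = 0
    for ev in events:
        if nxt < len(rule) and ev == rule[nxt]:
            nxt += 1
    return nxt == len(rule)
```

With the constructed rates and a 1% prior, a network-level alert on its own yields a posterior near 0.006 and is suppressed, whereas alerts at all three levels yield about 0.98.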
Pros:
Cons:
Votes:
Strong Accept - 1
Accept - 7
Reject - 3
Strong Reject - 0