Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS

Yu-Sung Wu, et al.


This paper presents a system that integrates intrusion detection mechanisms at the network, application and kernel levels into one comprehensive system. The motivation behind this work is to improve detection of hostile intrusions by combining intrusion signals from different levels in a distributed system. Individual IDSs often show unsatisfactory performance, either reporting too many false positives or reporting false negatives. The authors propose a model that would combine off-the-shelf IDSs for different system components into a system that would exhibit a much improved percentage of detected attacks and would minimize occurrences of false positives. In addition, the authors target performance in order to ensure that the overhead of CIDS is not significantly greater than the overhead of a single detector.


The authors describe their system and include details for such components as the Translation Engine, Inference Engine and Response Engine. One of the innovations in this paper is the use of a Bayesian network-based inference engine. This inference technique has been studied extensively in the artificial intelligence community, and its application in the computer security domain is long overdue. In addition to the Bayesian engine, the authors use a graph-based inference engine to infer an attack from a series of steps detected by the system. This series of steps is supplied by the system administrator in a rule-base format. The authors point out earlier in the paper that such a rule-based system can only detect attacks that are already known. The authors state that their future goals include setting up rule objects for different attacks in an automated way.
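To make the fusion idea concrete, the following is an added illustration (not code from the paper) of how a Bayesian inference engine can combine alerts from network, application and kernel level detectors into one posterior probability of attack. The prior and the per-detector detection and false-positive rates are constructed values, and the detectors are assumed conditionally independent given the attack state, a naive Bayes simplification of the paper's network.

```python
# Added illustration: naive Bayesian fusion of alerts from three detector levels.
# The prior and per-detector rates below are constructed, not taken from the paper.
from itertools import product

PRIOR_ATTACK = 0.01  # constructed prior probability that the host is under attack

# Constructed (P(alert | attack), P(alert | no attack)) for each detector level.
DETECTORS = {
    "network": (0.80, 0.05),
    "application": (0.70, 0.02),
    "kernel": (0.60, 0.01),
}


def posterior_attack(alerts, prior=PRIOR_ATTACK, detectors=DETECTORS):
    """Return P(attack | alert vector).

    `alerts` maps detector name -> True if that detector raised an alert.
    Detectors are assumed conditionally independent given the attack state,
    so the joint likelihood is a product of per-detector terms (naive Bayes).
    """
    like_attack, like_clean = prior, 1.0 - prior
    for name, (tpr, fpr) in detectors.items():
        fired = alerts.get(name, False)
        like_attack *= tpr if fired else 1.0 - tpr
        like_clean *= fpr if fired else 1.0 - fpr
    return like_attack / (like_attack + like_clean)


def alarm_combinations(threshold=0.5, detectors=DETECTORS):
    """Enumerate every alert vector and return the set of detector combinations
    whose posterior exceeds `threshold`, i.e. those the engine would report."""
    names = list(detectors)
    reported = set()
    for fired in product([False, True], repeat=len(names)):
        alerts = dict(zip(names, fired))
        if posterior_attack(alerts, detectors=detectors) > threshold:
            reported.add(frozenset(n for n, f in alerts.items() if f))
    return reported


if __name__ == "__main__":
    all_three = {"network": True, "application": True, "kernel": True}
    print(f"all three fired: {posterior_attack(all_three):.4f}")
    print(f"network only:    {posterior_attack({'network': True}):.4f}")
    for combo in sorted(alarm_combinations(), key=len):
        print("reported:", sorted(combo))
```

With these constructed rates no single level's alert crosses the 0.5 threshold, while any two corroborating levels do, which is the false-positive reduction the paper attributes to combining signals across levels.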


Pros:

  1. The system has been implemented and can be tested
  2. Innovations include the integration of different IDSs into one system
  3. Off-the-shelf products can be part of the system, improving potential deployment
  4. Use of artificial intelligence techniques, Bayesian networks, in a security context


Cons:

  1. Response is limited to terminating connections
  2. The manager is a single point of failure
  3. Bad statistics for false positives and false negatives
  4. No comparison to other IDSs
  5. The system is limited by the detectors' limitations
  6. The inference engine's workload can become a performance bottleneck
  7. Difficulty in coming up with new rules


Votes:

Strong Accept - 1

Accept - 7

Reject - 3

Strong Reject - 0