Collaborative intrusion detection system (CIDS): A framework for accurate and efficient IDS

Yu-Sung Wu, Bingrui Foo, Yongguo Mei, Saurabh Bagchi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

98 Scopus citations

Abstract

We present the design and implementation of a collaborative intrusion detection system (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at different layers (network, kernel and application) and a manager-based framework that aggregates the alarms from the individual detectors into a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can increase detection accuracy compared to the individual detectors, without a substantial degradation in performance. To validate this premise, we present the design and implementation of a CIDS that employs Snort, Libsafe, and a new kernel-level IDS called Sysmon. The manager uses a graph-based and a Bayesian-network-based aggregation method to combine the alarms and reach a final decision about the intrusion. The system is evaluated using a Web-based electronic storefront application under three different classes of attacks: buffer overflow, flooding and script-based attacks. The results show performance degradations, compared to no detection, of 3.9% under normal workload and 6.3% under a buffer overflow attack. The experiments evaluating the accuracy of the system show that the normal workload generates false alarms for Snort and that the elementary detectors produce missed alarms; CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion, which is useful in choosing an appropriate response strategy.

Original language: English
Title of host publication: Proceedings - 19th Annual Computer Security Applications Conference, ACSAC 2003
Publisher: IEEE Computer Society
Pages: 234-244
Number of pages: 11
ISBN (Electronic): 0769520413
State: Published - 1 Jan 2003
Event: 19th Annual Computer Security Applications Conference, ACSAC 2003 - Las Vegas, United States
Duration: 8 Dec 2003 - 12 Dec 2003

Publication series

Name: Proceedings - Annual Computer Security Applications Conference, ACSAC
Volume: 2003-January
ISSN (Print): 1063-9527

Conference

Conference: 19th Annual Computer Security Applications Conference, ACSAC 2003
Country: United States
City: Las Vegas
Period: 8/12/03 - 12/12/03

Keywords

  • Bayesian network based detection
  • Event correlation
  • False alarms
  • Intrusion detection
  • Missed alarms
