Computer systems continue to be breached despite substantial investments in defense mechanisms to stop attacks from propagating. The accuracy of current intrusion detection systems (IDSes) is hindered by the limited capability of regular expressions (REs) to express the exact vulnerability. Recent advances have proposed vulnerability-based IDSes that parse traffic and retrieve protocol semantics to describe the vulnerability. Such a description of attacks is analogous to subscriptions that specify events of interest in event processing systems. However, the matching engine of state-of-the-art IDSes lacks efficient matching algorithms that can process many signatures simultaneously. In this work, we place event processing in the core of the IDS and propose novel algorithms to efficiently match vulnerability signatures. Also, we are among the first to detect complex attacks such as the Conficker worm, which requires correlating multiple protocol data units (MPDUs) while maintaining a small memory footprint. Finally, we show that our algorithms are resilient to attacks through extensive testing of the IDS under different workloads. Our approach incurs negligible overhead when processing clean traffic and is faster than existing systems.
Intrusion detection systems help improve the security of networks by providing early warning and response. To improve the detection of attacks, sharing data among distributed nodes or terminals and collaborating on a decision is key. This paper presents a Distributed and Collaborative Intrusion Detection (DaCID) system that relies on Dempster-Shafer theory of evidence for fusing data from multiple nodes. In this approach the detection is done collaboratively and the decision is distributed among all nodes. DaCID is more robust than other systems since it is completely distributed and the decision is made autonomously at each node. Simulation results demonstrated that DaCID's performance approaches that of a centralized method.
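The evidence fusion the DaCID abstract relies on is Dempster's rule of combination; the following is an added illustration, not code from the DaCID paper, showing how one node would fuse the mass assignments received from its peers over the two-hypothesis frame {attack, normal} and reach a local decision. The mass values, the frame, and the `decide` threshold are constructed assumptions; the abstract gives none of them.

```python
from itertools import product
from typing import Dict, FrozenSet, Iterable, List

# Frame of discernment for one alert: the observed activity is an attack or normal.
Hypothesis = FrozenSet[str]
MassFunction = Dict[Hypothesis, float]
ATTACK: Hypothesis = frozenset({"attack"})
NORMAL: Hypothesis = frozenset({"normal"})
THETA: Hypothesis = ATTACK | NORMAL  # whole frame: "this node cannot tell"

def combine(m1: MassFunction, m2: MassFunction) -> MassFunction:
    """Dempster's rule: m(A) = sum_{B&C=A} m1(B)m2(C) / (1 - K), K = conflicting mass."""
    fused: MassFunction = {}
    conflict = 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        a = b & c
        if a:
            fused[a] = fused.get(a, 0.0) + mb * mc
        else:
            conflict += mb * mc  # B and C disjoint: the two reports contradict
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: the reports cannot be combined")
    return {a: w / (1.0 - conflict) for a, w in fused.items()}

def fuse(reports: Iterable[MassFunction]) -> MassFunction:
    """Fold the rule over all reports. The rule is commutative and associative,
    so every node computes the same result regardless of message arrival order."""
    it = iter(reports)
    acc = dict(next(it))
    for m in it:
        acc = combine(acc, m)
    return acc

def belief(m: MassFunction, h: Hypothesis) -> float:
    return sum(w for a, w in m.items() if a <= h)  # mass committed to subsets of h

def plausibility(m: MassFunction, h: Hypothesis) -> float:
    return sum(w for a, w in m.items() if a & h)   # mass not contradicting h

def decide(m: MassFunction, threshold: float = 0.7) -> str:
    """Assumed local decision rule (not DaCID's): alert when belief in attack clears it."""
    return "attack" if belief(m, ATTACK) >= threshold else "normal"

# Constructed sample: three nodes' mass assignments for the same suspicious flow.
# Nodes 1 and 2 lean towards attack; node 3 mostly abstains and leans normal.
NODE_REPORTS: List[MassFunction] = [
    {ATTACK: 0.6, NORMAL: 0.1, THETA: 0.3},
    {ATTACK: 0.5, NORMAL: 0.2, THETA: 0.3},
    {ATTACK: 0.1, NORMAL: 0.3, THETA: 0.6},
]

if __name__ == "__main__":
    fused = fuse(NODE_REPORTS)
    print({tuple(sorted(a)): round(w, 3) for a, w in fused.items()}, decide(fused))
```

With these inputs the fused belief in "attack" is 5/7 (about 0.714) and its plausibility 0.8, so the abstaining third node lowers but does not overturn the alert; the sum of all fused masses stays 1.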