Towards scalable and robust distributed intrusion alert fusion with good load balancing

Zhichun Li*, Yan Chen, Aaron Beach

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

54 Scopus citations

Abstract

Traffic anomalies and distributed attacks are commonplace in today's networks. Single-point detection is often insufficient to determine the causes, patterns and prevalence of such events. Most existing distributed intrusion detection systems (DIDS) rely on centralized fusion, or on distributed fusion with unscalable communication mechanisms. In this paper, we propose to build a DIDS on the emerging decentralized location and routing infrastructure: the distributed hash table (DHT). We embed the intrusion symptoms into the DHT dimensions so that alarms related to the same intrusion (and thus with similar symptoms) are routed to the same sensor fusion center (SFC), while unrelated alarms are distributed evenly across different SFCs. This is achieved through careful routing key design based on: 1) analysis of the essential characteristics of four common types of intrusions: DoS attacks, port scanning, virus/worm infection and botnets; and 2) distribution and stability analysis of the popular port numbers and of the popular source IP subnets seen in scans. We further propose several schemes to distribute the alarms more evenly across the SFCs and to improve resiliency against failures or attacks. Evaluation based on one month of DShield firewall logs (600 million scan records) collected from over 2200 worldwide providers shows that the resulting system, termed Cyber Disease DHT (CDDHT), can effectively fuse related alarms while distributing unrelated ones evenly among the SFCs. It significantly outperforms the traditional hierarchical approach when facing large amounts of diverse intrusion alerts.
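The abstract's central idea, a routing key that carries the intrusion symptom so that a DHT delivers related alarms to one SFC, can be illustrated with a small simulation. The following is an added example written for this page; it is not the CDDHT code and does not reproduce the paper's actual key design. The alarm records, the eight SFC node names, the Chord-style successor lookup, the per-type key rules (destination port for scans and worm traffic, victim address for DoS, C&C endpoint for botnets) and the hot-port splitting scheme are all assumptions made here to demonstrate the mechanism and the load-balancing trade-off.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample alarms (not taken from the paper's DShield data).
# Each record is what a sensor would report after seeing a suspicious flow.
ALARMS = [
    {"type": "scan", "src": "10.0.1.5", "dst": "192.0.2.10", "dst_port": 445},
    {"type": "scan", "src": "10.7.3.9", "dst": "192.0.2.11", "dst_port": 445},
    {"type": "scan", "src": "172.16.8.2", "dst": "192.0.2.12", "dst_port": 445},
    {"type": "scan", "src": "10.0.1.5", "dst": "192.0.2.10", "dst_port": 3306},
    {"type": "worm", "src": "192.168.4.4", "dst": "192.0.2.20", "dst_port": 445},
    {"type": "dos", "src": "198.51.100.7", "dst": "203.0.113.5", "dst_port": 80},
    {"type": "dos", "src": "198.51.100.8", "dst": "203.0.113.5", "dst_port": 80},
    {"type": "botnet", "src": "10.9.9.9", "dst": "203.0.113.99", "dst_port": 6667},
]

SFC_NODES = [f"sfc-{i}" for i in range(8)]  # hypothetical fusion centres
RING_BITS = 32


def ring_position(key: str) -> int:
    """Map an arbitrary string onto the DHT identifier ring."""
    digest = hashlib.sha1(key.encode()).hexdigest()
    return int(digest, 16) % (1 << RING_BITS)


def build_ring(nodes):
    """Chord-style ring: sorted (position, node) pairs."""
    return sorted((ring_position(n), n) for n in nodes)


def lookup(ring, key: str) -> str:
    """Successor lookup: the first node at or after the key's position owns it."""
    pos = ring_position(key)
    for node_pos, node in ring:
        if node_pos >= pos:
            return node
    return ring[0][1]  # wrap around the ring


def routing_key(alarm, hot_ports=frozenset(), split=4) -> str:
    """Derive the fusion key from the symptom that related alarms share.

    Scans and worm propagation are grouped by destination port, DoS by victim
    address, botnet traffic by C&C endpoint. This is a simplified stand-in for
    the paper's key design, chosen only for illustration.
    """
    kind = alarm["type"]
    if kind in ("scan", "worm"):
        key = f"port:{alarm['dst_port']}"
        if alarm["dst_port"] in hot_ports:
            # Load balancing: a very popular port would overload one SFC, so
            # spread it over `split` sub-keys by the source /16 while keeping
            # all alarms from the same subnet together at one SFC.
            subnet = ".".join(alarm["src"].split(".")[:2])
            key += f"/sub:{ring_position(subnet) % split}"
        return key
    if kind == "dos":
        return f"victim:{alarm['dst']}"
    if kind == "botnet":
        return f"c2:{alarm['dst']}:{alarm['dst_port']}"
    raise ValueError(f"unknown alarm type {kind!r}")


def fuse(alarms, ring, hot_ports=frozenset()):
    """Route every alarm to its SFC; returns {sfc: Counter(routing_key)}."""
    buckets = defaultdict(Counter)
    for alarm in alarms:
        key = routing_key(alarm, hot_ports)
        buckets[lookup(ring, key)][key] += 1
    return dict(buckets)


def max_load_ratio(buckets, nodes=SFC_NODES) -> float:
    """Peak SFC load relative to the ideal even share (1.0 is perfectly balanced)."""
    loads = [sum(buckets.get(n, Counter()).values()) for n in nodes]
    return max(loads) / (sum(loads) / len(nodes))


if __name__ == "__main__":
    ring = build_ring(SFC_NODES)
    plain = fuse(ALARMS, ring)
    for sfc, keys in sorted(plain.items()):
        print(sfc, dict(keys))
    print("max load ratio:", round(max_load_ratio(plain), 2))
    # Treating port 445 as a hot key trades some fusion locality for balance.
    print("with hot-port split:", round(max_load_ratio(fuse(ALARMS, ring, {445})), 2))
```

Running the block shows the four port-445 alarms from three different sensors arriving at a single SFC under one key, where their prevalence can be counted, while the DoS and botnet alarms land elsewhere. Marking 445 as hot splits that key by source /16, which is the kind of trade-off the abstract's load-balancing schemes address: the hot symptom no longer concentrates on one node, but an SFC then sees only the part of the scan coming from its subnets.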

Original language: English (US)
Title of host publication: Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06
Pages: 115-122
Number of pages: 8
DOIs: https://doi.org/10.1145/1162666.1162669
State: Published - 2006
Event: ACM SIGCOMM 2006 - Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication - Pisa, Italy
Duration: Sep 11 2006 - Sep 15 2006

Publication series

Name: Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06
Volume: 2006

Other

Other: ACM SIGCOMM 2006 - Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Country: Italy
City: Pisa
Period: 9/11/06 - 9/15/06

Keywords

  • Alert fusion
  • Distributed hash tables
  • Distributed intrusion detection systems
  • Load balancing
  • Scalability

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture


Cite this

Li, Z., Chen, Y., & Beach, A. (2006). Towards scalable and robust distributed intrusion alert fusion with good load balancing. In Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06 (pp. 115-122). (Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06; Vol. 2006). https://doi.org/10.1145/1162666.1162669