Collaborative intrusion detection system (CIDS): a framework for accurate and efficient IDS


Bibliographic details
Main authors: Yu-Sung Wu, Foo, B., Mei, Y., Bagchi, S.
Format: Conference proceeding
Language: eng
Pages: 234-244
Abstract: We present the design and implementation of a collaborative intrusion detection system (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers - network, kernel and application - and a manager-based framework for aggregating the alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can increase the accuracy of detection compared to individual detectors, without a substantial degradation in performance. In order to validate the premise, we present the design and implementation of a CIDS which employs Snort, Libsafe, and a new kernel-level IDS called Sysmon. The manager has a graph-based and a Bayesian-network-based aggregation method for combining the alarms to finally come up with a decision about the intrusion. The system is evaluated using a Web-based electronic store front application and under three different classes of attacks - buffer overflow, flooding and script-based attacks. The results show performance degradations compared to no detection of 3.9% and 6.3% under normal workload and a buffer overflow attack respectively. The experiments to evaluate the accuracy of the system show that the normal workload generates false alarms for Snort and the elementary detectors produce missed alarms. CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion which is useful in choosing an appropriate response strategy.
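As an added illustration of the alarm-aggregation idea in the abstract (example code written for this record, not the authors' CIDS implementation): the manager collects, per time window, which of Snort, Libsafe and Sysmon fired, and turns that alarm vector into one combined decision. The paper's manager uses a graph-based and a Bayesian-network-based aggregator; this snippet substitutes a simpler naive-Bayes model (detectors assumed conditionally independent given the hypothesis), and every prior and conditional probability in it is constructed for illustration, not taken from the paper.

```python
"""Alarm aggregation across layered detectors, naive-Bayes style.

Added example; this is not the paper's implementation. The paper's manager
uses a graph-based and a Bayesian-network-based aggregator; the naive-Bayes
model here (detectors conditionally independent given the hypothesis) is a
simplification. Every probability below is CONSTRUCTED for illustration and
is not a number published by the paper.
"""
from math import exp, log

# Hypotheses: no intrusion, or one of the three attack classes the paper evaluates.
HYPOTHESES = ("none", "buffer_overflow", "flooding", "script")

# Prior over hypotheses (constructed): intrusions are rare events.
PRIOR = {"none": 0.97, "buffer_overflow": 0.01, "flooding": 0.01, "script": 0.01}

# P(detector raises an alarm | hypothesis), constructed to mirror the
# qualitative behaviour the abstract reports: Snort fires on some normal
# traffic (false alarms), Libsafe reacts almost only to overflows, Sysmon
# sees the kernel-level effects of overflows and script attacks.
ALARM_PROB = {
    "snort":   {"none": 0.15,  "buffer_overflow": 0.70, "flooding": 0.95,  "script": 0.60},
    "libsafe": {"none": 0.001, "buffer_overflow": 0.85, "flooding": 0.001, "script": 0.01},
    "sysmon":  {"none": 0.02,  "buffer_overflow": 0.80, "flooding": 0.30,  "script": 0.75},
}


def posterior(alarms):
    """Posterior P(hypothesis | alarm vector).

    `alarms` maps detector name -> True if it fired in the window, False if it
    stayed silent. Silence is evidence too: a missing Libsafe alarm argues
    against a buffer overflow just as a Libsafe alarm argues for one.
    Scores are accumulated in log space to avoid underflow.
    """
    log_scores = {}
    for h in HYPOTHESES:
        s = log(PRIOR[h])
        for det, fired in alarms.items():
            p = ALARM_PROB[det][h]
            s += log(p) if fired else log(1.0 - p)
        log_scores[h] = s
    m = max(log_scores.values())
    unnorm = {h: exp(s - m) for h, s in log_scores.items()}
    z = sum(unnorm.values())
    return {h: v / z for h, v in unnorm.items()}


def decide(alarms, threshold=0.5):
    """Combined alarm: ('none', p) if P(intrusion) < threshold, otherwise the
    most probable attack class together with P(intrusion)."""
    post = posterior(alarms)
    p_intrusion = 1.0 - post["none"]
    if p_intrusion < threshold:
        return "none", p_intrusion
    best = max((h for h in HYPOTHESES if h != "none"), key=lambda h: post[h])
    return best, p_intrusion


if __name__ == "__main__":
    # Constructed alarm vectors for three observation windows.
    windows = {
        "normal workload, only Snort fires": {"snort": True, "libsafe": False, "sysmon": False},
        "overflow, Snort + Sysmon fire, Libsafe misses": {"snort": True, "libsafe": False, "sysmon": True},
        "overflow, all three fire": {"snort": True, "libsafe": True, "sysmon": True},
    }
    for name, alarms in windows.items():
        label, p = decide(alarms)
        print(f"{name:48s} -> {label:16s} P(intrusion)={p:.3f}")
```

With these constructed numbers the lone Snort alarm under normal workload stays below threshold (the false alarm is suppressed, which is the behaviour the abstract claims for CIDS), while a window in which both Snort and Sysmon fire crosses the threshold even though Libsafe missed the overflow. The silent Libsafe does pull the class posterior away from "buffer_overflow", so the combined alarm is confident there is an intrusion but not about which kind; that is the trade-off an operator should expect when an elementary detector misses.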
DOI: 10.1109/CSAC.2003.1254328
ISBN: 9780769520414; 0769520413
Published in: 19th Annual Computer Security Applications Conference, 2003. Proceedings, 2003, pp. 234-244
Record ID: cdi_ieee_primary_1254328
Source: IEEE Electronic Library (IEL) Conference Proceedings
Full text: https://ieeexplore.ieee.org/document/1254328
Subjects: Aggregates; Application software; Bayesian methods; Buffer overflow; Collaboration; Degradation; Detectors; Distributed computing; Intrusion detection; Kernel