Abstract
The complexity of modern network architectures and the epidemic diffusion of malware require collaborative approaches for defense. We present a novel distributed system where each component collaborates to the intrusion and malware detection and to the dissemination of the local analyses. The proposed architecture is based on a decentralized, peer-to-peer and sensor-agnostic design that addresses dependability and load unbalance issues affecting existing systems based on centralized and hierarchical schemes. Load balancing properties, ability to tolerate churn, self-organization capabilities and scalability are demonstrated through a prototype integrating different open source defensive software.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Colajanni, M., Gozzi, D., Marchetti, M.: Collaborative architecture for malware detection and analysis. In: Proc. of the 23rd International Information Security Conference, Milano, Italy (September 2008)
Druschel, P., Rowstron, A.: Past: A large-scale, persistent peer-to-peer storage utility. In: 8th Workshop on Hot Topics in Operating Systems, Schoss Elmau,Germany (May 2001)
Malan, D.J., Smith, M.D.: Host-based detection of worms through peer-to-peer cooperation. In: Proc. of the 2005 ACM Workshop on Rapid Malcode, Fairfax, VA, USA (November 2005)
Dumitrescu, C.L.: Intctd: A peer-to-peer approach for intrusion detection. In: Proc. of the 6th IEEE International Symposium on Cluster Computing and the Grid, SMU Campus, Singapore (May 2006)
Zhou, C.V., Karunasekera, S., Leckie, C.: A peer-to-peer collaborative intrusion detection system. In: Proc. of the 13th IEEE International Conference on Networks, Kuala Lumpur, Malaysia (November 2005)
Yegneswaran, V., Barford, P., Jha, S.: Global intrusion detection in the domino overlay system. In: Proc. of the ISOC Symposium on Network and Distributed Systems Security (February 2004)
Janakiraman, R., Waldvogel, M., Zhang, Q.: Indra: A peer-to-peer approach to network intrusion detection and prevention. In: Proc. of the 12th IEEE International Workshops on Enabling Technologies, Linz, Austria (June 2003)
Stoica, I., Morris, R., Karger, D., Kaashoek, F., Balakrishnan, H.: Chord: A scalable peer-to-peer lookup service for internet application. In: Proc. of the ACM SIGCOMM 2001, San Diego, CA, USA (August 2001)
Locasto, M.E., Parekh, J.J., Keromytis, A.D., Stolfo, S.J.: Towards collaborative security and p2p intrusion detection. In: Proc. of the IEEE Information Assurance Workshop, Maryland, USA (June 2005)
Rowstron, A., Kermarrec, A., Castro, M., Druschel, P.: Scribe: The design of a large-scale event notification infrastructure. In: Proc. of the 3rd International Workshop on Networked Group Communication, UCL, London, UK (November 2001)
Snort Homepage: Snort - the de facto standard for intrusion detection/prevention, http://www.snort.org
Nepenthes Homepage: Nepenthes - finest collection, http://nepenthes.mwcollect.org
Prelude IDS Homepage: Prelude, http://www.prelude-ids.com/en/welcome/index.html
IETF Intrusion Detection Working Group: Idmef standard described in rfc4765, http://www.ietf.org/rfc/rfc4765.txt
MySQLAB: Mysql, http://www.mysql.com
Rowstron, A., Druschel, P.: Pastry: Scalable, decentralized object location, and routing for large-scale peer-to-peer systems. In: Guerraoui, R. (ed.) Middleware 2001. LNCS, vol. 2218, p. 329. Springer, Heidelberg (2001)
Castro, M., Druschel, P., Kermarrec, A.M., Rowstron, A.: One ring to rule them all: Service discovery and binding in structured peer-to-peer overlay networks. In: Proc. of the 10th SIGOPS European Workshop, Saint-milion, France (September 2002)
Castro, M., Druschel, P., Hu, Y.C., Rowstron, A.: Exploiting network proximity in distributed hash tables. In: Proc. of the International Workshop on Future Directions in Distributed Computing, Bertinoro, Italy (June 2002)
Castro, M., Druschel, P., Ganesh, A., Rowstron, A., Wallach, D.S.: Security for structured peer-to-peer overlay networks. In: Proc. of the 5th Symposium on Operating Systems Design and Implementaion, Boston, MA, USA (December 2002)
Mahajan, R., Castro, M., Rowstron, A.: Controlling the cost of reliability in peer-to-peer overlays. In: Proc. of the 2nd International Workshop on Peer-To-Peer Systems, Berkeley, CA, USA (February 2003)
Rowstron, A., Druschel, P.: Storage management and caching in past, a large-scale, persistent peer-to-peer storage utility. In: Proc. of the 18th ACM Symposium on Operating Systems Principles, Chateau Lake Louise, Banff, Canadav (May 2001)
Castro, M., Jones, M.B., Kermarrec, A., Rowstron, A., Theimer, M., Wang, H., Wolman, A.: An evaluation of scalable application-level multicast built using peer-to-peer overlays. In: Proc. of the Infocom 2003, San Francisco, CA, USA (April 2003)
W3C: Extensible markup language (xml), http://www.w3.org/XML/
Sun: The java database connectivity (jdbc), http://java.sun.com/javase/technologies/database/index.jsp
Norman SandBox Homepage: Norman sandbox information center, http://sandbox.norman.com
CWSandbox Homepage: Cwsandbox, behavior-based malware analysis remote sandbox service, http://www.cwsandbox.org
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Marchetti, M., Messori, M., Colajanni, M. (2009). Peer-to-Peer Architecture for Collaborative Intrusion and Malware Detection on a Large Scale. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_37
Download citation
DOI: https://doi.org/10.1007/978-3-642-04474-8_37
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8
eBook Packages: Computer ScienceComputer Science (R0)