Collaborative Attack Detection Using Distributed Hash Tables

Chapter in: Collaborative Financial Infrastructure Protection

Abstract

This chapter describes a distributed architecture for the collaborative detection of cyber attacks and network intrusions, built on distributed hash tables (DHTs). We first give a high-level description of the architecture and its two main functional blocks: the collaboration layer, realized through a DHT, and the complex event processing (CEP) engine that correlates the events exchanged through it. We then describe a working prototype of the architecture, which implements one of the Semantic Rooms of the CoMiFin project. The prototype is built from well-known open source software: the collaboration layer uses Scribe (application-level multicast) and PAST (persistent storage), both built on the Pastry overlay, and Esper serves as the CEP engine. We show how the prototype can be used to build a collaborative architecture for the early detection of real-world attacks against financial institutions, using the detection of Man-in-the-Middle attacks as the case study. Finally, we compare the proposed architecture with traditional centralized and hierarchical intrusion detection solutions, focusing on fault tolerance, scalability, and load balancing.
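The abstract names two functional blocks but does not show how events flow between them. The following Python model is an added example, not code from the chapter or the CoMiFin prototype: it sketches a Scribe-style topic rendezvous on a Pastry-like 128-bit id ring and a CEP-style sliding-window rule, run independently by every subscriber, that raises an alert once several institutions report the same indicator within a time window. The event schema (a suspected Man-in-the-Middle proxy address reported by an institution), the topic name, the thresholds and the sample events are constructed assumptions for illustration and are not taken from the chapter.

```python
"""Toy model of collaborative detection over a DHT (added example, not the chapter's
code).  Block 1: Scribe-style topic rendezvous on a Pastry-like id ring.  Block 2: a
CEP-style sliding-window correlation rule run by every subscriber, so no single node
holds the detection state.  Event schema, thresholds and sample events are constructed."""
import hashlib
from collections import defaultdict, deque

RING_BITS = 128  # Pastry nodeIds / Scribe topicIds live in a 128-bit id space


def ring_id(name: str) -> int:
    """Map a node address or topic name into the id space (assumption: SHA-1, truncated)."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest()[:RING_BITS // 8], "big")


def rendezvous_node(topic: str, node_ids):
    """Scribe rendezvous point: the live node whose id is numerically closest to the topicId."""
    tid = ring_id(topic)
    return min(node_ids, key=lambda nid: abs(nid - tid))


class Correlator:
    """Sliding-window rule in the spirit of a CEP engine: alert the first time at least
    `min_reporters` distinct institutions report the same indicator within `window`
    seconds.  Repeated reports from one institution count once."""

    def __init__(self, window, min_reporters):
        self.window = window
        self.min_reporters = min_reporters
        self.reports = defaultdict(deque)  # indicator -> deque of (ts, institution)
        self.alerted = {}                  # indicator -> reporters at alert time

    def on_event(self, ts, institution, indicator):
        q = self.reports[indicator]
        q.append((ts, institution))
        while ts - q[0][0] > self.window:  # evict reports older than the window
            q.popleft()
        reporters = tuple(sorted({inst for _, inst in q}))
        if len(reporters) >= self.min_reporters and indicator not in self.alerted:
            self.alerted[indicator] = reporters
            return (indicator, reporters)
        return None


class Overlay:
    """Toy Scribe topic: an event is routed to the rendezvous node, which multicasts it to
    all subscribers; each subscriber feeds its own Correlator, so every member reaches the
    same verdict without a central analyser."""

    def __init__(self, members, window, min_reporters):
        self.ids = {ring_id(m): m for m in members}
        self.correlators = {m: Correlator(window, min_reporters) for m in members}
        self.subscribers = defaultdict(set)

    def subscribe(self, member, topic):
        self.subscribers[topic].add(member)

    def publish(self, topic, ts, institution, indicator):
        root = self.ids[rendezvous_node(topic, self.ids)]  # where the topic tree is rooted
        alerts = {}
        for m in sorted(self.subscribers[topic]):
            a = self.correlators[m].on_event(ts, institution, indicator)
            if a:
                alerts[m] = a
        return root, alerts


TOPIC = "comifin/mitm/suspected-proxy"  # constructed topic name

# Constructed events: (t in seconds, reporting institution, suspected MitM proxy address)
SAMPLE_EVENTS = [
    (0, "BankA", "198.51.100.7"),
    (5, "BankA", "198.51.100.7"),    # same institution again: still one reporter
    (30, "BankB", "198.51.100.7"),
    (40, "BankC", "198.51.100.7"),   # third distinct reporter -> alert at every member
    (50, "BankA", "203.0.113.9"),
    (500, "BankB", "203.0.113.9"),   # BankA's report has left the 300 s window
]


def run_demo(window=300, min_reporters=3):
    """Return [(member, alert), ...] produced by all subscribers over SAMPLE_EVENTS."""
    members = ["BankA", "BankB", "BankC", "BankD"]
    ov = Overlay(members, window, min_reporters)
    for m in members:
        ov.subscribe(m, TOPIC)
    fired = []
    for ts, inst, ind in SAMPLE_EVENTS:
        _root, alerts = ov.publish(TOPIC, ts, inst, ind)
        fired.extend(alerts.items())
    return fired


if __name__ == "__main__":
    for member, alert in run_demo():
        print(f"{member}: alert on {alert[0]} reported by {', '.join(alert[1])}")
```

The point of the model is the one the abstract makes about centralized designs: the rendezvous node only roots the multicast tree, while every subscriber runs the correlation rule over the same stream, so losing the root (or any member) does not lose the detection state, and a single institution's repeated reports never reach the threshold on their own.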


References

  1. Esper: Event Processing for Java. http://www.espertech.com/products/esper.php

  2. Colajanni, M., Gozzi, D., Marchetti, M.: Collaborative architecture for malware detection and analysis. In: Proc. of the 23rd International Information Security Conference (SEC 2008), Milan, Italy, Sep. 2008

  3. Rowstron, A., Druschel, P.: Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems. In: Proc. of the IFIP/ACM International Conference on Distributed Systems Platforms (Middleware 2001), Heidelberg, Germany, Nov. 2001

  4. Druschel, P., Rowstron, A.: PAST: A large-scale, persistent peer-to-peer storage utility. In: Proc. of the 8th Workshop on Hot Topics in Operating Systems (HotOS VIII), Schloss Elmau, Germany, May 2001

  5. Rowstron, A., Druschel, P.: Storage management and caching in PAST, a large-scale, persistent peer-to-peer storage utility. In: Proc. of the 18th ACM Symposium on Operating Systems Principles (SOSP 2001), Banff, Canada, Oct. 2001

  6. Rowstron, A., Kermarrec, A.-M., Castro, M., Druschel, P.: SCRIBE: The design of a large-scale event notification infrastructure. In: Proc. of the 3rd International Workshop on Networked Group Communication (NGC 2001), London, UK, Nov. 2001

  7. Castro, M., Jones, M.B., Kermarrec, A.-M., Rowstron, A., Theimer, M., Wang, H., Wolman, A.: An evaluation of scalable application-level multicast built using peer-to-peer overlays. In: Proc. of IEEE INFOCOM 2003, San Francisco, CA, USA, Apr. 2003

  8. FreePastry library. http://www.freepastry.org/FreePastry/

  9. Snapp, S.R., Brentano, J., Dias, G.V., Goan, T.L., Grance, T., Heberlein, L.T., Ho, C.-L., Levitt, K.N., Mukherjee, B., Mansur, D.L., Pon, K.L., Smaha, S.E.: A system for distributed intrusion detection. In: Compcon Spring '91, Digest of Papers, 36th IEEE Computer Society International Conference, San Francisco, CA, USA, Feb. 1991

  10. Snapp, S.R., Brentano, J., Dias, G.V., Goan, T.L., Heberlein, L.T., Ho, C.-L., Levitt, K.N., Mukherjee, B., Smaha, S.E., Grance, T., Teal, D.M., Mansur, D.: DIDS (distributed intrusion detection system): Motivation, architecture, and an early prototype. In: Internet Besieged: Countering Cyberspace Scofflaws, pp. 211–227. ACM Press/Addison-Wesley, New York (1998). ISBN 0-201-30820-7

  11. Kemmerer, R.A.: NSTAT: A model-based real-time network intrusion detection system. Tech. report, University of California at Santa Barbara, Santa Barbara, CA, USA (1998)

  12. Ilgun, K., Kemmerer, R.A., Porras, P.A.: State transition analysis: A rule-based intrusion detection approach. IEEE Transactions on Software Engineering 21(3) (1995)

  13. Bass, T.: Multisensor data fusion for next generation distributed intrusion detection systems. In: Proc. of the 1999 IRIS National Symposium on Sensor and Data Fusion (NSSDF), Laurel, MD, USA, May 1999

  14. Bass, T.: Intrusion detection systems and multisensor data fusion. Communications of the ACM 43(4) (2000)

  15. Zhang, Y.-F., Xiong, Z.-Y., Wang, X.-Q.: Distributed intrusion detection based on clustering. In: Proc. of the 2005 International Conference on Machine Learning and Cybernetics, Guangzhou, China, Aug. 2005

  16. Wu, Y.-S., Foo, B., Mei, Y., Bagchi, S.: Collaborative intrusion detection system (CIDS): A framework for accurate and efficient IDS. In: Proc. of the 19th Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, USA, Dec. 2003

  17. Wang, Y., Yang, H., Wang, X., Zhang, R.: Distributed intrusion detection system based on data fusion method. In: Proc. of the 5th World Congress on Intelligent Control and Automation (WCICA 2004), Hangzhou, China, Jun. 2004

  18. Sourcefire, Sourcefire Defense Center. http://www.sourcefire.com/products/3D/defense_center

  19. Top Layer Security, SecureCommand IPS Centralized Management Solution. http://www.toplayer.com/content/products/intrusion_detection/index.jsp

  20. Datamation, Dragon IDS/IPS: Distributed IDS/IPS Platform with Multiple Detection Methods. http://products.datamation.com/security/id/1192208840.html

  21. Qbik, NetPatrol. http://www.wingate.com/products/netpatrol/features.php?fid=68

  22. Prelude IDS Technologies, Prelude IDS homepage. http://www.prelude-ids.org/

  23. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS: A graph-based intrusion detection system for large networks. In: Proc. of the 19th National Information Systems Security Conference, Baltimore, MD, USA, Oct. 1996

  24. Ragsdale, D., Carver, C., Humphries, J., Pooch, U.: Adaptation techniques for intrusion detection and intrusion response systems. In: Proc. of the IEEE International Conference on Systems, Man, and Cybernetics (SMC 2000), Nashville, TN, USA, Oct. 2000

  25. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Proc. of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), Davis, CA, USA, Oct. 2001

  26. Zhang, Z., Li, J., Manikopoulos, C.N., Jorgenson, J., Ucles, J.: A hierarchical anomaly network intrusion detection system using neural network classification. In: Proc. of the 2001 WSES Conference on Neural Networks and Applications (NNA 2001), Tenerife, Canary Islands, Feb. 2001

  27. Zhang, Z., Li, J., Manikopoulos, C.N., Jorgenson, J., Ucles, J.: HIDE: A hierarchical network intrusion detection system using statistical preprocessing and neural network classification. In: Proc. of the 2001 IEEE Workshop on Information Assurance and Security, West Point, NY, USA, Jun. 2001

  28. Balasubramaniyan, J.S., Garcia-Fernandez, J.O., Isacoff, D., Spafford, E.H., Zamboni, D.: An architecture for intrusion detection using autonomous agents. In: Proc. of the 14th Annual Computer Security Applications Conference (ACSAC 1998), Scottsdale, AZ, USA, Dec. 1998

  29. Eugster, P.T., Felber, P.A., Guerraoui, R., Kermarrec, A.-M.: The many faces of publish/subscribe. ACM Computing Surveys 35(2) (2003)

Author information

Corresponding author: Mirco Marchetti

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this chapter

Esteves Veríssimo, P., Angori, E., Colajanni, M., Marchetti, M., Messori, M. (2012). Collaborative Attack Detection Using Distributed Hash Tables. In: Baldoni, R., Chockler, G. (eds) Collaborative Financial Infrastructure Protection. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20420-3_9

  • DOI: https://doi.org/10.1007/978-3-642-20420-3_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-20419-7

  • Online ISBN: 978-3-642-20420-3

  • eBook Packages: Computer Science (R0)
