Elsevier

Computer Networks

Volume 52, Issue 14, 9 October 2008, Pages 2745-2763
REFACING: An autonomic approach to network security based on multidimensional trustworthiness

https://doi.org/10.1016/j.comnet.2008.04.022

Abstract

Several research efforts have recently focused on achieving effective distributed anomaly detection. As a result, new information fusion algorithms and models have been defined and applied in order to correlate information from multiple intrusion detection sensors distributed inside the network. In this field, an approach which is gaining momentum in the international research community relies on the Dempster–Shafer (D–S) theory. Dempster and Shafer conceived a mathematical theory of evidence based on belief functions and plausible reasoning, which is used to combine separate pieces of information (evidence) into a degree of belief in an event, expressed as belief and plausibility bounds rather than as a single probability.

However, adopting the D–S theory to improve the efficiency of distributed anomaly detection raises some important issues. The most important challenge is to sort the uncertainties in the problem into a priori independent items of evidence, since Dempster's rule assumes the combined sources are independent. We believe that this can be effectively carried out by drawing on some of the principles of autonomic computing in a self-adaptive fashion, i.e. by introducing support for self-management, self-configuration and self-optimization functionality.

In this paper, we tackle some of the above mentioned issues by applying the D–S theory to network information fusion. We do so by proposing a model for a self-management supervising layer that exploits the concept of multidimensional reputation, which we have called REFACING (RElationship–FAmiliarity–Confidence–INteGrity).
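The abstract describes two mechanisms without showing them: Dempster's rule of combination over evidence from several sensors, and a per-sensor trustworthiness that weights how much each sensor's verdict counts (the role REFACING's reputation layer plays in Section 4). The following is an added example, not code from the paper or the RefacingSimulator. It implements Dempster's rule over a two-hypothesis frame {attack, normal} and uses Shafer's standard discounting as a stand-in for a reputation score: a sensor of reliability alpha keeps a fraction alpha of its committed mass and the rest is moved to "don't know". The REFACING layers themselves are not reproduced, and the three sensor verdicts are constructed sample input.

```python
"""Dempster-Shafer fusion of IDS sensor verdicts with per-sensor reliability discounting."""
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

Hypothesis = FrozenSet[str]
Mass = Dict[Hypothesis, float]

# Frame of discernment: the sensors decide between two exhaustive, exclusive states.
ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # mass assigned here is explicit ignorance ("don't know")


def discount(m: Mass, alpha: float) -> Mass:
    """Shafer's discounting: a source of reliability alpha in [0, 1] keeps a fraction
    alpha of every committed mass; the remainder is transferred to THETA.
    Here alpha stands in for a reputation score (an assumption, not the paper's model)."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("reliability must lie in [0, 1]")
    out: Mass = {a: alpha * v for a, v in m.items() if a != THETA and v > 0}
    out[THETA] = 1.0 - alpha + alpha * m.get(THETA, 0.0)
    return out


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule: multiply masses of intersecting focal elements, then renormalise
    by the mass that landed on the empty set (the conflict K)."""
    joint: Mass = {}
    conflict = 0.0
    for (a, va), (b, vb) in product(m1.items(), m2.items()):
        c = a & b
        if not c:
            conflict += va * vb
        else:
            joint[c] = joint.get(c, 0.0) + va * vb
    if conflict >= 1.0 - 1e-12:
        # Two sources fully committed to disjoint hypotheses: the rule is undefined.
        raise ValueError("total conflict between sources; Dempster's rule is undefined")
    scale = 1.0 / (1.0 - conflict)
    return {c: v * scale for c, v in joint.items()}


def belief(m: Mass, a: Hypothesis) -> float:
    """Bel(A): total mass on subsets of A (evidence that definitely supports A)."""
    return sum(v for b, v in m.items() if b <= a)


def plausibility(m: Mass, a: Hypothesis) -> float:
    """Pl(A): total mass on sets intersecting A (evidence that does not rule A out)."""
    return sum(v for b, v in m.items() if b & a)


def fuse(reports: List[Tuple[Mass, float]]) -> Mass:
    """Discount each sensor's mass function by its reliability, then chain Dempster's rule."""
    fused: Mass = {THETA: 1.0}  # vacuous belief: start out knowing nothing
    for m, alpha in reports:
        fused = combine(fused, discount(m, alpha))
    return fused


# Constructed sample verdicts for one suspicious flow (not taken from the paper):
# two well-established sensors flag an attack, a newly joined sensor says "normal".
SENSOR_A: Mass = {ATTACK: 0.8, THETA: 0.2}
SENSOR_B: Mass = {ATTACK: 0.6, THETA: 0.4}
SENSOR_C: Mass = {NORMAL: 0.9, THETA: 0.1}


def scenario(trust_in_c: float) -> Tuple[float, float]:
    """Return (Bel(attack), Bel(normal)) when sensor C is weighted by trust_in_c;
    A and B are treated as reliable (alpha = 0.9) throughout."""
    fused = fuse([(SENSOR_A, 0.9), (SENSOR_B, 0.9), (SENSOR_C, trust_in_c)])
    return belief(fused, ATTACK), belief(fused, NORMAL)


if __name__ == "__main__":
    for trust in (1.0, 0.2):
        bel_attack, bel_normal = scenario(trust)
        print(f"trust(C)={trust:.1f}  Bel(attack)={bel_attack:.3f}  Bel(normal)={bel_normal:.3f}")
```

Running the two scenarios shows the effect the paper is after: with sensor C taken at face value (trust 1.0) its single confident "normal" verdict overturns the two concordant "attack" verdicts, because Dempster's rule renormalises away the conflict; with C discounted to 0.2, most of its mass moves to ignorance and the fused belief in "attack" stays above 0.8. The total-conflict branch in `combine` is the classic failure mode of the rule and is the case a fusion engine must refuse to normalise rather than divide by zero.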

Introduction

As computer attacks become more and more sophisticated, the need for effective intrusion detection methods increases. Current best practices for protecting networks from malicious attacks rely on deploying an infrastructure that includes network intrusion detection systems. However, most such practices suffer from several deficiencies, such as the inability to detect distributed or coordinated attacks and high false alarm rates. Indeed, detecting intrusions is a hard task in any networked environment, since a network naturally lends itself to distributed exploitation of its resources. In such a scenario, identifying a potential attack requires that information be gathered from many different sources and in many different places, since no locality principle (neither spatial nor temporal) can be fruitfully applied in the most general case.

The classical approaches to distributed protection of a network rely on the effective dissemination of probes and classifiers/analyzers across the infrastructure.

We claim that current solutions to the above mentioned issues lack two fundamental features, namely variability and trustworthiness. In our view a network should be capable of protecting itself against attacks by means of an autonomic approach which depends heavily on each node effectively exploiting on-line information coming both from local analysis of traffic and from synthetic information delivered by neighboring nodes. Self-organization demands an uncoordinated capability to appropriately orchestrate the behavior of a number of distributed components. Besides this, the second challenge we identify lies in the need for an agreed-upon means of deciding whether or not information coming from the outside world can be assumed to be reliable.

In this paper, we discuss the main issues related to improving network security by manipulating and combining data coming from multiple sources. In this regard, we start in Section 2 with an analysis of the state of the art in the field of information fusion, with a special focus on distributed intrusion detection. In the same section, we devote particular attention to the Dempster–Shafer approach [1], [2], which is well known in the international research community as the theory of evidence. In Section 3, we introduce the basic principles on which the autonomic communication paradigm rests; this is preparatory to the heart of the paper, whose main contribution comes in the subsequent section. More precisely, in Section 4 we discuss a model for a self-management supervising layer exploiting the concept of multidimensional reputation. A thorough performance evaluation of the proposed model is conducted in Section 5. Section 6 surveys works which have some points in common with our approach, since they exploit the two main features of our solution, namely cooperation and reputation-based information sharing. Conclusions are provided in Section 7.

Section snippets

Detection from multiple sources

As soon as one starts spreading detection components across a network, the issue arises of how to orchestrate their operation appropriately. In fact, information retrieved from a single sensor is usually limited and sometimes offers low accuracy. The use of multiple sensors is a valid way to infer additional information about the environment in which the sensors operate [3], [4], [5], [6], [7], [8]. To this aim, many research efforts have so far been conducted with the

Autonomic communications

In recent years we have witnessed many radical changes in how computer networks are conceived. The on-going convergence of networked infrastructures and services has changed the traditional view of the network from the simple wired interconnection of a few manually administered homogeneous nodes to a complex infrastructure encompassing a multitude of different technologies, heterogeneous nodes, and diverse services. This situation has challenged the research community to

REFACING: dynamically renewing network nodes’ reputation

The model we propose to assess the reputation of network components taking part in the distributed detection process is called REFACING (RElationship–FAmiliarity–Confidence–INteGrity) and is based on a multi-layered approach, as depicted in Fig. 1.

The lowermost layer provides information about the existence of some form of connection among detection components (probes, detection engines, decision engines, etc.). The absence of connection indicates the actual impossibility of carrying out any

Performance evaluation

In this section, we present a performance evaluation of our solution. We show the improvement achieved by our system with respect to previous solutions. The analysis is conducted through an extensive simulation-driven campaign. We developed a simulator, called RefacingSimulator, allowing us to test the performance of the adopted solution in a number of different scenarios.

Related work

In this section, we present a brief survey of existing methodologies and architectures for cooperative network security. All of the mentioned works have some points in common with our approach, since they all exploit in some way the two main features of our solution, namely cooperation and reputation-based information sharing. We also share with the authors of the cited works the idea of defining architectures that are independent of the specific intrusion detection mechanism adopted. By

Conclusions and future work

In this paper, we presented a novel approach to distributed detection of network threats. The core of our contribution resides in having designed a self-management layer exploiting the concept of trustworthiness in order to make the detection process more reliable.

The idea of dynamically tuning the currently estimated level of trust of each peer in the community proves fundamental during the information fusion process, which in our architecture is based on the application of an enhanced version

Acknowledgements

The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under Grant agreement no. 216585 (INTERSECTION Project). It has also been funded by the Italian “Ministero dell’Istruzione, dell’Università e della Ricerca” (MIUR), in the framework of the COSMIC project.

References (20)

  • Jean Gordon, Edward H. Shortliffe, Rule-Based Expert Systems, Chapter The Dempster–Shafer Theory of...
  • Glenn Shafer, A Mathematical Theory of Evidence (1976).
  • Nong Ye, Mingning Xu, Information fusion for intrusion detection, in: Third International Conference on Information...
  • F. Cuppens, A. Miege, Alert correlation in a cooperative intrusion detection framework, in: Proceedings of the IEEE...
  • Julia Allen, Alan Christie, William Fithen, John McHugh, Jed Pickel, Ed Stoner, State of the practice of intrusion...
  • James P. Anderson, Computer security threat monitoring and surveillance, Fort Washington, Pennsylvania, April...
  • Daniel J. Burroughs, Linda F. Wilson, George V. Cybenko, Analysis of distributed intrusion detection systems using...
  • Vincent Berk, Robert Gray, George Bakos, Using sensor networks and data fusion for early detection of active worms, in:...
  • T. Bass, Intrusion detection systems and multisensor data fusion (2000).
  • Ian Ruthven et al., Using Dempster–Shafer’s theory of evidence to combine aspects of information use, J. Int. Inf. Syst. (2002).
Francesco Oliviero received his MS in Telecommunications Engineering and Ph.D. in Computer Engineering from Federico II University of Napoli, Italy, in 2004 and 2007, respectively. Currently, he is a postdoc at the Department of Computer Engineering and Systems at Federico II University of Napoli. He is a member of the COMICS (COMputers for Interaction and CommunicationS) research group led by Prof. Giorgio Ventre. His research interests are in the areas of network security systems and routing protocols for wireless mesh networks. Francesco Oliviero is a member of the IEEE Computer Society.

Lorenzo Peluso is a Ph.D. student in Networking at the Department of Computer Science of the University of Napoli Federico II. He received the M.S. degree in telecommunication engineering from the University of Napoli Federico II in 2001. From 2006 to 2008 he worked at the Fraunhofer FOKUS Institute, Berlin, Germany, in the research group on Autonomic Communication technologies (NET). He was also involved in the ANA FP6 European project. His current research interests include the design of new communication paradigms inspired by Autonomic Networking, as well as infrastructures for distributed network monitoring and security.

Simon Pietro Romano received his degree in Computer Engineering from the University of Napoli “Federico II”, Italy, in 1998. He obtained a Ph.D. degree in Computer Networks in 2001. He is currently an Assistant Professor at the Computer Science Department of the University of Napoli. His research interests primarily fall in the field of networking, with special regard to QoS-enabled multimedia applications, network security and autonomic network management. He is currently involved in a number of research projects whose main objective is the design and implementation of effective solutions for the provisioning of services with quality assurance over Premium IP networks. Simon Pietro Romano is a member of both the IEEE Computer Society and the ACM.
