
Title

Real time distributed detection of network attacks

Author

Komninos Theodoros, Spirakis Paul, Tsaknakis Haralampos

Citation

Vol. 6, No. 7, pp. 1-10

Abstract

In this work, we provide a formal model of open systems under a global attack and of distributed intrusion detection processes. The types of attacks we consider share the characteristic that upon their initiation, and while they are in progress, they produce sufficient network traffic (e.g. port scanning) so that local detectors can find sufficient evidence of the attack and report it. We call such attacks bursty. We also postulate properties of local detectors that allow the construction of a fast-responding global detector. The global detector works on two levels and is able to suitably combine local and, possibly, inconclusive information glimpses of a suspected ongoing attack in order to decide whether an attack is actually in progress or not, accompanying this decision with a confidence level value. Our overall scheme reduces the error probability exponentially fast to zero as a function of the number of (concurrent and almost simultaneously obtained, in a distributed fashion) local reports, with the only requirement being that a small fraction of them reflect the true attack status (i.e. attack or no attack). We also provide a methodology for implementing consistent local detectors, which were validated using experimental traffic data. The theoretical models for intrusion and intrusion detection described in our paper have been implemented in a distributed intrusion detection system that is currently operating in a real network.

Keywords

Distributed Intrusion Detection, Network Attacks, Alert Correlation, Hypothesis Testing

URL

http://paper.ijcsns.org/07_book/200607/200607B01.pdf