Securing Collaborative Intrusion Detection Systems
November/December 2011 (vol. 9 no. 6)
pp. 36-42
Steven Cheung, SRI International
One threat to collaborative intrusion detection systems (CIDSs) is statistic-poisoning attacks. In these attacks, adversaries inject incorrect security sensor reports into the system's repository to corrupt the published attack statistics. A novel, robust approach to computing the attack statistics published by CIDSs can help counter this threat. This approach is based on contributor-level aggregation and preferential voting. In experiments, this approach effectively detected large-scale attacks and was more resistant to statistic poisoning than the basic approach.
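As an added illustration (not code from the paper), the following contrasts the basic approach of counting raw reports with contributor-level aggregation followed by preferential voting, on constructed sensor reports. The Borda count used for the voting stage, the port numbers and the contributor names are assumptions made for this example, not the paper's own method or data.

```python
from collections import Counter, defaultdict

# Constructed sensor reports as (contributor_id, destination_port).
# Ten honest contributors each see a scan of port 445 plus some noise;
# one contributor ("poisoner") floods the repository with reports on 31337.
HONEST = [(f"c{i}", 445) for i in range(10) for _ in range(3)] + \
         [(f"c{i}", 22) for i in range(10) for _ in range(2)] + \
         [("c0", 80), ("c1", 80), ("c2", 8080)]
POISON = [("poisoner", 31337)] * 500
REPORTS = HONEST + POISON


def basic_top_ports(reports, k=3):
    """Basic approach: rank ports by raw report count across all contributors.
    A single contributor's report volume directly shifts the statistic."""
    counts = Counter(port for _, port in reports)
    return [port for port, _ in counts.most_common(k)]


def contributor_ballots(reports, k=3):
    """Contributor-level aggregation: collapse each contributor's reports into
    one ranked ballot (its top-k ports by its own counts), so volume from one
    contributor cannot outweigh the others."""
    per_contributor = defaultdict(Counter)
    for cid, port in reports:
        per_contributor[cid][port] += 1
    return {cid: [p for p, _ in c.most_common(k)]
            for cid, c in per_contributor.items()}


def borda_top_ports(ballots, k=3):
    """Preferential voting over the ballots. Borda count is assumed here as a
    simple stand-in: rank r (0-based) on a length-k ballot earns k - r points."""
    scores = Counter()
    for ballot in ballots.values():
        for rank, port in enumerate(ballot):
            scores[port] += k - rank
    return [port for port, _ in scores.most_common(k)]


if __name__ == "__main__":
    print("basic approach:     ", basic_top_ports(REPORTS))
    print("contributor + voting:", borda_top_ports(contributor_ballots(REPORTS)))
```

With the constructed data the basic count places the poisoned port 31337 first, while the contributor-level approach reports 445 and 22 first because the poisoner's 500 reports collapse into a single ballot. The resistance gained this way depends on contributor identities being authenticated and not cheaply multiplied, which is why it should be paired with contributor admission controls.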

Index Terms:
intrusion detection, alert correlation, attack tolerance, preferential voting, network security, computer security, cybersecurity, collaborative intrusion detection systems
Steven Cheung, "Securing Collaborative Intrusion Detection Systems," IEEE Security & Privacy, vol. 9, no. 6, pp. 36-42, Nov.-Dec. 2011, doi:10.1109/MSP.2011.97