Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS

Yu-Sung Wu, Bingrui Foo, Yongguo Mei, Saurabh Bagchi
Purdue University

In this paper, we present the design and implementation of a Collaborative Intrusion Detection System (CIDS) for accurate and efficient intrusion detection in a distributed system. CIDS employs multiple specialized detectors at the different layers -- network, kernel and application -- and a manager based framework for aggregating the alarms from the different detectors to provide a combined alarm for an intrusion. The premise is that a carefully designed and configured CIDS can reduce the incidence of false alarms and missed alarms compared to individual detectors, without a substantial degradation in performance. In order to validate the premise, we present the design and implementation of a CIDS which employs Snort, a network level IDS, Libsafe, an application level IDS, and a new kernel level IDS called Sysmon. The system has a manager to which the detectors communicate their alarms using a secure message queue. The manager has a graph-based and a Bayesian network based aggregation method for combining the alarms to finally come up with a decision about the intrusion. The system is evaluated using a web-based electronic store front application and under three different classes of attacks -- buffer overflow, flooding and script-based attacks. The experiments are conducted to measure the performance degradation between the baseline system with no detection and CIDS with the three detectors and the manager. The results show degradations of 3.6% and 6.6% under normal workload and a buffer overflow attack respectively. Experiments are then conducted to explore the cases of false alarms and missed alarms with a normal transaction and 7 different attack cases corresponding to the 3 attack classes. The results show that the normal workload generates false alarms for Snort. Also the experiments produce missed alarms for Snort (3 of 7 cases), Libsafe (6 of 7 cases), and Sysmon -- two configurations (3 of 7 and 4 of 7 cases). CIDS does not flag the false alarm and reduces the incidence of missed alarms to 1 of the 7 cases. CIDS can also be used to measure the propagation time of an intrusion which is useful in choosing an appropriate response strategy. Timing measurements are conducted to illustrate the point.

Keywords: intrusion detection, multiple detectors, electronic commerce workload, simulated attacks, false alarms, missed alarms.