A Framework for the Evaluation of Collaborative Intrusion Detection

AutorDennis Grunewald
QuelleBerlin, Germany 

Since in the last decades IT systems have gained in importance for almost every kind of business, the number of threats these systems are facing increased continuously, too. Hence, companies as well as other institutions like governments or universities need to protect their IT infrastructure against illegitimate access. Hence, intrusion detection systems are utilized for early detection of these attacks. Nowadays, these systems are usually realized in a distributed manner, allowing for better detection accuracy and the ability to detect certain types of attacks that single entities cannot detect at all. These systems consist of several nodes distributed within the network and collaborating with each other. Though, the development and evaluation of such systems relies on substantial analyses. These are often based upon the result of network simulations. Since new developments in this area are usually based upon collaborative approaches, a network simulator would be helpful that provides functionality for organizing the different intrusion detection nodes in groups, which allows the user to concentrate on the development of the actual detection approach. Such a simulator does not exist at the moment. The following work proposes a concept for the LSM++ framework that builds upon an existing network simulator and extends it by functionality for organization of the network nodes in collaboration groups on the one hand, and by the ability to handle huge networks quite efficiently on the other hand. The latter is achieved by raising the abstraction level for the majority of the nodes present in the network. The framework is designed in a way that allows for easy exchange of the procedures for group organization or communication scheme.