Group-based IDS Collaboration Framework: A Case Study of the Artificial Immune System

Author: Rainer Bye
Source: Technische Universität Berlin

Self-protection is, as defined by IBM, one of the four pillars of self-management in the context of autonomic computing (AC). One aspect of self-protection is the detection of attacks, which often originate from multiple sources and target multiple networked systems. Anomaly-based intrusion detection systems (IDS) such as the artificial immune system (AIS) are considered feasible in an AC environment, but suffer from various problems such as high false alarm rates or the lack of scalable training and detection algorithms. In the last decade, collaborative intrusion detection systems (CIDS) have emerged as a promising solution to these IDS-related challenges: they use information from multiple sources to gain a better understanding of the objective and impact of complex attacks. CIDS benefit from collaboration in two ways, namely architectural advantages such as scalability and the benefit of teamwork. However, collaboration needs to be administered efficiently, and a CIDS raises new exploitation opportunities for adversaries. In this work, we investigate a group-based collaboration framework for IDS using the example of the AIS, resulting in a novel architecture: the collaborative AIS (CAIS). We provide a scheme that supports the AIS with (i) the realization of scalable training and detection and (ii) the improvement of false positive rates with the help of collaboration. A distributed AIS approach poses requirements for the collaboration framework. Accordingly, we incorporate an anonymity scheme to confront adversarial opportunities and provide a group formation algorithm that selects the best fitting groups of collaborators according to a collaboration policy. We also introduce tools for the evaluation of the overall approach based on analytical models and simulation. The resulting collaboration framework covers the complete life cycle of a distributed anomaly-based intrusion detection system: initialization, organization, detection and response.
The CAIS is realized with the help of the developed framework and is composed of software agents. These software agents contribute to self-protection in the scope of autonomic computing.
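The abstract states two things that a small model can make concrete: that collaboration can lower the false positive rate of an anomaly detector such as the AIS, and that the approach is evaluated with both analytical models and simulation. The following Python block is an added illustration written for this page; it is not the thesis's CAIS code and does not reproduce its algorithms. It assumes a toy setting of its own: 10-bit feature vectors, "normal" vectors defined as those with at most three bits set, negative-selection detectors that match within Hamming distance 1, nodes that each train on an incomplete sample of normal behaviour (so their detectors cover unseen normal vectors and produce false positives), and a group verdict formed by an m-of-k quorum. The quorum's false positive rate from simulation is compared with the closed-form binomial model for independent nodes.

```python
"""Toy collaborative anomaly detection: illustration only, not the thesis's CAIS.

Each node is a minimal artificial immune system. It trains a negative-selection
detector set on a sample of normal ("self") feature vectors and flags any vector
within Hamming distance MATCH_RADIUS of a detector. Because every node sees only
part of normal behaviour, some detectors cover unseen-but-normal vectors and the
node raises false positives. A group of nodes combines verdicts with an m-of-k
quorum, and the simulated quorum false positive rate is compared with a
closed-form binomial model. All parameters below are constructed assumptions.
"""
import random
from itertools import product
from math import comb

BITS = 10              # feature vector length (constructed)
SELF_MAX_WEIGHT = 3    # "normal" vectors have at most this many bits set
ANOMALY_MIN_WEIGHT = 6 # anomalies have at least this many bits set
MATCH_RADIUS = 1       # a detector matches a vector within this Hamming distance


def hamming(a, b):
    """Number of differing bit positions between two equal-length tuples."""
    return sum(x != y for x, y in zip(a, b))


def self_vectors():
    """The full population of normal vectors (no node gets to see all of it)."""
    return [v for v in product((0, 1), repeat=BITS) if sum(v) <= SELF_MAX_WEIGHT]


def anomaly_vectors():
    """Vectors far from the normal region, used as the attack population."""
    return [v for v in product((0, 1), repeat=BITS) if sum(v) >= ANOMALY_MIN_WEIGHT]


def generate_detectors(training_self, n_detectors, rng):
    """Negative selection: random candidates that match no training vector survive."""
    detectors = []
    while len(detectors) < n_detectors:
        cand = tuple(rng.randint(0, 1) for _ in range(BITS))
        if all(hamming(cand, s) > MATCH_RADIUS for s in training_self):
            detectors.append(cand)
    return detectors


def node_fires(detectors, v):
    """A single node's verdict: alert if any detector matches the vector."""
    return any(hamming(d, v) <= MATCH_RADIUS for d in detectors)


def quorum_rate(p, k, m):
    """Analytical model: P(at least m of k independent nodes fire) when each
    fires with probability p. Used with p = false positive rate or p = detection rate."""
    return sum(comb(k, i) * p ** i * (1 - p) ** (k - i) for i in range(m, k + 1))


def simulate(k_nodes=3, training_size=60, n_detectors=200, seed=1):
    """Train k nodes on disjoint-by-chance samples of normal traffic and measure
    single-node and quorum rates over the whole normal and anomaly populations."""
    rng = random.Random(seed)
    normal, anomalies = self_vectors(), anomaly_vectors()
    nodes = [generate_detectors(rng.sample(normal, training_size), n_detectors, rng)
             for _ in range(k_nodes)]
    majority = k_nodes // 2 + 1

    def group_rate(samples, m):
        hits = sum(sum(node_fires(dets, v) for dets in nodes) >= m for v in samples)
        return hits / len(samples)

    single_fpr = [sum(node_fires(dets, v) for v in normal) / len(normal) for dets in nodes]
    mean_fpr = sum(single_fpr) / k_nodes
    return {
        "single_fpr": single_fpr,
        "any_fpr": group_rate(normal, 1),             # alert if any node fires
        "majority_fpr": group_rate(normal, majority),  # m-of-k quorum
        "unanimous_fpr": group_rate(normal, k_nodes),  # all nodes must agree
        "majority_tpr": group_rate(anomalies, majority),
        # independence model for the same quorum, using the mean single-node rate
        "analytic_majority_fpr": quorum_rate(mean_fpr, k_nodes, majority),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The quorum is the collaboration step: the unanimous, majority and any-node rules form nested sets of alerts, so the false positive rate falls monotonically as the quorum grows, at the cost of detection rate, which `majority_tpr` makes visible. The analytical value will differ from the simulated one because nodes trained on overlapping samples are not independent; the gap between the two numbers is exactly what a simulation reveals that the closed-form model cannot.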