A Survey of Distributed Intrusion Detection Approaches Michael Treaster National Center for Supercomputing Applications (NCSA) University of Illinois Email: [email protected] 5 0 Abstract 0 axes; here we examine data sharing, the nature 2 of the data analysis, and security and trust fea- n Distributed intrustion detection systems detect tures. a attacks on computer systems by analyzing data J aggregated from distributed sources. The dis- 1 tributed nature of the data sources allows pat- Data Sharing ] terns in the data to be seen that might not be R detectable if each of the sources were examined In a distributed IDS system, each agent shares C individually. This paper describes the various its data with other agents in the system. How- . s approaches that have been developed to share ever, there are a wide variety of sharing schemes c [ and analyze data in such systems, and discusses thathavebeendeveloped. Theseschemescan be 1 some issues that must be addressed before fully viewed as a continuum, with centralized data re- v decentralizeddistributedintrusiondetectionsys- portingononesideandcompletely decentralized 1 tems can be made viable. sharing on the other. 0 0 The most extreme centralization is repre- 1 Introduction sented by systems in which a commercial vendor 0 5 collects security information from a wide variety 0 Intrusion detection systems (IDS) have existed of customers, each running the vendor’s agent / s since the 1980’s, ever since the rise of the Inter- software[4,5]. Thevendortypicallyhasmultiple c net made it possible to attack computer systems machineshandlingthedatacollection andanaly- : v from a remote terminal. Although the first such sis load that this widespread deployment incurs. i X systemsoperatedindependentlyoneachmachine When the vendor detects a possible Internet- r on which they were installed, eventually the idea scale attack, customers receive alerts and advice a was proposed of aggregating IDS data from mul- from the professional security experts who man- tiplemachinesinordertolookforpatternsacross age the system. This approach has two primary anetwork. Thiscanimprovethesystem’sability shortcomings. First, the central management to detect attacks that might otherwise be unde- and processing of data represents a single point tectablebecauseeachsinglehostcannotdoesnot of failure or vulnerability. Second, it results in have enough evidence to draw any conclusions. a scalability bottleneck, and, due to the volume Ingeneral, distributedintrusion detection sys- of incoming data, these systems often have slow tems leverage some kind of single-node IDS soft- response time to new threats. ware tomonitor security events andcollect data. The most common distributed IDS approach Therefore,researchtypically focusesmoreonthe is one in which all agents report data to a cen- sharing, aggregation, and processing of this data tral server controlled at a domain or enterprise from a variety of nodes rather than on the ex- level [6, 8, 10, 12, 13]. This is fundamentally act nature of the monitoring itself. Existing ap- the same as in the previous centralization ap- proaches can be categorized along a variety of proach, but on a different scale, and this pos- 1 sesses most of the advantages and disadvantages ments, and since the security relationship be- of these larger-scale systems. These are usu- tween, say, a port scan and a buffer overflow at- ally oriented towards enterprisesecurity, and are tackmaynotbeobvious,howdoesasystemturn generally unsuitable for use among independent event detection into a response? peers on the Internet due to the central control. Expert systems are a common approach [8, Toaddressthescalabilityproblemofacentral- 13], relying on rule sets to process and respond ized system, many techniques use a hierarchical to events. These rules can attempt to define se- structure [7, 9, 15]. Data is passed up a hierar- curity policies, normal behavior, and/or anoma- chy tree and is processed at each level to search lousbehavior,andalertsoractionsaregenerated for intrusions and to reduce the amount of infor- based on how events match against the rules. mation that must be passed higher up the tree. [8] attempts to map actions back to a particular This helps address scalability and allows a sys- human user, such that events can be correlated tem to be deployed across large enterprise-scale with the intentions of an individual. networks, but it limits the kinds of intrusions Many systems [2, 9] use a threshold scheme. that can be detected at the highest levels. This Each security event increases a global alert level. alsohelpsaddressthesinglepointoffailureprob- The amount of the increase can be based on any lem, since if a higher node in the hierarchy fails number of factors, such as the particular event thelowertierscantypically continuetofunction, thatwasobservedanditsrelationtootherevents albeit with reduced detection capabilities. in time or space. When the alert level exceeds Between the hierarchical approach and the a certain threshold, generic increased security fully distributed approach lie projects such as measures are deployed, or an administrator is [11], whichusesahybridhierarchical-distributed alerted. Long periods of time without security approach. Each agent publishes “interests” to events can cause the alert level to decrease. the network, which are distributed through a Augmented goal trees can be used to model hierarchical structure. Agents share data with intrusion possibilities [12]. As more states of the other nodes who are interested, and all analysis goaltreearefulfilled(basedondatafromthedis- occurs locally at the agent level. tributed agents), the system is able to anticipate Instances of completely distributed solu- and counter future stages of the intrusion. An tions are much more rare and are much alternative graph-based approach in which con- less well-developed. Gossiping, multicast, or nections between machines are logged and con- subscription-based data sharing techniques have structedintoagraphofnetworkactivity hasalso been proposed [14], but none of these have yet beenstudied[9]. Thesegraphsarethenanalyzed been implemented in a distributed IDS system. byanexpertsystemtodetectpossibleintrusions. Other systems [17] ignore the topic entirely or pass it off to the underlying peer-to-peer sub- Security and Trust strate. Although these examples are still under development, they represent solutions that can Security and trust are crucial aspects of any dis- be deployed on the Internet at large, indepen- tributedsystem. However, inmostproposeddis- dent of any central authority. tributed IDS systems, however, these issues are given a much lower priority than other design Nature of Data Analysis considerations. They address the possibility of a rogue agent or a denial of service attack on the AlthoughdistributedIDSsystemsareusuallyin- system only in passing. In all cases, a complete dependent of the techniques used to detect indi- solution for trust and security is not provided, vidual security events, the ways in which these but sometimes a concrete solution to a limited security events are used can vary greatly. Since aspect of the problem is presented. most systems work in heterogeneous environ- One issue is that of message authentication, 2 allowing agents to ensure that messages come explored. from who they claim to come from. Several sys- tems [14, 17] use signed messages, relying on a Future Directions central certificate authority to generate the cre- dentials. Thisauthoritydoesnotnecessarilypar- We believe tolerance of misinformation is a key ticipateintherestofthedistributedIDSsystem. area in which to focus, due to the lack of atten- Although this approach validates the source of a tion that it has been given in previous work. In message and ensures that the contents have not existing systems, a rogue agent might easily cor- been tampered with, it cannot protect a legiti- rupt the network by spreading incorrect data. mate agent sending malicious data. Systems must protect themselves against this Smaller-scale, centrally controlled systems type of attack. Centrally managed systems can suchas[6]canrelyuponaloginmechanism,such rely on having complete control over every agent as Kerberos. Agents only acknowledge logged-in in the network to protect themselves. However, systems, providing a measure of trust to the val- agents in a centrally managed system might be idated agents. This solution is only appropriate subverted, and fully decentralized systems can- for systems with a central login authority, how- not rely on this at all. ever. This solution, like the signed message ap- proach, is unable to protect against a legitimate One approach that has been suggested is to agent sending malicious data. build a web of trust between agents in the net- work. As an agent reports information that is The issue of trust can be left to individ- ual agents in the system [15]. Each agent de- verified by others, the reputation of the agents is cides whether or not to trust higher level agents increased and it is trusted more in the future. (“monitors”) in the system hierarchy. The agent However, the system must protect against an agent adopting malicious behavior after building then subscribes to exchange information from up a high level of trust. This approach is closely those monitors it chooses to trust. By aggregat- relatedtoseveraltrust-oriented researchendeav- ing and forwarding the data they receive from ors [1, 3, 16]. However, the details of a such a the lower level agents, the monitors are able to protocol have not yet been carefully specified. distribute data throughout the network. It is not clear how a monitor protects against sub- scription by rogue agents which then feed it mis- References information. Denial of service attacks on agents can be de- [1] A. Abdul-Rahman and S. Hailes. A distributed tected using heartbeat signals [2]. Each agent trustmodel.InProceedingsofthe1997workshop periodically sends a message to inform the rest on New security paradigms, pages 48–60. ACM of the system that it is functioning properly. If Press, 1997. other agents do not receive the heartbeat mes- [2] J. Barrus and N. C. Rowe. A distributed sage on schedule, a denial of service attack is autonomous-agent network-intrusion detection suspected and treated as another security event and response system. In Command and Con- on the network. trol Research and Technology Symposium, pages Beyond these initial approaches to security 577–586,Monterey, CA, June 1998. and trust, there has been little work in this area [3] R.ChenandW.Yeager. Poblano: Adistributed with regard to distributed intrusion detection trust model for peer-to-peer networks. Techni- systems, especially in systems with a centralized cal report, Sun Microsystems,Santa Clara, CA, control component. Most distributed IDS ap- February 2003. proaches ignore this topic entirely, but some list [4] Deepsight website. it among future work. Several projects [14, 17] http://www.securityfocus.com/. suggest the possibility of using a “web of trust” among peers,butthis approach has not yet been [5] Dshield website. http://www.dshield.org/. 3 [6] D. F. et al. A framework for cooperative in- trusion detection. In 21st National Informa- tion Systems Security Conference, pages 361– 373, October 1998. [7] J. S. B. et al. An architecture for intrusion de- tection using autonomous agents. In ACSAC, pages 13–24,1998. [8] S. R. S. et al. DIDS (distributed intrusion de- tection system) - motivation, architecture, and an early prototype. In Proceedings of the 14th National Computer Security Conference, pages 167–176,Washington, DC, 1991. [9] S. S.-C. et al. GrIDS – A graph-basedintrusion detectionsystemfor largenetworks. InProceed- ings of the 19th National Information Systems Security Conference, 1996. [10] V. C. et al. A distributed intrusion detection prototype using security agents. In 11th Work- shop of the HPOVUA, June 2004. [11] R. Gopalakrishna and E. H. Spafford. A frame- workfordistributedintrusiondetectionusingin- terest driven cooperating agents, 2001. [12] M.-Y. Huang, R. J. Jasper, and T. M. Wicks. A large scale distributed intrusion detection framework based on attack strategy analysis. Computer Networks (Amsterdam, Netherlands: 1999), 31(23–24):2465–2475,1999. [13] K. A. Jackson, D. H. DuBois, and C. A. Stallings. An expert system application for net- workintrusiondetection. In14thNationalCom- puterSecurityConference,Washington,DC,Oc- tober 1991. [14] R. Janakiraman, M. Waldvogel, and Q. Zhang. Indra: A peer-to-peer approach to network in- trusiondetectionandprevention. InProceedings of IEEE WETICE 2003, Linz, Austria, June 2003. [15] P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anoma- lous live disturbances. In Proc. 20th NIST- NCSC National Information Systems Security Conference, pages 353–365,1997. [16] B. Sniffen. Trust economies in the free haven project, 2000. [17] V. Vlachos, S. Androutsellis-Theotokis, and D. Spinellis. Security applications of peer-to- peer networks. Comput. Networks, 45(2):195– 205, 2004. 4