TY - GEN
T1 - Collaborative distributed intrusion detection system
AU - Lin, Wei
AU - Xiang, Liu
AU - Pao, Derek
AU - Liu, Bin
PY - 2008
Y1 - 2008
AB - In order to protect Internet users from various attacks such as worms, viruses and other intrusions, a signature-based intrusion detection system (IDS) should be deployed at the critical part of the network, with rapid response for updating newly emerged attack signatures and containing the spread of worms or viruses at an early stage. The processing speed of one IDS cannot achieve the throughput requirement in the core networks because pattern matching, the key operation for a signature-based IDS, is complex and time consuming. This paper argues that if the signature set is shared by multiple IDSs, a packet needs to be checked once and once only by one of the IDSs, so traffic load can be redistributed among the IDSs to avoid local congestion. Packet marking is used by the collaborative IDSs to indicate the status of a packet, and a redistribution strategy named inner logical ring (ILR) is built among the IDSs to redistribute the traffic load. Meanwhile, a caching scheme is used to keep the sequence of packets belonging to the same flow. This collaborative distributed IDS is robust, with rapid response to various attacks, and the detection throughput is significantly increased from the throughput of the weakest IDS to the summation of all the collaborative IDSs. © 2008 IEEE.
UR - https://www.scopus.com/pages/publications/62349091383
UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-62349091383&origin=recordpage
U2 - 10.1109/FGCN.2008.67
DO - 10.1109/FGCN.2008.67
M3 - RGC 32 - Refereed conference paper (with host publication)
SN - 9780769534312
VL - 1
SP - 172
EP - 177
BT - Proceedings of the 2008 2nd International Conference on Future Generation Communication and Networking, FGCN 2008
T2 - 2008 2nd International Conference on Future Generation Communication and Networking, FGCN 2008
Y2 - 13 December 2008 through 15 December 2008
ER -