Carol J. Fung
Virginia Commonwealth University
Publication
Featured research published by Carol J. Fung.
IEEE Transactions on Network and Service Management | 2011
Carol J. Fung; Jie Zhang; Issam Aib; Raouf Boutaba
The accuracy of detecting intrusions within a Collaborative Intrusion Detection Network (CIDN) depends on the efficiency of collaboration between peer Intrusion Detection Systems (IDSes) as well as the security itself of the CIDN. In this paper, we propose Dirichlet-based trust management to measure the level of trust among IDSes according to their mutual experience. An acquaintance management algorithm is also proposed to allow each IDS to manage its acquaintances according to their trustworthiness. Our approach achieves strong scalability properties and is robust against common insider threats, resulting in an effective CIDN. We evaluate our approach based on a simulated CIDN, demonstrating its improved robustness, efficiency and scalability for collaborative intrusion detection in comparison with other existing models.
integrated network management | 2009
Carol J. Fung; Jie Zhang; Issam Aib; Raouf Boutaba
The accuracy of detecting intrusions within an Intrusion Detection Network (IDN) depends on the efficiency of collaboration between the peer Intrusion Detection Systems (IDSes) as well as the security itself of the IDN against insider threats. In this paper, we study host-based IDNs and introduce a Dirichlet-based model to measure the level of trustworthiness among peer IDSes according to their mutual experience. The model has strong scalability properties and is robust against common insider threats, such as a compromised or malfunctioning peer. We evaluate our system based on a simulated collaborative host-based IDS network. The experimental results demonstrate the improved robustness, efficiency, and scalability of our system in detecting intrusions in comparison with existing models.
distributed systems operations and management | 2008
Carol J. Fung; Olga Baysal; Jie Zhang; Issam Aib; Raouf Boutaba
The accuracy of detecting an intrusion within a network of intrusion detection systems (IDSes) depends on the efficiency of collaboration between member IDSes. The security itself within this network is an additional concern that needs to be addressed. In this paper, we present a trust-based framework for secure and effective collaboration within an intrusion detection network (IDN). In particular, we define a trust model that allows each IDS to evaluate the trustworthiness of others based on personal experience. We prove the correctness of our approach in protecting the IDN. Additionally, experimental results demonstrate that our system yields a significant improvement in detecting intrusions. The trust model further improves the robustness of the collaborative system against malicious attacks.
IEEE Journal on Selected Areas in Communications | 2012
Quanyan Zhu; Carol J. Fung; Raouf Boutaba; Tamer Basar
Traditional intrusion detection systems (IDSs) work in isolation and can be easily compromised by unknown threats. An intrusion detection network (IDN) is a collaborative IDS network intended to overcome this weakness by allowing IDS peers to share detection knowledge and experience, and hence improve the overall accuracy of intrusion assessment. In this work, we design an IDN system, called GUIDEX, using game-theoretic modeling and trust management for peers to collaborate truthfully and actively. We first describe the system architecture and its individual components, and then establish a game-theoretic framework for the resource management component of GUIDEX. We establish the existence and uniqueness of a Nash equilibrium under which peers can communicate in a reciprocal incentive compatible manner. Based on the duality of the problem, we develop an iterative algorithm that converges geometrically to the equilibrium. Our numerical experiments and discrete event simulation demonstrate the convergence to the Nash equilibrium and the security features of GUIDEX against free riders, dishonest insiders and DoS attacks.
international conference on game theory for networks | 2009
Quanyan Zhu; Carol J. Fung; Raouf Boutaba; Tamer Basar
Traditional intrusion detection systems (IDSs) work in isolation and may be easily compromised by new threats. An intrusion detection network (IDN) is a collaborative IDS network intended to overcome this weakness by allowing IDS peers to share collective knowledge and experience, and hence improve the overall accuracy of intrusion assessment. In this work, we design an incentive model based on trust management by using game theory for peers to collaborate truthfully without free-riding in an IDN environment. We show the existence and uniqueness of a Nash equilibrium under which peers can communicate in an incentive compatible manner. Using duality of the problem, we develop an iterative algorithm that converges geometrically to the equilibrium. Our numerical experiments and discrete event simulation demonstrate the convergence to the Nash equilibrium and the incentives of the resource allocation design.
international conference on communications | 2015
Lei Wei; Carol J. Fung
Software Defined Networking (SDN) introduces a new communication network management paradigm and has gained much attention from academia and industry. However, the centralized nature of SDN is a potential vulnerability to the system since attackers may launch denial of service (DoS) attacks against the controller. Existing solutions limit the request rate to the controller by dropping overflowed requests, but they also drop legitimate requests to the controller. To address this problem, we propose FlowRanger, a buffer prioritizing solution for controllers to handle routing requests based on their likelihood to be attacking requests, which derives the trust values of the requesting sources. Based on their trust values, FlowRanger classifies routing requests into multiple buffer queues with different priorities. Thus, attacking requests are served with a lower priority than regular requests. Our simulation results demonstrate that FlowRanger can significantly enhance the request serving rate of regular users under DoS attacks against the controller. To the best of our knowledge, our work is the first solution to battle against controller DoS attacks on the controller side.
network operations and management symposium | 2010
Carol J. Fung; Quanyan Zhu; Raouf Boutaba; Tamer Basar
Cooperation between intrusion detection systems (IDSs) allows collective information and experience from a network of IDSs to be shared for improving the accuracy of detection. A critical component of a collaborative network is the mechanism of feedback aggregation in which each IDS makes an overall security evaluation based on peer opinions and assessments. In this paper, we propose a collaboration framework for intrusion detection networks (CIDNs) and use a Bayesian approach for feedback aggregation by minimizing the combined costs of missed detection and false alarm. The proposed model is highly scalable, robust, and cost effective. Experimental results demonstrate an improvement in the true positive detection rate and a reduction in the average cost of our mechanism compared to existing models.
2016 IEEE NetSoft Conference and Workshops (NetSoft) | 2016
Wei Yang; Carol J. Fung
Network functions virtualization (NFV) is an emerging network technology. Instead of deploying hardware equipment for each network function, virtualized network functions in NFV are realized through virtual machines (VMs) running various software on top of industry standard high volume servers or cloud computing infrastructure. NFV decreases hardware equipment costs and energy consumption, improves operational efficiency and optimizes network configuration. However, potential security issues are a major concern of NFV. In this paper, we survey the challenges and opportunities in NFV security. We describe the NFV architecture design and some potential NFV security issues and challenges. We also present existing NFV security solutions and products. We also survey NFV security use cases and explore promising research directions in this area.
conference on network and service management | 2015
Carol J. Fung; Bill McCormick
Distributed denial of service (DDoS) attacks have caused tremendous damage to ISPs and online services. They can be divided into attacks using spoofed IPs and attacks using real IPs (botnet). Among them the attacks from real IPs are much harder to mitigate since the attack traffic can be fabricated to be similar to legitimate traffic. The corresponding DDoS defence strategies proposed in the past few years have not been proven to be highly effective due to the limitation of participating devices. However, the emergence of the next generation networking technologies such as network function virtualization (NFV) provides a new opportunity for researchers to design DDoS mitigation solutions. In this paper we propose VGuard, a dynamic traffic engineering solution based on prioritization, which is implemented on a DDoS virtual network function (VNF). The flows from the external zone are directed to different tunnels based on their priority levels. This way trusted legitimate flows are served with guaranteed quality of service, while attack flows and suspicious flows compete for resources with each other. We propose two methods for flow direction: the static method and the dynamic method. We evaluated the performance of both methods through simulation. Our results show that both methods can effectively provide satisfying service to trusted flows under DDoS attacks, and both methods have their pros and cons under different situations.
acm/ieee international conference on mobile computing and networking | 2014
Bahman Rashidi; Carol J. Fung; Tam Vu
The rapid growth of the smartphone application market raises security concerns regarding untrusted applications. Studies have shown that most apps in markets request to collect data irrelevant to the main functions of the apps. Traditional permission control design based on one-time decisions on installation has been proven to be ineffective at protecting user privacy and to poorly utilize scarce mobile resources (e.g. battery). In this work, we propose RecDroid, a framework for smartphone users to make permission control in real time and receive recommendations from expert users who use the same apps. This way users can benefit from the expert opinions and make correct permission granting decisions. We describe our vision on realizing our solution on Android and show that our solution is feasible, easy to use, and effective.