Collaborative Intrusion Detection System (CIDS): A Framework for Accurate and Efficient IDS

In this paper, we present the design and implementation ofa Collaborative Intrusion Detection System (CIDS) foraccurate and efficient intrusion detection in a distributedsystem. CIDS employs multiple specialized detectors at thedifferent layers - network, kernel and application - and amanager based framework for aggregating the alarms fromthe different detectors to provide a combined alarm for anintrusion. The premise is that a carefully designed andconfigured CIDS can increase the accuracy of detectioncompared to individual detectors, without a substantialdegradation in performance. In order to validate the premise,we present the design and implementation of a CIDS whichemploys Snort, Libsafe, and a new kernel level IDS calledSysmon. The manager has a graph-based and a Bayesiannetwork based aggregation method for combining the alarmsto finally come up with a decision about the intrusion. Thesystem is evaluated using a web-based electronic store frontapplication and under three different classes of attacks -buffer overflow, flooding and script-based attacks. The resultsshow performance degradations compared to no detection of3.9% and 6.3% under normal workload and a buffer overflowattack respectively. The experiments to evaluate the accuracyof the system show that the normal workload generates falsealarms for Snort and the elementary detectors produce missedalarms. CIDS does not flag the false alarm and reduces theincidence of missed alarms to 1 of the 7 cases. CIDS can alsobe used to measure the propagation time of an intrusion whichis useful in choosing an appropriate response strategy.