Proceedings of the Fourth International Conference on Trends in Electronics and Informatics (ICOEI 2020)

IEEE Xplore Part Number: CFP20J32-ART; ISBN: 978-1-7281-5518-0

Distributed Intrusion Detection System using

Blockchain and Cloud Computing Infrastructure
Dr. Manish Kumar1 Ashish Kumar Singh2
Assistant Professor Research Scholar
Department of Computer Applications Department of Computer Applications
M S Ramaiah Institute of Technology M S Ramaiah Institute of Technology
Bangalore, India Bangalore, India
manishkumarjsr@yahoo.com ashish.msrit10@gmail.com

Abstract— Intrusion Detection System is a well-known updated and used for attack detection. The
term in the domain of Network and Information Security. limitation of this technique is that it will not be
It’s one of the important components of the Network and able to detect a novel attack, as a signature will
Information Security infrastructure. Host Intrusion not be available.
Detection System (HIDS) helps to detect unauthorized use,
abnormal and malicious activities on the host, whereas
Network Intrusion Detection System (NIDS) helps to detect Intrusion Detection Systems are broadly classified into
attacks and intrusion on networks. Various researchers are two categories:
actively working on different approaches to improving the
IDS performance and many improvements have been x Network Intrusion Detection System
achieved. However, development in many other technologies (NIDS):- It captures the packets from
and newly emerging techniques always opens the doors of network traffic. The header of the captured
opportunity to add a sharp edge to IDS and to make it more packets is analyzed based on various
robust and reliable. This paper proposes the development of parameters to detect malicious activities. It
Distributed Intrusion Detection System (DIDS) using can be set up in the network backbone,
emerging and promising technologies like Blockchain upon a server, switches, and gateways.
stable platform like cloud infrastructure.
xHost Intrusion Detection System (HIDS):-
Keywords— Network Intrusion Detection System It is installed on the individual system to
(NIDS), Blockchain, Cloud Computing, Distributed detect the intrusion or misuse. HIDS analyzes
Intrusion Detection System (DIDS), Host Intrusion Detection the key system files, process behaviors,
System (HIDS). unusual resource utilization, unauthorized
access, etc.
I. INTRODUCTION Based on the needs of the organization, the type of
IDS can be decided. For large organizations, NIDS will be
Intrusion Detection System (IDS) is one of the most a cheaper solution. However, it is important to understand
common security systems. It is used for the protection of that both NIDS and HIDS use different techniques and
network infrastructure and computers from malicious one cannot be considered as the substitution for others.
activities and unauthorized usages. It detects the different
types of threats. It helps users and network administrators
to take preventive measures. IDS plays an important role II. DISTRIBUTED INTRUSION DETECTION SYSTEM
in securing IT infrastructure. Intrusion detection systems As discussed in the previous section, NIDS and HIDS
capture and analyze the network traffic to detect suspicious are based on different approaches. To get the overall
activity [3][5][6]. IDS mainly works on two different protection, sometimes we need to use both types of
approaches: systems.
x Anomaly detection: - In this technique, network In a large network, multiple Network Intrusion
traffic or host OS behavior is analyzed based on Detection Systems are deployed across the network.
various parameters and compared with the Theses distributed IDS share the logs and alert
normal behavior. If the system detects any information with each other. Such an arrangement of
deviation from normal behavior, it raises an multiple IDS is called a Distributed Intrusion Detection
alarm. System (DIDS). The type and volume of information
shared among the distributed IDS is configured by the
x Misuse/Signature detection: - This technique administrator and need to be fine-tuned from time to time.
looks for a specific pattern of behavior which is It facilitates advanced persistent threat analysis, network
already known as an attack. All the malicious monitoring, and instant attack analysis of the whole
patterns and behaviors which are identified as network. It helps the administrators to get a broader view
attacks are stored in the IDS signature database. of the network attack [11].
These signature databases are continuously

978-1-7281-5518-0/20/$31.00 ©2020 IEEE 248

Authorized licensed use limited to: Carleton University. Downloaded on August 05,2020 at 15:36:09 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fourth International Conference on Trends in Electronics and Informatics (ICOEI 2020)
IEEE Xplore Part Number: CFP20J32-ART; ISBN: 978-1-7281-5518-0

Network monitoring and IDS alert analysis are some be more devastating. Keeping in view the resource
of the most crucial tasks. Though the security devices and requirements, scalability, and the need for computational
software can provide adequate security one cannot rely on capability, we have proposed a system that is based on
that completely. Attack patterns keep changing frequently. cloud, which can satisfy these requirements on-demand
Attackers always device new and novel techniques to basis. As the DIDS is based on the internetworking of
evade the detection and hence the security devices need to individual IDS, trust, authenticity, and reliability of the
be patched and tuned accordingly. alert received from the individual IDS is a matter of
concern. In some situations, it is possible that the attacker
Threat and alert analysis of the entire network helps has compromised a particular IDS or it is weakly
the administrators to understand the complex attack configured, which can fuzz the server with the wrong alert
patterns. Based on the analysis, a signature or set of rules and misguide the administrator. Keeping given trust,
can be generated. These can be distributed to individual authenticity, and reliability issues, we have proposed the
IDS to protect the segment of the network from a similar use of blockchain technology, which is one of the most
attack in the future [1][4][9]. promising solutions to solve these issues. The next section
briefly describes how blockchain can be used in DIDS,
A. Advantages of DIDS followed by the discussion on the integration of DIDS
With the growing size of network infrastructure, with cloud infrastructure. Blockchain is a new and
scalability and performance is always the major concern emerging technology. A detailed discussion about the
for single-mode IDS. It’s difficult for the single-mode IDS blockchain and cloud technology is beyond the scope of
to detect the attack pattern scattered across different our work and the topic of this paper. Hence only specific
geographical locations of an enterprise network. DIDS has things related to our work have been discussed in this
an advantage over single-mode IDS to collect and paper.
corroborate data among the peer IDS and detect the
stealthy attack pattern. Many times in the case of III. BLOCKCHAIN-BASED INTRUSION DETECTION
Advanced Persistent Attack, it is observed that the attack
may be initiated in some specific region of the network It is observed in recent days that attackers are applying
and then slowly spread to the entire network. In DIDS more complex and advanced techniques to attack the
since all the IDS are connected, any attack detected in a system and avoid detection. It is also possible that if any
specific region or segment of the network can help the segment of the network is misconfigured or compromised
other IDS to learn and update their rule-base. The by the attackers, then it may divert the attention of the
administrator can take preventive measures and protect network administrator. Since multiple IDS are connected
the rest of the network from attack. with the centralized server, the authenticity of the logs and
alerts received from the individual IDS raises a major
Nowadays, attack patterns are becoming more and concern [2].
more complex. With the increased complexity of attacks,
it is possible that the administrator of one network To make the overall system robust and trustworthy,
segment may not take a small incident seriously which blockchain seems to be the most reliable solution. In the
may be a part of a bigger coordinated attack. However, section, we will focus on the challenging issues of DIDS
when the attack pattern of the entire network is analyzed and how blockchain can help to resolve these [8][10][14].
together, it may represent a serious threat.
A. Challenges in Distributed Intrusion Detection
The DIDS system gives the administrators the fastest
and easiest way to identify the attacks coordinated across There are many issues in collaborating the multiple
the multiple network segments. The centralized log IDS and sharing the logs with a centralized system. Trust
analysis of distributed IDS allows the analyst to discover and authenticity are major issues that need to be resolved.
complex attack patterns and take preventive measures Following are the requirements which Distributed
easily. Intrusion Detection System should satisfy:

B. Incident Analysis with DIDS x Integrity: - The integrity of the alert generated by
individual IDS is very important. Logs and alerts
With the growing size of networks, the number of
should be tamper-proof and in no circumstances,
attacks is also increasing. Identifying the intruders and
should they be accessible and modifiable by an
malicious activities at the right time is the most important
and crucial task. One needs to know how the attack attacker or any individual.
initiated, where it initiated, what the attacker did, what the
level of threat was, and how to prevent it. x Consensus: - All the participating IDS should
have a common consensus on the type and
DIDS provides a centralized platform where the threat quality of alert generation.
can be detected instantly no matter in whatever network
segment it occurs. As it gives an advantage to the
x Scalability: - As the network size may grow and
administrator for centralized analysis, it also requires
shrink, the computational demand for the
proper planning and implementation. Since the whole
network infrastructure depends on DIDS, it should have centralized server should also be able to adjust
potential power, flexibility, and strength to detect the accordingly.
threat as quickly as possible. More delay in detection will

978-1-7281-5518-0/20/$31.00 ©2020 IEEE 249

Authorized licensed use limited to: Carleton University. Downloaded on August 05,2020 at 15:36:09 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fourth International Conference on Trends in Electronics and Informatics (ICOEI 2020)
IEEE Xplore Part Number: CFP20J32-ART; ISBN: 978-1-7281-5518-0

x Privacy: - Participating individual IDS should requirements become one of the most important criteria
have rights and control over selective disclose and challenge to be satisfied to build a robust DIDS
and accessibility of alert data. [13][12].
DIDS is vulnerable to attacks from inside of the
network, where the intruder has somehow got the B. Blockchain-Based Solutions
authorized access to the network. Security and reliability Blockchain provides the best promising solution to
of the central server are most crucial. The objective of satisfy the above-mentioned requirements and challenges.
central server deployment in DIDS is to collect the logs The implementation of a secure distributed ledger is
and alerts from individual IDS for centralizing analysis proposed for sharing the logs and alerts generated by the
and easy decision making. The above-mentioned individual IDS.

Fig 1:- DIDS Architecture Using Blockchain and Cloud Infrastructure

Alerts generated by individual IDS are stored as a A cloud-based centralized server provides a promising
transaction in the blockchain. All the individual IDS solution to handle these challenges. Its a cost-effective
connected with the centralized server run a consensus and scalable solution. Based on the need, the capacity of
protocol to validate the transaction before adding it into the cloud based centralize server can be scaled-up and
the blockchain. Such an arrangement guarantees that only down.
validated, authenticated alerts are updated in the
The cloud-based platform not only provides a cost-
centralized server. These alerts are tamper-proof and
effective and scalable system for handling large data size
accessible to all the participating IDS [15][1].
but also supports big data analytical tools. It can be used
to analyze the logs and alerts data collected on centralized
IV. INTEGRATION WITH CLOUD INFRASTRUCTURE sever and help to identify different types of attack patterns
Though DIDS is a promising solution for protecting and threats in real-time [6][7].
the entire network, it poses a lot more challenging issues
like its performance and scalability. When a network is
very big and individual IDS dumps the logs to a
centralized server, it becomes big data. It’s a challenge for V. EXPERIMENTAL RESULTS
the system to analyze the large size of data in real-time. For experimental analysis, we used Amazon Cloud
Huge infrastructure and investment are required to build Services. We configured the nodes on the Amazon EC2
such real-time DIDS. cloud. The master nodes automatically create the
computational slave nodes. The advantage of such

978-1-7281-5518-0/20/$31.00 ©2020 IEEE 250

Authorized licensed use limited to: Carleton University. Downloaded on August 05,2020 at 15:36:09 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fourth International Conference on Trends in Electronics and Informatics (ICOEI 2020)
IEEE Xplore Part Number: CFP20J32-ART; ISBN: 978-1-7281-5518-0

architecture is that the user can any time increase and the master node and slave nodes were configured as
decrease the computational power based on the independent IDS. Since the whole system was deployed
requirements and budget. on the cloud, communication time was reduced. However,
in real-time experiments, communication delay can be a
In our experiment, we tested the performance of the major factor to be analyzed which was out of the scope for
overall system using Auto Scaling. Amazon EC2 Auto this experiment.
Scaling helps to ensure that resources are available on-
demand to handle the load of applications. The user can In our experiment, the analysis of DIDS performance
specify the maximum and the minimum number of is carried out by performing the analysis of logs and alerts
instances in each Auto Scaling Group as per the of varying size between 500MB to 5 GB. The
requirements. Amazon EC2 auto-scaling ensures that computational power was continuously increased with the
resources are optimally utilized between the minimum and increasing size of data as shown in Table 1. The graph in
the maximum number of instances. Fig 3 shows that with the flexible scalability of the system
computing power, the performance of the system was
consistent.

Fig. 3:- Load Vs. Speed-up Performance

VI. CONCLUSION
In this paper, we have presented the architecture of the
Distributed Intrusion Detection System using Cloud
Computing Infrastructure and Blockchain. We have
shown the performance of the DIDS server with a varying
load of data. There are many other issues like
communication delay, the overhead of blockchain, cost of
implementation, etc. which has to be discussed and
Fig 2:- Amazon EC2 Scaling analyzed.

For example, the Auto Scaling group is shown in Fig:- REFERENCES

2 has a maximum size of four instances and minimum size [1] A. A. Titorenko and A. A. Frolov, "Analysis of modern intrusion
of one instance. It has the desired capacity of two detection system," 2018 IEEE Conference of Russian Young
instances. The system adjusts the number of instances Researchers in Electrical and Electronic Engineering (EIConRus),
within the minimum and a maximum number of instances Moscow, 2018, pp. 142-143.
[2] Alexopoulos, Nikolaos & Vasilomanolakis, Emmanouil & Réka
based on the policies and criteria defined. Ivánkó, Natália & Mühlhäuser, Max. (2018). Towards Blockchain-
Based Collaborative Intrusion Detection Systems: 12th
TABLE I. COMPARISON OF EXECUTION TIME AND SPEED-UP International Conference, CRITIS 2017, Lucca, Italy, October 8-
13, 2017.
Number Log/Alert Execution [3] Axelsson, Stefan. Intrusion detection systems: A survey and
of Size Time (sec) taxonomy. Vol. 99. Technical report, 2000.
[4] H. M. Anwer, M. Farouk and A. Abdel-Hamid, "A framework for
Instances efficient network anomaly intrusion detection with features
1 500 MB 50 selection," 2018 9th International Conference on Information and
2 1 GB 56.5 Communication Systems (ICICS), Irbid, 2018, pp. 157-162.
3 2 GB 53.2 [5] H.Debar, M. Dacier, and A. Wespi, “Towards a taxonomy of
Intrusion Detection Systems”, Computer Networks, vol 31, n0. 8,
4 3 GB 54.4
pp. 805-822, 1999.
5 4 GB 51.6 [6] Holtz, Marcelo D. ; Bernardo David ; Sousa Jr., R. T. . Building
6 5 GB 52.6 Scalable Distributed Intrusion Detection Systems Based on the
MapReduce Framework. Telecomunicacoes (Santa Rita do
Sapucai), v. 13, p. 22-31, 2011.
For our experiment, the minimum number of instances [7] J. Dean and S. Ghemawat, MapReduce: Simplified Data
was set to 1 and the maximum number of instances was Processing on Large Cluster, USENIX OSDI,2004.
set to 6. The centralized server process was configured on

978-1-7281-5518-0/20/$31.00 ©2020 IEEE 251

Authorized licensed use limited to: Carleton University. Downloaded on August 05,2020 at 15:36:09 UTC from IEEE Xplore. Restrictions apply.
 Proceedings of the Fourth International Conference on Trends in Electronics and Informatics (ICOEI 2020)
IEEE Xplore Part Number: CFP20J32-ART; ISBN: 978-1-7281-5518-0

[8] J. Yang, C. Shen, Y. Chi, P. Xu and W. Sun, "An extensible

Hadoop framework for monitoring performance metrics and events
of OpenStack cloud," 2018 IEEE 3rd International Conference on
Big Data Analysis (ICBDA), Shanghai, 2018, pp. 222-226.
[9] K. Kato and V. Klyuev, "Development of a network intrusion
detection system using Apache Hadoop and Spark," 2017 IEEE
Conference on Dependable and Secure Computing, Taipei, 2017,
pp. 416-423.
[10] Konstantin Shvachko, Hairong Kuang, Sanjay Radia, and Robert
Chansler, “The Hadoop Distributed File System,” IEEE 26th
Symposium on Mass Storage Systems and Technologies (MSST),
pp.1-10, 2010.
[11] S. Ghribi, A. M. Makhlouf and F. Zarai, "C-DIDS: A Cooperative
and Distributed Intrusion Detection System in Cloud
environment," 2018 14th International Wireless Communications
& Mobile Computing Conference (IWCMC), Limassol, 2018, pp.
267-272.
[12] Suah Kim, Beomjoong Kim, and Hyoung Joong Kim. 2018.
Intrusion Detection and Mitigation System Using Blockchain
Analysis for Bitcoin Exchange. In Proceedings of the 2018
International Conference on Cloud Computing and Internet of
Things (CCIOT 2018). ACM, New York, NY, USA, 40-44.
[13] W. Meng, E. W. Tischhauser, Q. Wang, Y. Wang and J. Han,
"When Intrusion Detection Meets Blockchain Technology: A
Review," in IEEE Access, vol. 6, pp. 10179-10188, 2018.
[14] Yeonhee Lee and Youngseok Lee. 2012. Toward scalable internet
traffic measurement and analysis with Hadoop. SIGCOMM
Comput. Commun. Rev. 43, 1 (January 2012), 5-13.
[15] Zohreh Abtahi Foroushani and Yue Li. 2018. Intrusion Detection
System by Using Hybrid Algorithm of Data Mining Technique.
In Proceedings of the 2018 7th International Conference on
Software and Computer Applications (ICSCA 2018). ACM, New
York, NY, USA, 119-123.

978-1-7281-5518-0/20/$31.00 ©2020 IEEE 252

Authorized licensed use limited to: Carleton University. Downloaded on August 05,2020 at 15:36:09 UTC from IEEE Xplore. Restrictions apply.