Trust Management for Host-

based Collaborative

Intrusion Detection

Carol Fung, Olga Baysal, Jie Zhang, Issam Aib and Raouf Boutaba

David R. Cheriton School of Computer Science

University of Waterloo

Carol Fung 2

Outline

• Introduction

• Motivation

• Trust Model

• Robustness

• Attacks Prevention

• Conclusions

Carol Fung 3

Introduction

• The worldwide impact of malicious intrusions is

estimated to be over $10 Billion annually

• Intrusions include viruses/worms, spyware,

spam, DoS, unauthorized login.

• Traditional isolated IDSes are inefficient in

detection unknown intrusions.

Carol Fung 4

Benefits of IDS Collaboration

• Accurate alert ranking

• Effective intrusion detection and

prevention

• Worm spreading warning

Carol Fung 5

Related Work

• Current collaborative architectures have strong assumptions on the trustworthiness (all IDSes are trusted and faithfully report intrusion events) [1,2,3,4]

• Used trust models are naïve [5, 6]

• Many efficient trust management models in other areas such as e-market and P2P networks [7,8,9]

Carol Fung 6

Contribution

1. Build a trust management model for IDS

collaboration

2. Propose a framework for efficient

collaboration of IDSes

Carol Fung 7

Scenario

Waterloo alliance

Kitchener alliance

Alice

Carol

Lynne

Paul

Intrusion

Carol Fung 8

FrameworkThree components:

• Joining the network

• Trust establishment

• Consultation

Bob

Alice

Paul

KenCarol

JuliaRequest to Join

Accept + acquaintance list

Bob

CA

RegisterPublic key

+ Private key

Verification

Carol Fung 9

FrameworkThree components:

• Join the network

• Trust establishment

• Test phase

• Consultation

Alice

Paul

Ken

Carol

Julia

Bob

What is the risk of

this alert?

<Alert description >

(Answer: High)

high

high

high

high

Low

Ken is

not

reliable

test1

test1

test1

test1

test1

0.1

0.9

0.9

1.0

0.7

Carol Fung 10

FrameworkThree components:

• Join the network

• Trust establishment

• Consultation

Alice

Paul

Ken

Carol

Julia

Bob

What is the risk of

this alert?

<Alert description…>

(Real Case)

high

Low

Low

Low

Low

Should

be low

risk

1.0

0.1

0.9

0.90.7

Request

Request

Request

Request

Request

Carol Fung 11

Trust EstablishmentTrust level is built on history

• Satisfactory level of past

feedbacks

• Helpfulness

333

2332

2

λλ

λλ

++

++=TrustLevel

FeedbackExpected

Answer

Satisfaction

Level

High High 3

Medium High 1

Low High 0

Paul’s History

Feedback1:

2

Feedback2:

3

Feedback3:

3

333

233

++

++=TrustLevel

Naive!

Carol Fung 12

Integration of Don’t KnowsReply “don’t know” is allowed

• Trust value will approach to the level of stranger

Fully trustable

Not trustable

Stranger

)1(11

mstranger

mwofinal

xTxTT +−=

Percentage of don’t knows100%

0.5

0.4

20%

Carol Fung 13

Feedback Aggregation

Depends on:

• Peers’ trust values

• Trust weight

• Peer’s location

• Proximity weight

Carol Fung 14

Feedback Aggregation

• Weighted average

• Threshold

Name Trust Proximity Ranking

Alice 1 1 (Waterloo) High(3)

Carol 0.9 1 (Waterloo) High(3)

Julia 0.9 0.9 (Toronto) High(3)

Ken 0.1 0.7 (US) Low(1)

Paul 0.7 0.7 (US) Medium(2)

85.2

7.07.09.09.019.011

7.07.029.09.0319.03113

=

⋅+⋅+⋅+⋅

⋅⋅+⋅⋅+⋅⋅+⋅⋅=ngfinalRanki

High Risk!

Carol Fung 15

Threat Model

• Sybil Attack

• New Comer Attack

• Identity Cloning Attack

• Betrayal Attack

• Collusion Attack

Carol Fung 16

Sybil Attack

Dummy

Dummy

Dummy

Dummy

One IP

address

per ID!

Carol Fung 17

New Comer Attack

New comer (0.2)

Considered

Considered

Considered

Considered

Considered

Considered

Ignored

Carol Fung 18

Identity Cloning AttackI am Alice

Trusted

Trusted

TrustedTrusted

Trusted

Trusted

(Sessionkey+Signature)BobPubKey

This session key is not from Alice

Carol Fung 19

Betrayal AttackTrustedMalicious

Alice 1.0

Carol 1.0

Lynne 0.9

Paul 0.7

Carol 1.0

Lynne 0.9

Paul 0.7

Alice 0.3

Trust is easy to lose and hard to gain

Carol Fung 20

Collusion AttackTrusted Trusted

Trusted

Trusted

Trusted

Trusted

Trusted

Inconsistent

alert ranking!

Request for

alert ranking

Test message!

Malicious

peers are

uncovered!

Carol Fung 21

What’s Next?

• Simulation design and implementation

• Design more sophisticated trust

management model

• Alert categorization

• Expertise in intrusion detection

Carol Fung 22

Conclusion

• Proposed a trust-based IDS collaboration model

• More accurate intrusion detection

• Robust to several attacks

• Novel ideas

• Use of test messages in trust establishment

• Integration of “don’t knows” into trust value

• Introduction of proximity

• Aggregation threshold