trust management for host- based collaborative intrusion ... · carol 1.0 lynne 0.9 paul 0.7 carol...
TRANSCRIPT
Trust Management for Host-
based Collaborative
Intrusion Detection
Carol Fung, Olga Baysal, Jie Zhang, Issam Aib and Raouf Boutaba
David R. Cheriton School of Computer Science
University of Waterloo
Carol Fung 2
Outline
• Introduction
• Motivation
• Trust Model
• Robustness
• Attacks Prevention
• Conclusions
Carol Fung 3
Introduction
• The worldwide impact of malicious intrusions is
estimated to be over $10 Billion annually
• Intrusions include viruses/worms, spyware,
spam, DoS, unauthorized login.
• Traditional isolated IDSes are inefficient in
detection unknown intrusions.
Carol Fung 4
Benefits of IDS Collaboration
• Accurate alert ranking
• Effective intrusion detection and
prevention
• Worm spreading warning
Carol Fung 5
Related Work
• Current collaborative architectures have strong assumptions on the trustworthiness (all IDSes are trusted and faithfully report intrusion events) [1,2,3,4]
• Used trust models are naïve [5, 6]
• Many efficient trust management models in other areas such as e-market and P2P networks [7,8,9]
Carol Fung 6
Contribution
1. Build a trust management model for IDS
collaboration
2. Propose a framework for efficient
collaboration of IDSes
Carol Fung 7
Scenario
Waterloo alliance
Kitchener alliance
Alice
Carol
Lynne
Paul
Intrusion
Carol Fung 8
FrameworkThree components:
• Joining the network
• Trust establishment
• Consultation
Bob
Alice
Paul
KenCarol
JuliaRequest to Join
Accept + acquaintance list
Bob
CA
RegisterPublic key
+ Private key
Verification
Carol Fung 9
FrameworkThree components:
• Join the network
• Trust establishment
• Test phase
• Consultation
Alice
Paul
Ken
Carol
Julia
Bob
What is the risk of
this alert?
<Alert description >
(Answer: High)
high
high
high
high
Low
Ken is
not
reliable
test1
test1
test1
test1
test1
0.1
0.9
0.9
1.0
0.7
Carol Fung 10
FrameworkThree components:
• Join the network
• Trust establishment
• Consultation
Alice
Paul
Ken
Carol
Julia
Bob
What is the risk of
this alert?
<Alert description…>
(Real Case)
high
Low
Low
Low
Low
Should
be low
risk
1.0
0.1
0.9
0.90.7
Request
Request
Request
Request
Request
Carol Fung 11
Trust EstablishmentTrust level is built on history
• Satisfactory level of past
feedbacks
• Helpfulness
333
2332
2
λλ
λλ
++
++=TrustLevel
FeedbackExpected
Answer
Satisfaction
Level
High High 3
Medium High 1
Low High 0
Paul’s History
Feedback1:
2
Feedback2:
3
Feedback3:
3
333
233
++
++=TrustLevel
Naive!
Carol Fung 12
Integration of Don’t KnowsReply “don’t know” is allowed
• Trust value will approach to the level of stranger
Fully trustable
Not trustable
Stranger
)1(11
mstranger
mwofinal
xTxTT +−=
Percentage of don’t knows100%
0.5
0.4
20%
Carol Fung 13
Feedback Aggregation
Depends on:
• Peers’ trust values
• Trust weight
• Peer’s location
• Proximity weight
Carol Fung 14
Feedback Aggregation
• Weighted average
• Threshold
Name Trust Proximity Ranking
Alice 1 1 (Waterloo) High(3)
Carol 0.9 1 (Waterloo) High(3)
Julia 0.9 0.9 (Toronto) High(3)
Ken 0.1 0.7 (US) Low(1)
Paul 0.7 0.7 (US) Medium(2)
85.2
7.07.09.09.019.011
7.07.029.09.0319.03113
=
⋅+⋅+⋅+⋅
⋅⋅+⋅⋅+⋅⋅+⋅⋅=ngfinalRanki
High Risk!
Carol Fung 15
Threat Model
• Sybil Attack
• New Comer Attack
• Identity Cloning Attack
• Betrayal Attack
• Collusion Attack
Carol Fung 16
Sybil Attack
Dummy
Dummy
Dummy
Dummy
One IP
address
per ID!
Carol Fung 17
New Comer Attack
New comer (0.2)
Considered
Considered
Considered
Considered
Considered
Considered
Ignored
Carol Fung 18
Identity Cloning AttackI am Alice
Trusted
Trusted
TrustedTrusted
Trusted
Trusted
(Sessionkey+Signature)BobPubKey
This session key is not from Alice
Carol Fung 19
Betrayal AttackTrustedMalicious
Alice 1.0
Carol 1.0
Lynne 0.9
Paul 0.7
Carol 1.0
Lynne 0.9
Paul 0.7
Alice 0.3
Trust is easy to lose and hard to gain
Carol Fung 20
Collusion AttackTrusted Trusted
Trusted
Trusted
Trusted
Trusted
Trusted
Inconsistent
alert ranking!
Request for
alert ranking
Test message!
Malicious
peers are
uncovered!
Carol Fung 21
What’s Next?
• Simulation design and implementation
• Design more sophisticated trust
management model
• Alert categorization
• Expertise in intrusion detection
Carol Fung 22
Conclusion
• Proposed a trust-based IDS collaboration model
• More accurate intrusion detection
• Robust to several attacks
• Novel ideas
• Use of test messages in trust establishment
• Integration of “don’t knows” into trust value
• Introduction of proximity
• Aggregation threshold