TY - JOUR
T1 - Detection and mitigation of monitor identification attacks in collaborative intrusion detection systems
AU - Vasilomanolakis, E.
AU - Mühlhäuser, M.
PY - 2019
Y1 - 2019
AB - Collaborative defensive approaches such as collaborative intrusion detection system (CIDS) have emerged as a response to the continuous increase in the sophistication of cyberattacks. Such systems utilize a plethora of heterogeneous monitors to create a holistic picture of the monitored network. A number of research institutes deploy CIDSs that publish their alert data publicly over the Internet. This is important for researchers and security administrators, as such systems provide a source of real‐world alert data for experimentation. However, a class of identification attacks exists, namely probe‐response attacks (PRAs), which can significantly reduce the benefits of a CIDS. In particular, such attacks allow an adversary to detect the network location of the monitors of a CIDS. This article discusses the state of the art, with an emphasis on our previous and ongoing work, with regard to the detection and the mitigation of PRAs. We compare the most promising defensive mechanisms with respect to their effectiveness and the possible negative effects they might introduce to the CIDS. Finally, we provide a thorough discussion of research gaps and possible future directions for the field.
UR - http://www.scopus.com/inward/record.url?eid=2-s2.0-85058845618&partnerID=MN8TOARS
UR - http://www.scopus.com/inward/record.url?scp=85058845618&partnerID=8YFLogxK
U2 - 10.1002/nem.2059
DO - 10.1002/nem.2059
M3 - Journal article
SN - 1099-1190
VL - 29
JO - International Journal of Network Management (Online)
JF - International Journal of Network Management (Online)
IS - 2
M1 - e2059
ER -