IDS

In our work, we assume that the monitored network is covered by multiple heterogeneous IDS nodes. These nodes detect attacks and intrusions using different detection mechanisms and different types of input data (netflows, signatures, logs, etc.). We introduce a game-theoretical framework for distributed co-adaptation that rests on the following assumptions:
– Local self-monitoring - every IDS node must be capable of local reconfiguration, so that it can adapt to the current state of the network as prescribed by the proposed game model.
– Interoperability - the outputs of all nodes must be in a standardized format (e.g. the Intrusion Detection Message Exchange Format, IDMEF [4], specified in RFC 4765), so that nodes can interact even though their detection mechanisms differ. We refer to these outputs as events.
– Communication - maintaining robust and reliable communication among the IDS nodes is an essential assumption of the distributed collaboration. We discuss this aspect in more detail later in this section.
– Security - for security reasons, nodes do not disclose information about their internal state. Furthermore, a secure communication channel should be provided to reduce the possibility of an attacker manipulating the system.
– Traffic assumptions - strategic placement of IDS nodes in the network is important, so that the game model receives relevant information.
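The interoperability and security assumptions above are easiest to see with a concrete event exchange. The following Python example is added here and is not code from the paper or from any IDMEF implementation; it constructs two sample IDMEF alerts (a flow-anomaly node and a signature node reporting the same source host, with placeholder analyzer IDs, addresses from documentation ranges, and constructed timestamps) and normalizes them into a common event record that carries only the standardized IDMEF fields, so a node's internals never leak into what it shares. Malformed messages (wrong root element, missing Classification, illegal severity) are rejected rather than silently accepted, which matters because a collaborating node must treat a peer's events as untrusted input.

```python
"""Normalize IDMEF alerts from heterogeneous IDS nodes into common events (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IDMEF namespace and severity vocabulary as defined in RFC 4765.
IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
SEVERITIES = {"info", "low", "medium", "high"}


class IdmefError(ValueError):
    """Raised for messages that do not carry the minimum a peer must provide."""


@dataclass(frozen=True)
class Event:
    """Only standardized fields: nothing about the emitting node's internal state."""
    analyzer_id: str
    analyzer_name: Optional[str]
    create_time: str
    classification: str
    severity: Optional[str]
    sources: Tuple[str, ...]
    targets: Tuple[str, ...]


def _addresses(parent: ET.Element) -> Tuple[str, ...]:
    """Collect Node/Address/address strings below a Source or Target element."""
    found = parent.findall("idmef:Node/idmef:Address/idmef:address", NS)
    return tuple(a.text.strip() for a in found if a.text)


def parse_idmef(xml_text: str) -> List[Event]:
    """Parse one IDMEF-Message and return its Alerts as Event records.

    Note: xml.etree is fine for this illustration; for real peer traffic use
    defusedxml (or an equivalent hardened parser) to resist entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IDMEF-Message" % IDMEF_NS:
        raise IdmefError("not an IDMEF-Message: %s" % root.tag)
    events = []
    for alert in root.findall("idmef:Alert", NS):
        analyzer = alert.find("idmef:Analyzer", NS)
        if analyzer is None or not analyzer.get("analyzerid"):
            raise IdmefError("Alert without Analyzer/analyzerid")
        ctime = alert.find("idmef:CreateTime", NS)
        classification = alert.find("idmef:Classification", NS)
        if ctime is None or not (ctime.text or "").strip():
            raise IdmefError("Alert without CreateTime")
        if classification is None or not classification.get("text"):
            raise IdmefError("Alert without Classification/text")
        impact = alert.find("idmef:Assessment/idmef:Impact", NS)
        severity = impact.get("severity") if impact is not None else None
        if severity is not None and severity not in SEVERITIES:
            raise IdmefError("illegal severity: %s" % severity)
        events.append(Event(
            analyzer_id=analyzer.get("analyzerid"),
            analyzer_name=analyzer.get("name"),
            create_time=ctime.text.strip(),
            classification=classification.get("text"),
            severity=severity,
            sources=tuple(a for s in alert.findall("idmef:Source", NS) for a in _addresses(s)),
            targets=tuple(a for t in alert.findall("idmef:Target", NS) for a in _addresses(t)),
        ))
    return events


def correlate_by_source(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events from different nodes by source address (the common key the format gives us)."""
    by_source: Dict[str, List[Event]] = {}
    for ev in events:
        for src in ev.sources:
            by_source.setdefault(src, []).append(ev)
    return by_source


# Constructed sample messages (hypothetical node IDs, documentation IP ranges, placeholder ntpstamps).
SAMPLE_NETFLOW_ALERT = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="nf-0001">
    <Analyzer analyzerid="netflow-probe-1" name="flow-anomaly"/>
    <CreateTime ntpstamp="0xd37705f5.0x00000000">2012-06-04T10:01:25Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.5</address></Address></Node></Target>
    <Classification text="Horizontal port scan"/>
    <Assessment><Impact severity="medium"/></Assessment>
  </Alert>
</IDMEF-Message>"""

SAMPLE_SIGNATURE_ALERT = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="sig-0042">
    <Analyzer analyzerid="snort-sensor-2" name="signature-ids"/>
    <CreateTime ntpstamp="0xd37705fa.0x00000000">2012-06-04T10:01:30Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.5</address></Address></Node>
      <Service><port>22</port></Service></Target>
    <Classification text="SSH brute force"/>
    <Assessment><Impact severity="high"/></Assessment>
  </Alert>
</IDMEF-Message>"""

SAMPLE_MISSING_CLASSIFICATION = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="bad-0001">
    <Analyzer analyzerid="rogue-node"/>
    <CreateTime ntpstamp="0xd37705fa.0x00000000">2012-06-04T10:01:30Z</CreateTime>
  </Alert>
</IDMEF-Message>"""

if __name__ == "__main__":
    evs = parse_idmef(SAMPLE_NETFLOW_ALERT) + parse_idmef(SAMPLE_SIGNATURE_ALERT)
    for src, group in correlate_by_source(evs).items():
        print(src, [(e.analyzer_id, e.classification, e.severity) for e in group])
```

Because both nodes speak IDMEF, the correlation step can key on the source address without knowing whether the evidence came from flow statistics or from a packet signature, which is exactly what the interoperability assumption buys; the strict rejection of incomplete messages is the minimal input validation any node should apply to events it receives over the shared channel.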


International Conference on Autonomous Infrastructure, Management and Security, & Sadre, R. (2012). Dependable networks and services: 6th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012, Luxembourg, Luxembourg, June 4-8, 2012: proceedings. Heidelberg: Springer.