May 20, 2015

A consensus based network intrusion detection system

arXiv:1505.05288v2, 29 citations
Originality: Incremental advance
AI Analysis

This addresses scalability and security issues in network intrusion detection for network administrators, but it is incremental as it builds on existing anomaly-based and consensus methods.

The paper tackles the problem that centralized network intrusion detection systems are not scalable and are vulnerable to a single point of failure. It proposes a fully distributed system built on naive Bayes classifiers and iterative average consensus, and evaluates it in DDoS attack simulations, comparing accuracy, communication costs, and convergence speed against a hierarchical system.

Network intrusion detection is the process of identifying malicious behaviors that target a network and its resources. Current systems implementing intrusion detection processes observe traffic at several data collecting points in the network, but analysis is often centralized or partly centralized. These systems are not scalable and suffer from a single point of failure, i.e. attackers only need to target the central node to compromise the whole system. This paper proposes an anomaly-based fully distributed network intrusion detection system where analysis is run at each data collecting point using a naive Bayes classifier. Probability values computed by each classifier are shared among nodes using an iterative average consensus protocol. The final analysis is performed redundantly and in parallel at the level of each data collecting point, thus avoiding the single point of failure issue. We run simulations focusing on DDoS attacks with several network configurations, comparing the accuracy of our fully distributed system with a hierarchical one. We also analyze communication costs and convergence speed during consensus phases.
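The consensus phase the abstract describes, as an added example that is not the paper's code: each monitoring node holds a local naive Bayes posterior P(attack), the nodes iterate an average consensus over a constructed topology, and every node then thresholds its own converged value, so no central node is needed. The topology, the local posteriors and the Metropolis weighting scheme are assumptions; the page does not give the paper's network configurations, classifier features or weights.

```python
"""Added example (not the paper's code): iterative average consensus over
local naive Bayes attack posteriors, as the abstract describes."""

# Constructed monitoring topology (node -> neighbours); the real topology
# and classifier features are not on the page.
TOPOLOGY = {
    0: {1, 2},
    1: {0, 2, 3},
    2: {0, 1, 4},
    3: {1, 4},
    4: {2, 3},
}

# Constructed local P(attack | local traffic) from each node's naive Bayes
# classifier; nodes 3 and 4 are closest to the simulated DDoS traffic.
LOCAL_POSTERIORS = {0: 0.20, 1: 0.35, 2: 0.40, 3: 0.95, 4: 0.80}

def metropolis_weights(topology):
    """Metropolis weights are doubly stochastic on any connected undirected
    graph, so the iteration converges to the exact average. The paper's
    own weighting scheme is not given on the page (assumption)."""
    weights = {}
    for i, nbrs in topology.items():
        row = {j: 1.0 / (1 + max(len(nbrs), len(topology[j]))) for j in nbrs}
        row[i] = 1.0 - sum(row.values())
        weights[i] = row
    return weights

def average_consensus(topology, values, tol=1e-4, max_iters=1000):
    """Iterate x_i <- sum_j w_ij * x_j until all nodes agree within tol.
    Returns (final values, iterations, messages sent across all links)."""
    w = metropolis_weights(topology)
    x = dict(values)
    links = sum(len(n) for n in topology.values())  # one message per link per round
    for k in range(1, max_iters + 1):
        x = {i: sum(w[i][j] * x[j] for j in w[i]) for i in topology}
        if max(x.values()) - min(x.values()) < tol:
            return x, k, k * links
    return x, max_iters, max_iters * links

def distributed_verdict(topology, values, threshold=0.5):
    """Every node decides redundantly from its own consensus value."""
    x, iters, msgs = average_consensus(topology, values)
    return {i: x[i] > threshold for i in x}, iters, msgs

if __name__ == "__main__":
    print(distributed_verdict(TOPOLOGY, LOCAL_POSTERIORS))
```

With these constructed inputs node 0 alone would report no attack (0.20), but every node converges to the network-wide average 0.54 and raises the alarm; the message count shows the communication cost of the consensus phase.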
