False alarms and timely identification of new attacks are two of the biggest challenges to the effective use of network intrusion detection systems (NIDS). A potential means for addressing these shortcomings in modern NIDS is employing multiple, distributed network intrusion detection systems (DNIDS). In this paper we consider the potential benefits of DNIDS by addressing two open problems. The first problem is how to combine data from multiple intrusion sensors in a network. This is known as the fusion problem. The second problem is how to identify the most important data provided by multiple sensors in a network. This is known as the filtering problem. We develop a series of analytic and simulation models to assess the potential benefits of DNIDS for reducing false alarms and improving timeliness of detection for different fusion and filtering strategies. Our analysis explores the trade-offs when fusion and filtering are used together and shows that significant improvements are possible.
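The abstract names the fusion problem and the trade-off between fewer false alarms and slower detection, but does not show it numerically. The following is an added illustration, not a model from the paper: it assumes a simple k-of-n voting fusion rule over independent sensors (a standard strategy, not necessarily one the authors evaluate), computes the fused false-alarm and detection probabilities analytically, simulates the resulting detection delay, and applies a hypothetical corroboration-count filter to rank events. All probabilities and event data are constructed for the example.

```python
from math import comb
import random

def k_of_n_alarm_prob(p, n, k):
    """Probability that at least k of n independent sensors alert,
    when each alerts with probability p (binomial upper tail)."""
    if not 0 <= p <= 1 or not 1 <= k <= n:
        raise ValueError("need 0<=p<=1 and 1<=k<=n")
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def fused_rates(p_fa, p_d, n, k):
    """Fused (false-alarm probability, detection probability) under a
    k-of-n voting rule. Raising k suppresses false alarms but also lowers
    the per-window detection probability, i.e. slows detection."""
    return k_of_n_alarm_prob(p_fa, n, k), k_of_n_alarm_prob(p_d, n, k)

def simulate_mean_delay(p_d, n, k, trials=20000, seed=1):
    """Monte Carlo estimate of the mean number of observation windows until
    the fused detector first fires during an ongoing attack. Each window,
    every sensor independently detects with probability p_d. The analytic
    value is 1 / fused detection probability (geometric distribution)."""
    rng = random.Random(seed)  # fixed seed: reproducible constructed run
    total = 0
    for _ in range(trials):
        t = 0
        while True:
            t += 1
            alerts = sum(rng.random() < p_d for _ in range(n))
            if alerts >= k or t > 10**6:
                break
        total += t
    return total / trials

def rank_by_corroboration(events, min_sensors=1):
    """Hypothetical filtering step: given {event_id: set(sensor_ids)},
    keep events seen by at least min_sensors sensors and rank them by how
    many sensors corroborate them (most corroborated first)."""
    kept = {e: len(s) for e, s in events.items() if len(s) >= min_sensors}
    return sorted(kept, key=lambda e: (-kept[e], e))

if __name__ == "__main__":
    n, p_fa, p_d = 3, 0.01, 0.9  # constructed sensor characteristics
    for k in range(1, n + 1):
        fa, det = fused_rates(p_fa, p_d, n, k)
        print(f"k={k}: false-alarm={fa:.6f} detection={det:.4f} "
              f"mean delay={simulate_mean_delay(p_d, n, k):.3f} windows")
    # constructed alerts: which sensors reported each event
    events = {"evt-A": {"s1"}, "evt-B": {"s1", "s2", "s3"}, "evt-C": {"s2", "s3"}}
    print(rank_by_corroboration(events, min_sensors=2))
```

Running it shows the trade-off in one table: with three sensors, moving from 1-of-3 to 2-of-3 voting cuts the false-alarm probability by two orders of magnitude while detection probability per window drops only slightly, whereas 3-of-3 drives false alarms to near zero at the cost of noticeably longer mean detection delay.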