Journal: International Journal of Network Management

Detection and mitigation of monitor identification attacks in collaborative intrusion detection systems



Abstract

Collaborative defensive approaches such as collaborative intrusion detection system (CIDS) have emerged as a response to the continuous increase in the sophistication of cyberattacks. Such systems utilize a plethora of heterogeneous monitors to create a holistic picture of the monitored network. A number of research institutes deploy CIDSs that publish their alert data publicly over the Internet. This is important for researchers and security administrators, as such systems provide a source of real-world alert data for experimentation. However, a class of identification attacks exists, namely probe-response attacks (PRAs), which can significantly reduce the benefits of a CIDS. In particular, such attacks allow an adversary to detect the network location of the monitors of a CIDS. This article discusses the state of the art, with an emphasis on our previous and ongoing work, with regard to the detection and the mitigation of PRAs. We compare the most promising defensive mechanisms with respect to their effectiveness and the possible negative effects they might introduce to the CIDS. Finally, we provide a thorough discussion of research gaps and possible future directions for the field.
