Global Intrusion Detection in the DOMINO Overlay System
Sharing data between widely distributed intrusion detection systems
offers the possibility of significant improvements in speed and
accuracy over isolated systems. In this paper, we describe and
evaluate DOMINO (Distributed Overlay for Monitoring Internet Outbreaks),
an architecture for a distributed intrusion detection
system that fosters collaboration among heterogeneous nodes organized
as an overlay network. The overlay design enables DOMINO to be
heterogeneous, scalable, and robust to attacks and failures. An
important component of DOMINO's design is the use of active-sink nodes
which respond to and measure connections to unused IP addresses. This
enables efficient detection of attacks from spoofed IP sources,
reduces false positives, and enables attack classification and production
of timely blacklists.
We evaluate the capabilities and performance of DOMINO using a large
set of intrusion logs collected from over 1600 providers across the
Internet. Our analysis demonstrates the significant marginal benefit
obtained from distributed intrusion data sources coordinated through a
system like DOMINO. We also evaluate how to configure DOMINO in order
to maximize performance gains from the perspectives of blacklist
length, blacklist freshness and IP proximity. We perform a
retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer
epidemics that highlights how information exchange through DOMINO
would have reduced the reaction time and false-alarm rates during
outbreaks. Finally, we provide preliminary results from our prototype
active-sink deployment that illustrate the limited variability in the
sink traffic and the feasibility of efficient classification and
discrimination of attack types.
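To make the blacklist trade-offs named above concrete, the following is an added example (not code from the paper or the DOMINO prototype) that aggregates constructed sink observations from several overlay nodes, ranks sources by how many distinct nodes corroborate them within a freshness window, truncates to a chosen blacklist length, and measures how much earlier a single node would learn of a source through sharing than from its own logs. Node names, IP addresses and timestamps are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of shared sink observations: (reporting node, source IP,
# ISO timestamp). Illustrative values only, not data from the paper.
LOGS = [
    ("sink-A", "198.51.100.7", "2003-01-25T05:30:00"),
    ("sink-B", "198.51.100.7", "2003-01-25T05:31:00"),
    ("sink-C", "198.51.100.7", "2003-01-25T05:32:00"),
    ("sink-A", "203.0.113.9", "2003-01-25T05:33:00"),
    ("sink-B", "203.0.113.9", "2003-01-24T01:00:00"),  # older than the window
    ("sink-C", "192.0.2.5", "2003-01-25T05:34:00"),
]


def _parse(logs):
    return [(node, ip, datetime.fromisoformat(ts)) for node, ip, ts in logs]


def build_blacklist(logs, now_iso, freshness_s, min_reporters, max_len):
    """Rank sources by the number of distinct nodes that reported them within
    the last freshness_s seconds; keep those with at least min_reporters
    corroborating nodes, truncated to max_len entries (ties broken by IP)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(seconds=freshness_s)
    reporters = defaultdict(set)
    for node, ip, t in _parse(logs):
        if t >= cutoff:
            reporters[ip].add(node)
    ranked = sorted(reporters, key=lambda ip: (-len(reporters[ip]), ip))
    return [ip for ip in ranked if len(reporters[ip]) >= min_reporters][:max_len]


def first_seen(logs, ip, node=None):
    """Earliest observation of ip by one node, or by the whole overlay (node=None)."""
    times = [t for n, i, t in _parse(logs) if i == ip and (node is None or n == node)]
    return min(times) if times else None


def reaction_gain(logs, ip, node):
    """Seconds earlier that `node` learns of ip via the overlay than on its own;
    None if either view never saw the source."""
    alone, shared = first_seen(logs, ip, node), first_seen(logs, ip)
    if alone is None or shared is None:
        return None
    return (alone - shared).total_seconds()


if __name__ == "__main__":
    print(build_blacklist(LOGS, "2003-01-25T06:00:00", 3600, 2, 10))
    print(reaction_gain(LOGS, "198.51.100.7", "sink-C"))
```

Raising `min_reporters` shortens the list and suppresses sources seen by only one sink, which is the false-positive lever; shrinking `freshness_s` drops stale corroboration such as the day-old sink-B report above.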
Somesh Jha
Last modified: Mon Jan 12 17:56:10 CST 2004