Title :
A framework for large-scale simulation of collaborative intrusion detection systems
Author :
Fisch, Dominik ; Hofmann, Alexander ; Hornik, Valentin ; Dedinski, Ivan ; Sick, Bernhard
Author_Institution :
Inst. of Comput. Archit., Univ. of Passau, Passau
Abstract :
Distributed intrusion detection and prevention play an increasingly important role in securing computer networks. In a distributed intrusion detection system, information about the current situation and knowledge about attacks are exchanged, aggregated, fused, and correlated in a cooperative manner to overcome the limitations of conventional centralized intrusion detection systems. However, this distributed approach introduces new challenges such as self-organization and efficient communication techniques. In this paper we propose a novel framework for developing, simulating, and deploying a distributed intrusion detection system that consists of several collaborating agents. The framework provides a programming interface and comprises all essential communication and synchronization methods that enable self-organized collaboration in a completely distributed manner. In two experiments we demonstrate the performance and capabilities of our implementation by simulating a large-scale worm outbreak and a one-to-many attack. Furthermore, we present two applications of our framework to show how collaboration of agents can be used to detect one-to-many attacks and how detection performance benefits from cooperation of agents.
Keywords :
security of data; software agents; synchronisation; collaborative intrusion detection systems; computer network security; conventional centralized intrusion detection systems; distributed intrusion detection; large-scale simulation; programming interface; self-organized collaboration; synchronization methods; Application software; Collaboration; Computational modeling; Computer architecture; Computer networks; Computer simulation; Data acquisition; Data analysis; Intrusion detection; Large-scale systems;
Conference_Title :
Soft Computing in Industrial Applications, 2008. SMCia '08. IEEE Conference on
Conference_Location :
Muroran
Print_ISBN :
978-1-4244-3782-5
Electronic_ISBN :
978-4-9904-2590-6
DOI :
10.1109/SMCIA.2008.5045947