DocumentCode :
2080438
Title :
A Novelty-Driven Approach to Intrusion Alert Correlation Based on Distributed Hash Tables
Author :
Hofmann, Alexander ; Dedinski, Ivan ; Sick, Bernhard ; de Meer, Hermann
Author_Institution :
Univ. of Passau, Passau
fYear :
2007
fDate :
1-4 July 2007
Firstpage :
71
Lastpage :
78
Abstract :
Distributed intrusion detection and prevention plays an increasingly important role in securing computer networks. In a distributed intrusion detection system, alerts or high-level meta-alerts are exchanged, aggregated, and correlated in a cooperative fashion to overcome the limitations of conventional intrusion detection systems. Substantial progress has been made, but current systems still suffer from various drawbacks: most of them only distribute the data collection and not the analysis itself, or they rely on a hierarchical or even centralized organization and/or communication architecture. Furthermore, the alerts or meta-alerts are usually aggregated at a pre-defined location, and there is no reduction of the vast amount of alerts prior to distribution. Consequently, scalability is limited, and any central component in the architecture introduces a "single point of failure". We propose a completely distributed intrusion detection system based on distributed hash tables to efficiently exchange and aggregate alerts and meta-alerts in a cooperative, self-organizing, and load-balanced way. Independent intrusion detection agents publish their alerts based on a new novelty measure for alerts, which prohibits the distribution of already known and hence worthless knowledge. The benefits of our approach are evaluated for a well-known probing attack.
Keywords :
computer networks; cryptography; table lookup; computer network security; distributed hash table; distributed intrusion detection system; intrusion alert correlation; meta-alerts; Aggregates; Centralized control; Computer networks; Computer science; Information security; Intrusion detection; Mathematics; Mobile communication; Scalability; Stability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computers and Communications, 2007. ISCC 2007. 12th IEEE Symposium on
Conference_Location :
Aveiro
ISSN :
1530-1346
Print_ISBN :
978-1-4244-1520-5
Electronic_ISBN :
1530-1346
Type :
conf
DOI :
10.1109/ISCC.2007.4381564
Filename :
4381564