Title :
Selective and Early Threat Detection in Large Networked Systems
Author :
Colajanni, Michele ; Marchetti, Mirco ; Messori, Michele
Author_Institution :
Dept. of Inf. Eng., Univ. of Modena & Reggio Emilia, Modena, Italy
Date :
June 29 2010-July 1 2010
Abstract :
The complexity of modern networked information systems, as well as defense-in-depth best practices, requires distributed intrusion detection architectures that rely on the cooperation of multiple components. Such solutions multiply the number of alerts, thus increasing the time needed for alert management and hiding the few critical alerts like needles in a haystack. We propose an innovative distributed architecture for intrusion detection that is able to provide system administrators with selective and early security warnings. This architecture is suitable for large networks composed of several departments because it leverages hierarchical and peer-to-peer cooperation schemes among distributed NIDSes. Moreover, it embeds a distributed alert ranking system that makes it possible to evaluate the real level of risk represented by a security alert generated by a NIDS, and it allows independent network departments to exchange early warnings about critical threats. Thanks to these features, a system administrator can focus on the few alerts that represent a real threat to the controlled infrastructure and can be notified about the most dangerous intrusions before his department is attacked.
Keywords :
peer-to-peer computing; security of data; telecommunication network management; telecommunication security; alert management; distributed alert ranking system; distributed intrusion detection architectures; early security warnings; networked information systems complexity; peer-to-peer cooperation schemes; selective security warnings; system administrators; threat detection; Computer architecture; Databases; Intrusion detection; Monitoring; Servers; Software; Alert ranking; distributed IDS; early warning; intrusion detection systems
Conference_Title :
Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on
Conference_Location :
Bradford
Print_ISBN :
978-1-4244-7547-6
DOI :
10.1109/CIT.2010.124