• DocumentCode
    2441350
  • Title

    Collaborative Intrusion Prevention

  • Author

    Chung, Simon P. ; Mok, Aloysius K.

  • Author_Institution
    Univ. of Texas at Austin, Austin
  • fYear
    2007
  • fDate
    18-20 June 2007
  • Firstpage
    395
  • Lastpage
    400
  • Abstract
    Intrusion prevention systems (IPSs) have long been proposed as a defense against attacks that propagate too fast for any manual response to be useful. In an important class of IPSs, the host-based IPSs, honeypots are used to collect information about attacks. The collected information will then be analyzed to generate countermeasures against the observed attack. Unfortunately, these IPSs can be rendered useless by techniques that allow the honeypots in a network to be identified ([1, 9]). In particular, attacks can be designed to avoid targeting the identified honeypots. As a result, the IPSs will have no information about the attacks, and thus no countermeasure will ever be generated. The use of honeypots is also creating other practical issues which limit the usefulness/feasibility of many host-based IPSs. We propose to solve these problems by duplicating the detection and analysis capability on every protected system; i.e., turning every host into a honeypot. In this paper, we will first lay out the necessary features of any scheme for such large scale collaboration in intrusion prevention, then we will present a framework called collaborative intrusion prevention (CIP) for realizing our idea of turning every host into a honeypot.
  • Keywords
    groupware; security of data; collaborative intrusion prevention system; honeypots; Application software; Collaboration; Computer crime; Information analysis; Large-scale systems; Performance analysis; Production systems; Protection; Software libraries; Turning;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Enabling Technologies: Infrastructure for Collaborative Enterprises, 2007. WETICE 2007. 16th IEEE International Workshops on
  • Conference_Location
    Evry
  • ISSN
    1524-4547
  • Print_ISBN
    978-0-7695-2879-3
  • Type

    conf

  • DOI
    10.1109/WETICE.2007.4407197
  • Filename
    4407197