Usage of Broadcast Messaging in a Distributed Hash Table for Intrusion Detection


Zoltán Czirkos (Budapest University of Technology and Economics, Hungary) and Gábor Hosszú (Budapest University of Technology and Economics, Hungary)
DOI: 10.4018/978-1-60960-836-1.ch003

Abstract

In this chapter, the authors present a novel peer-to-peer based intrusion detection system called Komondor, focusing on the internals of its peer-to-peer transport layer. The novelty of our intrusion detection system is that it is composed of independent software instances running on different hosts and organized into a peer-to-peer network; maintaining this overlay network requires no user interaction. The applied P2P overlay network model enables the nodes to communicate reliably over an unstable network. The base of our Komondor NIDS is a P2P network similar to Kademlia. To achieve high reliability and availability, we had to modify the Kademlia overlay network so that it is resistant to network failures and supports broadcast messages. The main purpose of this chapter is to present our modifications and enhancements to Kademlia.
Chapter Preview

Background

Intrusion Detection Systems

Network Intrusion Detection Systems (NIDS) are capable of supervising and protecting company-scale networks. One commercially available product is RealSecure (RealSecure, 2006), while Snort is an open source solution (Snort, 2002). Snort is based on a rule description language that supports matching on signatures, application-level network protocols, anomalies, and combinations of these. It acts as a probe (sensor) that inspects network traffic. It is highly configurable and can refresh its rule set regularly over the Internet, so new signatures and rules contributed by developers and users can be added to the software's rule database promptly.

Information collected by probes installed at different points of the network is particularly important for protection against network-scale attacks. Data collected by one probe alone may not be enough to conclude that an attack is taking place, but an analysis of all sensors' information taken together can reveal that the system is under attack. To let sensors exchange such information over the network, the Intrusion Detection Working Group (IDWG) of the Internet Engineering Task Force (IETF) developed the Intrusion Detection Message Exchange Format (IDMEF) (IETF, 2006), an XML-based format later published as RFC 4765.
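The two preceding paragraphs describe the pipeline a cooperative NIDS needs: a Snort-style rule fires on a sensor, the hit is exported as an IDMEF alert, and a peer that receives alerts from several sensors correlates them. The following is an added example, not code from the chapter or from Snort; it implements a deliberately minimal rule matcher (header fields and simple `key:value` options only, no payload inspection), emits hits as IDMEF `Alert` documents using the element names of RFC 4765, and flags sources reported by at least two distinct analyzers. The rule, the `$HOME_NET` binding, the sensor names and the connection records are constructed for the example.

```python
"""Added example: Snort-style rule match -> IDMEF alert -> cross-sensor correlation.
Rule syntax is a simplified subset; sample rule, variables and events are constructed."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

IDMEF_NS = "http://iana.org/idmef"  # namespace defined by RFC 4765

# Rule header: action proto src sport -> dst dport (options;)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Parse one rule into a dict; options become a key -> value map (quotes stripped)."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):  # simplified: no ';' inside option values
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def addr_matches(spec, addr, variables):
    """'any', a $VARIABLE bound to a CIDR list, a literal CIDR, or '!' negation of any of these."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], addr, variables)
    nets = variables[spec] if spec.startswith("$") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def port_matches(spec, port):
    """'any', a single port, or a 'low:high' range with either bound open."""
    if spec == "any":
        return True
    low, sep, high = spec.partition(":")
    lo = int(low) if low else 0
    hi = int(high) if high else (65535 if sep else lo)
    return lo <= port <= hi

def rule_matches(rule, event, variables):
    """Header-only match of a parsed rule against one connection record."""
    return (rule["proto"] in ("ip", event["proto"])
            and addr_matches(rule["src"], event["src"], variables)
            and port_matches(rule["sport"], event["sport"])
            and addr_matches(rule["dst"], event["dst"], variables)
            and port_matches(rule["dport"], event["dport"]))

def to_idmef(rule, event, analyzer_id, create_time):
    """Serialise one hit as an IDMEF-Message/Alert (element order as in RFC 4765)."""
    ET.register_namespace("idmef", IDMEF_NS)
    ns = "{%s}" % IDMEF_NS
    msg = ET.Element(ns + "IDMEF-Message", version="1.0")
    alert = ET.SubElement(msg, ns + "Alert",
                          messageid="%s-%s" % (analyzer_id, rule["opts"].get("sid", "0")))
    ET.SubElement(alert, ns + "Analyzer", analyzerid=analyzer_id)
    ET.SubElement(alert, ns + "CreateTime").text = create_time
    for role, key in (("Source", "src"), ("Target", "dst")):
        node = ET.SubElement(ET.SubElement(alert, ns + role), ns + "Node")
        address = ET.SubElement(node, ns + "Address", category="ipv4-addr")
        ET.SubElement(address, ns + "address").text = event[key]
    ET.SubElement(alert, ns + "Classification", text=rule["opts"].get("msg", ""))
    return ET.tostring(msg, encoding="unicode")

def parse_idmef(xml_text):
    """Extract the fields a receiving peer needs for correlation."""
    ns = {"idmef": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("idmef:Alert", ns)
    return {
        "analyzer": alert.find("idmef:Analyzer", ns).get("analyzerid"),
        "source": alert.find("idmef:Source/idmef:Node/idmef:Address/idmef:address", ns).text,
        "target": alert.find("idmef:Target/idmef:Node/idmef:Address/idmef:address", ns).text,
        "classification": alert.find("idmef:Classification", ns).get("text"),
    }

def correlate(alerts, min_sensors):
    """Sources that at least min_sensors distinct analyzers have reported."""
    seen = defaultdict(set)
    for a in map(parse_idmef, alerts):
        seen[a["source"]].add(a["analyzer"])
    return sorted(src for src, ids in seen.items() if len(ids) >= min_sensors)

# Constructed sample data (hypothetical rule, variable binding, sensors and connections).
VARIABLES = {"$HOME_NET": ["192.0.2.0/24"]}
RULE = 'alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"SSH connection from outside"; sid:1000001; rev:1;)'
EVENTS = [
    ("sensor-a", {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.10", "dport": 22}),
    ("sensor-b", {"proto": "tcp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.11", "dport": 22}),
    ("sensor-a", {"proto": "tcp", "src": "192.0.2.5", "sport": 40003, "dst": "192.0.2.10", "dport": 22}),
    ("sensor-c", {"proto": "tcp", "src": "203.0.113.9", "sport": 40004, "dst": "192.0.2.12", "dport": 22}),
]

def run(rule_text=RULE, events=EVENTS, variables=VARIABLES, min_sensors=2):
    """Match every event on its sensor, export hits as IDMEF, correlate across sensors."""
    rule = parse_rule(rule_text)
    alerts = [to_idmef(rule, ev, sensor, "2006-01-01T00:00:00Z")
              for sensor, ev in events if rule_matches(rule, ev, variables)]
    return alerts, correlate(alerts, min_sensors)

if __name__ == "__main__":
    alerts, flagged = run()
    print(len(alerts), "alerts; sources seen by >= 2 sensors:", flagged)
```

With the constructed events the internal-to-internal connection produces no alert, three alerts are emitted, and only `198.51.100.7` is reported by two different analyzers, which is exactly the "one probe is not enough, all sensors together are" situation the text describes. A real deployment would carry the CreateTime from the sensor clock (IDMEF also allows an `ntpstamp` attribute) and authenticate the transport between peers; this example does neither.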
