When Gossip is Good: Distributed Inference for Network Intrusion Detection
When firewalls fail to protect the network, end hosts must be viewed as a last line of defense. We examine the strategy of placing intrusion detection capabilities at end hosts in an enterprise network. Our approach extends the idea of using collaborative IDS to corroborate the likelihood of attack. Specifically, we imbue hosts with the ability to perform probabilistic inference in a fully distributed fashion, using random messaging to gossip state among peer detectors. As a result, they are able to correlate weak beliefs generated at end hosts into stronger evidence of network-wide attacks. We examine the tradeoffs between centralized and distributed architectures and attempt to balance message diffusion, inference accuracy, and bandwidth requirements. Simulations show that our system outperforms state-of-the-art intrusion detectors that act alone, as well as detectors that merely use counting as the basis to corroborate belief. We show not only faster time to detection at lower false positive rates, but also that these results can be further improved with a scheme of biased messaging that facilitates quicker belief propagation using less bandwidth. Most importantly, our system exhibits the ability to detect worms that are an order of magnitude slower than otherwise possible.
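To make the abstract's central idea concrete, the following is an added illustration (not the DDI project's protocol, inference model, or simulator) of how weak per-host beliefs can be gossiped and combined into a confident network-wide detection, and why a plain counting baseline misses the same attack. The scenario (12 hosts, 4 of which each observe weak evidence), the naive-Bayes log-odds combination, the alert threshold, and the "biased" variant (hosts that hold evidence send first and prefer peers they have not yet contacted) are all constructed assumptions for the example; the paper's own biased-messaging scheme is not described on this page.

```python
"""Gossip-based aggregation of weak per-host intrusion beliefs (added illustration).

Constructed scenario: a few end hosts each see only weak evidence of an attack.
Hosts exchange their evidence with peers via push-pull gossip and combine it with
a naive-Bayes log-odds sum, so beliefs no single host would act on become a
confident detection. A counting baseline (how many hosts alert alone) is shown
for comparison. Assumed model, not the DDI project's protocol.
"""
import math
import random
from dataclasses import dataclass, field

ALERT_THRESHOLD = 0.9  # posterior P(attack) at which a host raises an alarm (assumed)


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def combined_belief(llrs):
    """Posterior P(attack) from independent log-likelihood ratios, prior odds 1:1."""
    return sigmoid(sum(llrs))


@dataclass
class Host:
    hid: int
    local_llr: float                               # this host's own (weak) evidence
    evidence: dict = field(default_factory=dict)   # host id -> llr; keyed by id so gossip never double-counts
    contacted: set = field(default_factory=set)    # peers already exchanged with (used by the biased variant)

    def __post_init__(self):
        if self.local_llr != 0.0:
            self.evidence[self.hid] = self.local_llr

    def belief(self):
        return combined_belief(self.evidence.values())

    def merge(self, other_evidence):
        self.evidence.update(other_evidence)


def build_scenario(n_hosts=12, witnesses=(0, 3, 7, 9), weak_llr=1.0):
    """Constructed input: 4 of 12 hosts each hold LLR 1.0 (P(attack) ~ 0.73), the rest see nothing."""
    return [Host(i, weak_llr if i in witnesses else 0.0) for i in range(n_hosts)]


def counting_alerts(hosts):
    """Baseline: number of hosts that would alert on their own evidence alone."""
    return sum(1 for h in hosts if sigmoid(h.local_llr) > ALERT_THRESHOLD)


def gossip_until_detect(hosts, seed=0, biased=False, max_rounds=50):
    """Run push-pull gossip; return (round_of_first_alert, messages_sent, converged).

    Uniform mode: every host exchanges state with one random peer per round.
    Biased mode (assumed for illustration): only hosts holding evidence send, and
    they prefer peers they have not contacted yet, which spreads evidence faster
    while quiet hosts stay silent and save bandwidth.
    """
    rng = random.Random(seed)
    full_evidence = {h.hid: h.local_llr for h in hosts if h.local_llr != 0.0}
    messages, detected_at = 0, None
    for rnd in range(1, max_rounds + 1):
        for h in hosts:
            others = [p for p in hosts if p is not h]
            if biased:
                if not h.evidence:
                    continue                      # nothing to say: stay quiet
                fresh = [p for p in others if p.hid not in h.contacted]
                peer = rng.choice(fresh or others)
            else:
                peer = rng.choice(others)
            snapshot = dict(h.evidence)           # push-pull: both sides end with the union
            h.merge(peer.evidence)
            peer.merge(snapshot)
            h.contacted.add(peer.hid)
            peer.contacted.add(h.hid)
            messages += 2
        if detected_at is None and any(h.belief() > ALERT_THRESHOLD for h in hosts):
            detected_at = rnd
        if all(h.evidence == full_evidence for h in hosts):
            return detected_at, messages, True
    return detected_at, messages, False


def run_comparison(seed=7):
    """Counting baseline vs. uniform gossip vs. biased gossip on the same constructed scenario."""
    return {
        "counting_alerts": counting_alerts(build_scenario()),
        "uniform": gossip_until_detect(build_scenario(), seed=seed),
        "biased": gossip_until_detect(build_scenario(), seed=seed + 1, biased=True),
    }


if __name__ == "__main__":
    print(run_comparison())
```

With four witnesses at LLR 1.0, no host alerts alone (0.73 < 0.9) and the counting baseline reports zero alerts, yet any host that has gathered three or more pieces of evidence exceeds the threshold (sigmoid(3) ~ 0.95), so gossip detects within a few rounds. Keying evidence by originating host id is the detail that matters in practice: without it, the same observation echoing around the network would be counted repeatedly and inflate the posterior.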
Eve Schooler joined Intel in 2005. She is a Senior Research Scientist and the Principal Investigator leading the Distributed Detection and Inference (DDI) project, a strategic research project (SRP) that focuses on distributed network anomaly detection in large-scale enterprise networks. Her broad interests lie at the intersection of distributed systems, networking, and scalable group algorithm design. In addition, she enjoys finding excuses to combine technology with the arts, particularly with music. Eve obtained her BS from Yale University, an MS from UCLA, and a PhD from Caltech, all in Computer Science. Prior to Intel, she worked at AT&T Labs-Research, Information Sciences Institute (ISI), and Apollo Computers.