
Chapter 4 Simulation and Security Analyses

4.2 Security Analyses

The two-phase collaborative mechanism provides effective collaboration between the IDSs. However, the trust management and the collaborative properties inside it may become the target of attacks and be compromised. The following paragraphs describe the possible attacks and how the proposed mechanism defends against them.

The first is the Sybil attack, which occurs when an IDS creates a large number of fake identities. These are used to provide false alert rankings and so exert an unfavorable influence.

The authentication mechanism is designed to defend against this attack. It is difficult for an IDS to register with the CA, since one virtual host has only one HIDS and the number of NIDSs is controlled by administrators instead of growing automatically. Moreover, because of the trust management in each IDS, all the fake identities would need to build up their trust before they could affect the decisions of others.

[Figure: detection accuracy (70% to 100%) of the OSSEC, snort and bro simulators at p=0.2, p=0.5 and p=0.8]

The second is the identity cloning attack, which occurs when an IDS steals the identity of another one and tries to communicate with others under it. This is defended by the asymmetric encryption between IDSs, each of which holds a pair of public and private keys. The CA certifies the ownership of each key, and the authenticity of identities is protected in this way.

The third is the newcomer attack, which occurs when a malicious IDS easily re-registers with the CA as a newcomer in order to erase the bad history that others hold about it. Registering with the CA is difficult, as mentioned above, and the default trust value of a newcomer is low. Such authentication and trust management defend against this attack.

The fourth is the betrayal attack, which occurs when a trustworthy IDS suddenly turns into a malicious one and starts providing false feedback or even malware. This is defended by the trust management model adopting , and . The trust value of a node decreases dramatically and immediately when it changes its behavior from honest to dishonest.

The fifth is the collusion attack, which occurs when a group of malicious IDSs cooperate in sending false feedback to others. The proposed mechanism can be affected by this attack. The reason is that there is no similar test message for checking the trust-value or ability-value feedback received from others. A group of malicious nodes can therefore falsify the trust values of its members by providing false trust values when other nodes consult about them.

4.3 Discussion

This section summarizes the performance of the proposed mechanism in the different cases mentioned above. In the honest environment, the proposed mechanism eliminates the difference in trustworthiness between the different types of simulators.

The trust values gather at about 0.8 instead of clustering into two values (0.9 and 0.8) as in Fung et al. Moreover, the average detection accuracy with different after the learning phase in multiple cases is listed in Table 11.

It is 94%, 97% and 98% in the three types of simulator (OSSEC, snort, bro) when is 6. Without the learning phase, it is 94%, 95% and 91% when is 6, 92%, 97% and 94% when is 3, and 98%, 98% and 97% when is 1. Under the same conditions (after learning), the detection accuracy of Fung et al. and of non-cooperation, with set to 1 (representing a higher chance of detecting attacks), is 96%, 91% and 84% and 94%, 89% and 82% respectively. The analysis shows that Fung et al. is only 2% better than non-cooperation, whereas the improvement rate of this mechanism is 4%, 9% and 15% for the respective simulator types. It raises the detection accuracy of the weakest simulator to 98%.

Table 11. Detection accuracy in the honest environment =6

In the dishonest environment, the proposed mechanism imposes fairer and stricter penalties than Fung et al. on a node that changes its behavior from honest to dishonest. The average trust values at the second time for the nodes replying with fake responses are 0.6609 in this mechanism and 0.6798 in Fung et al. If the nodes keep lying, the trust value approaches 0 in this mechanism instead of staying at 0.2 or 0.3 as in Fung et al. Moreover, the average detection accuracy with different and equal to 6, without the learning phase, in the three types of simulator (OSSEC, snort, bro) is listed in . is used instead of the number of dishonest nodes in the table.

It is 94%, 88% and 82% with 3 dishonest nodes, 91%, 89% and 83% with 15 dishonest nodes, and 94%, 90% and 82% with 27 dishonest nodes. When is 3, the detection accuracy is as follows: 95%, 92% and 87% with 3 dishonest nodes, 95%, 93% and 89% with 15 dishonest nodes, and 95%, 91% and 87% with 27 dishonest nodes. Although the detection accuracy decreases when dishonest nodes are present, it still performs as well as Fung et al. and non-cooperation do in the honest environment, and there is no obvious decrease in detection accuracy as the number of dishonest nodes increases. However, this holds only when the remaining honest nodes are all of different types; if the remaining honest nodes are of the same type, the mechanism cannot improve the performance.

Table 12. Detection accuracy in the dishonest environment =6

According to the security analysis, the proposed mechanism can defend against several common threats, such as the Sybil attack, identity cloning attack, newcomer attack and betrayal attack. It cannot defend against collusion attacks, since there is no appropriate way to constrain IDSs to provide honest feedback about the trust value or ability value of others.
