Abstract

Distributed intrusion detection systems (IDS) are primarily deployed across the network to monitor, detect, and report anomalies, as well as to respond in real time. Typically, an IDS is equipped with a set of rules that it must apply to perform efficient detection. However, reducing the generation of false alarms is a major challenge in any IDS implementation. Additionally, the sheer number of IoT devices that generate alarms in a moderately large sensor network may be overwhelming. To reduce alarms, this paper contributes to the field by proposing an original framework that limits the number of generated messages without compromising detection accuracy. The primary idea is to exploit mid-level nodes, called collectors, where similar alerts are collected and analyzed independently. A priority is assigned to each alert, and similar alerts are fused at their respective collectors for more informed decision making. In addition, a Kademlia-based Distributed Hash Table (DHT) is used for efficient alert transportation and distributed fusion of similar alerts. To minimize the false alarm rate, event correlation is used to find similarity between events fused by different detection sensors. The framework is implemented in a fog-based environment to assess and evaluate the efficiency of the proposed system in an edge network. The architecture is evaluated with the recognized DARPA 1999 dataset; the reported results show that the proposed technique reduces message generation by 62% while achieving false positive accuracy over 80%.

Highlights

  • Network traffic anomalies are very common these days, and identifying them quickly and efficiently is essential, especially for large networks and service providers

  • Alerts are made uniform using the Intrusion Detection Message Exchange Format (IDMEF) library [38] before being fused to their respective collectors

  • Collectors are selected on the basis of their security and available bandwidth; there can be multiple parameters for selecting and re-selecting collectors dynamically to adapt to changing conditions


Summary

INTRODUCTION

Network traffic anomalies are very common these days, and identifying them quickly and efficiently is essential, especially for large networks and service providers. Reviewing the recent advancements in the field leads us to recognize that the sheer amount of related events produced by sensors requires the following features in an innovative IDS infrastructure: 1) efficient routing of similar alarms to their respective intermediate collectors without consulting a centralized directory and without flooding the entire network; 2) support for some kind of query language that can collect and aggregate information from distributed nodes and multiple levels of collectors; 3) support for effective load balancing; 4) fault tolerance, e.g., efficient handling of node join/leave in a distributed environment; and 5) generation and consideration of only enough relevant information, so that collectors are not overwhelmed or slowed down by data of scarce meaning or impact.
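The abstract's pipeline (normalized alerts, a priority per alert, Kademlia-style routing of similar alerts to a collector, fusion at the collector) and requirement 1 above can be illustrated with a small simulation. This is an added example, not the paper's code: the alert field names, the XOR-distance routing over SHA-1 identifiers, the severity-to-priority table and the sample alerts are all constructed here.

```python
import hashlib
from collections import defaultdict

# Constructed sample alerts from three sensors, already normalized to a small
# IDMEF-like dict (hypothetical field names, not the paper's schema).
ALERTS = [
    {"sensor": "s1", "classification": "portscan", "target": "10.0.0.5", "severity": "low"},
    {"sensor": "s2", "classification": "portscan", "target": "10.0.0.5", "severity": "low"},
    {"sensor": "s3", "classification": "portscan", "target": "10.0.0.5", "severity": "medium"},
    {"sensor": "s1", "classification": "bruteforce", "target": "10.0.0.7", "severity": "high"},
    {"sensor": "s2", "classification": "bruteforce", "target": "10.0.0.7", "severity": "high"},
    {"sensor": "s3", "classification": "dns-tunnel", "target": "10.0.0.9", "severity": "high"},
]
SEVERITY_PRIORITY = {"low": 1, "medium": 2, "high": 3}  # constructed mapping

def kad_id(s: str) -> int:
    """160-bit Kademlia-style identifier for a node name or alert key (SHA-1)."""
    return int.from_bytes(hashlib.sha1(s.encode()).digest(), "big")

def alert_key(alert: dict) -> int:
    # Similar alerts share classification and target, so they hash to one key
    # and therefore always reach the same collector without a central directory.
    return kad_id(f"{alert['classification']}|{alert['target']}")

def closest_collector(key: int, collectors: dict) -> str:
    # Kademlia routes a key to the node whose ID has the smallest XOR distance.
    return min(collectors, key=lambda name: collectors[name] ^ key)

def fuse_alerts(alerts, collectors):
    """Group similar alerts per collector; returns {collector: {key: fused_record}}."""
    fused = defaultdict(dict)
    for a in alerts:
        k = alert_key(a)
        c = closest_collector(k, collectors)
        rec = fused[c].setdefault(k, {"classification": a["classification"],
                                      "target": a["target"], "sensors": set(), "priority": 0})
        rec["sensors"].add(a["sensor"])  # distinct reporting sensors, input to correlation
        rec["priority"] = max(rec["priority"], SEVERITY_PRIORITY[a["severity"]])
    return fused

def message_reduction(alerts, collectors):
    """Raw alert count, fused messages forwarded upstream, and the fractional reduction."""
    fused = fuse_alerts(alerts, collectors)
    sent = sum(len(recs) for recs in fused.values())
    return len(alerts), sent, 1 - sent / len(alerts)

COLLECTORS = {name: kad_id(name) for name in ("collector-a", "collector-b", "collector-c")}

if __name__ == "__main__":
    raw, sent, reduction = message_reduction(ALERTS, COLLECTORS)
    print(f"raw alerts={raw}, fused messages={sent}, reduction={reduction:.0%}")
```

The fused record keeps the set of sensors that reported the same event, which is the input a collector's event correlation would use to decide whether an alert seen by only one sensor is a likely false positive.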
