CIMD-Collaborative Intrusion and Malware Detection


We present a cooperation scheme for distributed intrusion detection taking into account security-related properties of each individual participating node. This leads to a security overlay network named CIMD (Collaborative Intrusion and Malware Detection1) enabling participants to state objectives for cooperation and find groups for the exchange of security-related data, like monitoring or detection results, accordingly; to these groups we refer as detection groups. Our contribution is twofold: First we present and discuss a tree-oriented taxonomy for the representation of nodes within the cooperation model. Second, we introduce and evaluate an algorithm for the formation of the detection groups. These two concepts create the core of an overlay architecture dedicated to intrusion detection and response measures and show the impact of CIMD by providing two different scenarios where the collaboration is advantageous compared to the non-collaborative approach. We evaluate the benefit of CIMD in a novel packetlevel simulation environment called NeSSi2, the Network Security Simulator. Furthermore, we analyze the vulnerabilities of the system itself and possible attack scenarios against it.

  author = {Rainer Bye and Sahin Albayrak},
  title = {{CIMD}- {C}ollaborative {I}ntrusion and {M}alware {D}etection},
  institution = {Technische Universit{"a}t Berlin - DAI-Labor},
  year = {2008},
  number = {TUB-DAI 08/08-01},
  month = aug,
  note = {}
Rainer Bye, Sahin Albayrak
Technical Report