ABSTRACT

CONTENTS

6.1 Introduction  74
6.2 Background  74
6.3 Collaborative Decision Model  75
    6.3.1 Modeling of Acquaintances  77
    6.3.2 Collaborative Decision  79
6.4 Sequential Hypothesis Testing  80
    6.4.1 Threshold Approximation  83
6.5 Performance Evaluation  84
    6.5.1 Simulation Setting  85
        6.5.1.1 Simple Average Model  85
        6.5.1.2 Weighted Average Model  86
        6.5.1.3 Bayesian Decision Model  86
    6.5.2 Modeling of a Single IDS  86
    6.5.3 Detection Accuracy and Cost  88
        6.5.3.1 Cost under Homogeneous Environment  88
        6.5.3.2 Cost under Heterogeneous Environment  89
        6.5.3.3 Cost and the Number of Acquaintances  90
    6.5.4 Sequential Consultation  92
    6.5.5 Robustness and Scalability of the System  95
6.6 Conclusion  95

In the previous chapter we discussed the design of a robust, scalable, and efficient trust management scheme for an IDN. An important function of trust evaluation is to find the expertise level of participant IDSs in order to improve the accuracy of collaborative intrusion detection. In this chapter we focus on the design of efficient and trustworthy collaborative intrusion decision, also referred to as feedback aggregation. Efficient and trustworthy feedback aggregation is a critical component in the design of IDNs because it has a direct impact on intrusion detection accuracy. In the IDN, each IDS evaluates its peer collaborators based on their false positive and false negative rates, which can be estimated from historical data and test messages. Accordingly, assessments received from an incompetent or malicious insider carry less weight in the final decision. This decision model is based on data analysis and hypothesis testing methods. Specifically, we design optimal decision rules that minimize the Bayesian risk of IDSs in the network. In addition, for real-time applications, an IDS only needs to consult a subset of its acquaintances until desired levels of performance, such as target probabilities of detection and false alarm, are achieved. In other words, this decision model provides a data-driven, efficient, distributed sequential algorithm that lets IDSs make decisions based on feedback from a subset of their collaborators. The goal is to reduce the communication overhead and computational resources needed to achieve a satisfactory feedback aggregation result when the number of acquaintances of an IDS is large.
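The two ideas in this abstract, weighting each acquaintance's feedback by its estimated false positive and false negative rates and stopping the consultation early once target detection and false alarm levels are met, can be shown in a small simulation. The code below is an added illustration written for this page; it is not the chapter's own model and does not reproduce its decision rules. It assumes that each acquaintance returns a binary verdict, that verdicts are conditionally independent given the true state, and that the stopping thresholds are the standard Wald approximations for a sequential probability ratio test; the acquaintance names, rates and verdicts are constructed sample values.

```python
"""
Sequential feedback aggregation for a collaborative IDS decision.

Constructed illustration (not the book's model).  Each acquaintance i
returns a binary verdict (1 = "intrusion", 0 = "benign") and is described
by an estimated false positive rate fp_i = P(verdict = 1 | benign) and
false negative rate fn_i = P(verdict = 0 | intrusion).  Under the assumption
that verdicts are conditionally independent given the true state, the
log-likelihood ratio of a verdict is exactly the weight that feedback
deserves: a peer with high fp/fn contributes almost nothing.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Acquaintance:
    name: str
    fp: float  # P(says "intrusion" | benign), assumed 0 < fp < 1
    fn: float  # P(says "benign" | intrusion), assumed 0 < fn < 1

    def __post_init__(self):
        if not (0.0 < self.fp < 1.0 and 0.0 < self.fn < 1.0):
            raise ValueError("fp and fn must lie strictly between 0 and 1")


def log_lr(acq, verdict):
    """log P(verdict | intrusion) / P(verdict | benign) for one acquaintance."""
    if verdict == 1:
        return math.log((1.0 - acq.fn) / acq.fp)
    return math.log(acq.fn / (1.0 - acq.fp))


def wald_thresholds(alpha, beta):
    """Wald's approximate log thresholds for target false alarm rate alpha
    and target miss rate beta (detection probability 1 - beta)."""
    upper = math.log((1.0 - beta) / alpha)
    lower = math.log(beta / (1.0 - alpha))
    return lower, upper


def sequential_decision(acquaintances, verdicts, alpha=0.05, beta=0.05):
    """Consult acquaintances one at a time, most reliable first, and stop as
    soon as the accumulated log-likelihood ratio crosses a threshold.

    Returns (decision, number_consulted, final_llr).  decision is
    "intrusion", "benign", or "undecided" when every acquaintance was
    consulted without crossing either threshold (the caller then falls back
    to a full-feedback rule such as bayes_risk_decision below)."""
    lower, upper = wald_thresholds(alpha, beta)
    # Rank peers by a simple expertise score (lower fp + fn is better) so the
    # most informative feedback is consumed first and the test stops early.
    order = sorted(range(len(acquaintances)),
                   key=lambda i: acquaintances[i].fp + acquaintances[i].fn)
    llr = 0.0
    consulted = 0
    for i in order:
        llr += log_lr(acquaintances[i], verdicts[i])
        consulted += 1
        if llr >= upper:
            return "intrusion", consulted, llr
        if llr <= lower:
            return "benign", consulted, llr
    return "undecided", consulted, llr


def bayes_risk_decision(acquaintances, verdicts, prior_intrusion=0.01,
                        cost_fa=1.0, cost_miss=10.0):
    """Use all feedback and pick the decision with the lower expected cost.

    Deciding "intrusion" risks P(benign | data) * cost_fa; deciding "benign"
    risks P(intrusion | data) * cost_miss.  Comparing the two and cancelling
    the evidence term gives: decide intrusion iff
        LLR >= log( (1 - prior) * cost_fa / (prior * cost_miss) ).
    Returns (decision, llr)."""
    llr = sum(log_lr(a, v) for a, v in zip(acquaintances, verdicts))
    threshold = math.log((1.0 - prior_intrusion) * cost_fa
                         / (prior_intrusion * cost_miss))
    return ("intrusion" if llr >= threshold else "benign"), llr


# Constructed acquaintances: two competent peers and two weak ones.
PEERS = [
    Acquaintance("alpha", fp=0.05, fn=0.10),
    Acquaintance("bravo", fp=0.10, fn=0.20),
    Acquaintance("charlie", fp=0.30, fn=0.30),
    Acquaintance("delta", fp=0.40, fn=0.40),
]

if __name__ == "__main__":
    for verdicts in ([1, 1, 1, 1], [0, 0, 0, 0], [1, 0, 1, 1]):
        seq = sequential_decision(PEERS, verdicts)
        full = bayes_risk_decision(PEERS, verdicts)
        print(f"verdicts={verdicts} sequential={seq[0]} after {seq[1]} peers; "
              f"bayes(all feedback)={full[0]}")
```

With unanimous feedback the sequential rule stops after the two competent peers, so half of the acquaintances are never contacted; with mixed feedback it consults all four without reaching a threshold, and the Bayesian risk rule over the full feedback set resolves the case. Note how "delta" (fp = fn = 0.4) shifts the log-likelihood ratio by only about 0.41 per verdict, versus about 2.9 for "alpha", which is the weighting the abstract describes.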