ABSTRACT

CONTENTS

4.1 Introduction
4.2 Collaboration Framework
4.2.1 Network Join Process
4.2.2 Consultation Requests
4.2.3 Test Messages
4.2.4 Communication Overlay
4.2.5 Mediator
4.2.6 Trust Management
4.2.7 Acquaintance Management
4.2.8 Resource Management
4.2.9 Feedback Aggregation
4.3 Discussion
4.3.1 Privacy Issues
4.3.2 Insider Attacks
4.4 Summary

An intrusion detection network (IDN) is an overlay network that enables IDSs to exchange intrusion information and knowledge in order to improve the overall detection accuracy. IDSs in an IDN gain a more global view of cyber intrusions by receiving alerts from other IDSs in the network. IDSs can also send consultation requests to their collaborators when suspicious activity is detected but the local IDS does not have enough confidence to make a decision. For example, an IDS may receive a new file that is flagged by its anomaly detection process. However, anomaly detection commonly results in a high false positive rate. The IDS can send the suspicious file to other IDSs for consultation, and the feedback collected from those IDSs can be used to make a more confident intrusion decision.