ABSTRACT

CONTENTS

7.1 Introduction
7.2 Background
7.3 Resource Management and Incentive Design
    7.3.1 Modeling of Resource Allocation
    7.3.2 Characterization of Nash Equilibrium
    7.3.3 Incentive Properties
7.4 Primal / Dual Iterative Algorithm
7.5 Experiments and Evaluation
    7.5.1 Nash Equilibrium Computation
    7.5.2 Nash Equilibrium Using Distributed Computation
    7.5.3 Robustness Evaluation
        7.5.3.1 Free-Riding
        7.5.3.2 Denial-of-Service (DoS) Attacks
        7.5.3.3 Dishonest Insiders
    7.5.4 Large-Scale Simulation
7.6 Conclusion

7.1 Introduction

As discussed in the previous chapters, collaborative intrusion detection networks can improve the intrusion detection accuracy of participating IDSs. However, malicious insiders in an IDN may compromise the system by providing false information/feedback or overloading the system with spam. Also, “free-riders” [88] can exploit the system by benefiting from others without contributing themselves. This can degrade the overall performance of malicious insiders and trust management is necessary to distinguish dishonest or malicious insiders, and an incentive-compatible resource allocation mechanism can help participating IDSs contribute helping resources to collaborators in a fair manner (i.e., more active contributors should receive more helping resources). The resource allocation mechanism itself should be robust against various insider attacks.