ABSTRACT

CONTENTS

8.1 Introduction
8.2 Background
8.3 IDS Identification and Feedback Aggregation
8.3.1 Detection Accuracy for a Single IDS
8.3.2 Feedback Aggregation
8.4 Acquaintance Management
8.4.1 Problem Statement
8.4.2 Acquaintance Selection Algorithm
8.4.3 Acquaintance Management Algorithm
8.5 Evaluation
8.5.1 Simulation Setting
8.5.2 Determining the Test Message Rate
8.5.3 Efficiency of Our Feedback Aggregation
8.5.4 Cost and the Number of Collaborators
8.5.5 Efficiency of Acquaintance Selection Algorithms
8.5.6 Evaluation of Acquaintance Management Algorithm
8.5.6.1 Convergence
8.5.6.2 Stability
8.5.6.3 Incentive Compatibility
8.5.6.4 Robustness
8.6 Conclusion and Future Work

As discussed in the previous chapters, malicious insiders in an IDN may send false information to mislead other IDSs into making incorrect intrusion decisions. This may render the collaboration system ineffective. Furthermore, IDSs in the collaboration network may have different intrusion detection expertise levels and capabilities. An effective trust management model should be capable of distinguishing honest participants from malicious ones, and low-expertise IDSs from high-expertise IDSs. Chapter 5 describes a Bayesian learning model for IDSs to evaluate the trustworthiness of their collaborators. However, a collaboration relationship is a mutual agreement between two participants, and it should be established only when both parties agree to collaborate with each other. As we discussed in Chapter 6, the expected cost of false decisions decreases as an IDS receives feedback from more collaborators. However, maintaining a collaboration relationship takes computing resources; for example, sending test messages and responding to consultation requests from other collaborators require CPU, memory, and bandwidth. The extra cost of recruiting a new collaborator may exceed the benefit gained from that collaborator. How IDSs select collaborators to achieve optimal cost efficiency is therefore an important problem to solve for an IDN. We define IDN acquaintance management as the process of identifying, selecting, and maintaining collaborators for each IDS. An effective acquaintance management model is crucial to the design of an IDN.