An Exact Consensus-Based Network Intrusion Detection System

In a recent work Toulouse et al. [1] introduced a fully distributed network intrusion detection system (NIDS) based on an average consensus algorithm. In this initial work, modules of the NIDS repeatedly average their state with the state of their neighbors to converge asymptotically to a same value, which in turn is used as measurement of some relevant state of the network wide monitored traffic. In the present work, local averaging is used to implement a finite convergence procedure for the consensus-based NIDS in [1]. We call this implementation exact consensus as local averaging computes exactly in a finite number of steps a function of the initial NIDS states. Furthermore, unlike asymptotic consensus which computed only the average sum function, this new distributed protocol can compute almost any function of the initial NIDS states. Tests are performed that compare the asymptotic consensus with this new exact consensus protocol. In particular, we compare the convergence speed of the two methods given a same pre-defined level of accuracy in the decisions computed by the intrusion detection system.