A Hierarchical Architecture and Probabilistic Strategy for Collaborative Intrusion Detection

Large-scale network attacks like (distributed) denial of service or probing/port scanning are performed in a (highly) distributed and coordinated manner to increase their volume and velocity. Since systems from multiple infrastructures are involved while either being used as attack source or targeted as destination, local scopes w.r.t. observed network data can be combined to extract or derive comprehensive knowledge for attack detection at a global level. To support this, a three-tier hierarchical architecture for collaborative intrusion detection and a probabilistic classification strategy for flow data that leverages the architecture for local and especially global collaboration are proposed in this paper. While the benefits of the approach depend on the considered attack type and may vary for participating networks, experiments reveal that the CIDS hierarchy is advantageous compared to other intrusion detection deployments w.r.t. achieved accuracy scores and shared data volume.