Using homomorphic encryption for privacy-preserving clustering of intrusion detection alerts


Cyber-security attacks are becoming more frequent and more severe day by day. To detect the execution of such attacks, organizations install intrusion detection systems. It would be beneficial for such organizations to collaborate, to better assess the severity and the importance of each detected attack. On the other hand, it is very difficult for them to exchange data, such as network traffic or intrusion detection alerts, due to privacy reasons. A privacy-preserving collaboration system for attack detection is proposed in this paper. Specifically, homomorphic encryption is used to perform alerts clustering at an inter-organizational level, with the use of an honest but curious trusted third party. Results have shown that privacy-preserving clustering of intrusion detection alerts is feasible, with a tolerable performance overhead.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4


  1. 1.

    Andreolini, M., Colajanni, M., Marchetti, M.: A collaborative framework for intrusion detection in mobile networks. Inf. Sci. 321(C), 179–192 (2015).

    Article  Google Scholar 

  2. 2.

    Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(3), 186–205 (2000)

    Article  Google Scholar 

  3. 3.

    Barry, B.I.A., Chan, H.A.: Intrusion Detection Systems, pp. 193–205. Springer, Berlin (2010)

    Google Scholar 

  4. 4.

    Benali, F., Bennani, N., Gianini, G., Cimato, S.: A distributed and privacy-preserving method for network intrusion detection. In: OTM Confederated International Conferences On the Move to Meaningful Internet Systems, pp. 861–875. Springer (2010)

  5. 5.

    Boneh, D., Goh, E.J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Theory of Cryptography Conference, pp. 325–341. Springer (2005)

  6. 6.

    Dara, S., Muralidhara, V.: Privacy preserving architectures for collaborative intrusion detection. arXiv preprint arXiv:1602.02452 (2016)

  7. 7.

    Davis, C.: The norm of the schur product operation. Numer. Math. 4(1), 343–344 (1962).

    MathSciNet  Article  MATH  Google Scholar 

  8. 8.

    Dermott, A., Shi, Q., Kifayat, K.: Collaborative intrusion detection in federated cloud environments. J. Comput. Sci. Appl. 3(3A), 10–20 (2015).

    Article  Google Scholar 

  9. 9.

    Do, H.G., Ng, W.K.: Privacy-preserving approach for sharing and processing intrusion alert data. In: 2015 IEEE Tenth International Conference on Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), pp. 1–6. IEEE (2015)

  10. 10.

    Fayi, S.Y.A.: What petya/notpetya ransomware is and what its remidiations are. In: Information Technology-New Generations, pp. 93–100. Springer (2018)

  11. 11.

    Francois, J., Aib, I., Boutaba, R.: Firecol: a collaborative protection network for the detection of flooding ddos attacks. IEEE/ACM Trans. Netw. 20(6), 1828–1841 (2012)

    Article  Google Scholar 

  12. 12.

    Gogoi, P., Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: Packet and flow based network intrusion dataset. In: Parashar, M., Kaushik, D., Rana, O.F., Samtaney, R., Yang, Y., Zomaya, A. (eds.) Contemporary Computing, pp. 322–334. Springer, Berlin (2012)

    Google Scholar 

  13. 13.

    Ho, C.Y., Lai, Y.C., Chen, I.W., Wang, F.Y., Tai, W.H.: Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems. IEEE Commun. Mag. 50(3), 146–154 (2012)

    Article  Google Scholar 

  14. 14.

    Hong, J., Liu, C.C.: Intelligent electronic devices with collaborative intrusion detection systems. IEEE Trans. Smart Grid PP(99), 1-1 (2017).

    Article  Google Scholar 

  15. 15.

    Horn, R.A.: The hadamard product. Proc. Symp. Appl. Math. 40, 87–169 (1990)

    MathSciNet  Article  Google Scholar 

  16. 16.

    Jin, R., He, X., Dai, H.: On the tradeoff between privacy and utility in collaborative intrusion detection systems-a game theoretical approach. In: Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp, HoTSoS, pp. 45–51. ACM, New York, NY, USA (2017).

  17. 17.

    Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: Ddos in the iot: Mirai and other botnets. Computer 50(7), 80–84 (2017)

    Article  Google Scholar 

  18. 18.

    Lazarevic, A., Kumar, V., Srivastava, J.: Intrusion Detection: A Survey, pp. 19–78. Springer, Boston (2005)

    Google Scholar 

  19. 19.

    Li, W., Meng, W., Kwok, L.F., Horace, H.: S: Enhancing collaborative intrusion detection networks against insider attacks using supervised intrusion sensitivity-based trust management model. J. Netw. Comput. Appl. 77, 135–145 (2017).

    Article  Google Scholar 

  20. 20.

    Liang, H., Ge, Y., Wang, W., Chen, L.: Collaborative intrusion detection as a service in cloud computing environment. In: 2015 IEEE International Conference on Progress in Informatics and Computing (PIC), pp. 476–480 (2015).

  21. 21.

    McHugh, J., Christie, A., Allen, J.: Defending yourself: the role of intrusion detection systems. IEEE Softw. 17(5), 42–51 (2000)

    Article  Google Scholar 

  22. 22.

    Milenkoski, A., Vieira, M., Kounev, S., Avritzer, A., Payne, B.D.: Evaluating computer intrusion detection systems: a survey of common practices. ACM Comput. Surv. (CSUR) 48(1), 12 (2015)

    Article  Google Scholar 

  23. 23.

    Morais, A., Cavalli, A.: A distributed and collaborative intrusion detection architecture for wireless mesh networks. Mobile Netw. Appl. 19(1), 101–120 (2014).

    Article  Google Scholar 

  24. 24.

    Nicolas, J.L., Robin, G.: Highly composite numbers by srinivasa ramanujan. Ramanujan J. 1(2), 119–153 (1997).

    MathSciNet  Article  Google Scholar 

  25. 25.

    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 223–238. Springer (1999)

  26. 26.

    Pietraszek, T., Tanner, A.: Data mining and machine learning-towards reducing false positives in intrusion detection. Inf. Secur. Tech. Rep. 10(3), 169–183 (2005)

    Article  Google Scholar 

  27. 27.

    Ring, M., Wunderlich, S., Scheuring, D., Landes, D., Hotho, A.: A survey of network-based intrusion detection data sets. Comput. Secur. 86, 147–167 (2019)

    Article  Google Scholar 

  28. 28.

    Roesch, M.: Snort—lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration, LISA’99, pp. 229–238. USENIX Association, Berkeley, CA, USA (1999).

  29. 29.

    Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012).

    Article  Google Scholar 

  30. 30.

    Singh, S.S., Chauhan, N.: K-means v/s k-medoids: a comparative study. In: National Conference on Recent Trends in Engineering & Technology, vol. 13 (2011)

  31. 31.

    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 305–316. IEEE (2010)

  32. 32.

    Spathoulas, G.P., Katsikas, S.K.: Reducing false positives in intrusion detection systems. Comput. Secur. 29(1), 35–44 (2010)

    Article  Google Scholar 

  33. 33.

    Tan, Z., Nagar, U.T., He, X., Nanda, P., Liu, R.P., Wang, S., Hu, J.: Enhancing big data security with collaborative intrusion detection. IEEE Cloud Comput. 1(3), 27–33 (2014).

    Article  Google Scholar 

  34. 34.

    Vasilomanolakis, E., Karuppayah, S., Mühlhäuser, M., Fischer, M.: Taxonomy and survey of collaborative intrusion detection. ACM Comput. Surv. (CSUR) 47(4), 55 (2015)

    Article  Google Scholar 

  35. 35.

    Vasilomanolakis, E., Krügl, M., Cordero, C.G., Mühlhäuser, M., Fischer, M.: Skipmon: A locality-aware collaborative intrusion detection system. In: 2015 IEEE 34th International Performance Computing and Communications Conference (IPCCC), pp. 1–8 (2015).

  36. 36.

    Wang, Y., Meng, W., Li, W., Li, J., Liu, W.X., Xiang, Y.: A fog-based privacy-preserving approach for distributed signature-based intrusion detection. J. Parallel Distrib. Comput. 122, 26–35 (2018)

    Article  Google Scholar 

  37. 37.

    Wang, Y., Xie, L., Li, W., Meng, W., Li, J.: A privacy-preserving framework for collaborative intrusion detection networks through fog computing. In: Wen, S., Wu, W., Castiglione, A. (eds.) Cyberspace Safety and Security, pp. 267–279. Springer International Publishing, Cham (2017)

    Google Scholar 

  38. 38.

    Zhang, P., Huang, X., Sun, X., Wang, H., Ma, Y.: Privacy-preserving anomaly detection across multi-domain networks. In: 2012 9th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD), pp. 1066–1070. IEEE (2012)

  39. 39.

    Zhou, C.V., Karunasekera, S., Leckie, C.: Evaluation of a decentralized architecture for large scale collaborative intrusion detection. In: 2007 10th IFIP/IEEE International Symposium on Integrated Network Management, pp. 80–89 (2007)

  40. 40.

    Zhou, C.V., Leckie, C., Karunasekera, S.: Decentralized multi-dimensional alert correlation for collaborative intrusion detection. J. Netw. Comput. Appl. 32(5), 1106–1123 (2009). Next Generation Content Networks

    Article  Google Scholar 

  41. 41.

    Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Comput. Secur. 29(1), 124–140 (2010)

    Article  Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Georgios Spathoulas.

Ethics declarations

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Spathoulas, G., Theodoridis, G. & Damiris, G. Using homomorphic encryption for privacy-preserving clustering of intrusion detection alerts. Int. J. Inf. Secur. (2020).

Download citation


  • Intrusion detection
  • Clustering
  • Homomorphic encryption
  • Privacy