A Distributed and Privacy-Preserving Method for Network Intrusion Detection

  • Fatiha Benali
  • Nadia Bennani
  • Gabriele Gianini
  • Stelvio Cimato
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6427)


Organizations security becomes increasingly more difficult to obtain due to the fact that information technology and networking resources are dispersed across organizations. Network intrusion attacks are more and more difficult to detect even if the most sophisticated security tools are used. To address this problem, researchers and vendors have proposed alert correlation, an analysis process that takes the events produced by the monitoring components and produces compact reports on the security status of the organization under monitoring. Centralized solutions imply to gather from distributed resources by a third party the global state of the network in order to evaluate risks of attacks but neglect the honest but curious behaviors. In this paper, we focus on this issue and propose a set of solutions able to give a coarse or a fine grain global state depending on the system needs and on the privacy level requested by the involved organizations.


Bayesian Network Information System Intrusion Detection Intrusion Detection System Trusted Third Party 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Benaloh, J., de Mare, M.: One-way accumulators: A decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  2. 2.
    Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 61. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Clifton, C., Kantarcioglu, M., Vaidya, J., Lin, X., Zhu, M.Y.: Tools for privacy preserving distributed data mining. SIGKDD Explor. Newsl. 4(2), 28–34 (2002)CrossRefGoogle Scholar
  4. 4.
    Chen, R., Sivakumar, K., Kargupta, H.: Learning Bayesian Network Structure from Distributed Data. In: Proc. SIAM Int’l Data Mining Conf., pp. 284–288 (2003)Google Scholar
  5. 5.
    Goldreich, O., Micali, S., Wigderson, A.: How to Play ANY Mental Game. In: Proc. 19th Ann. ACM Conf. Theory of Computing, pp. 218–229 (1987)Google Scholar
  6. 6.
    Goldreich, O.: Foundations of Cryptography, vol. II: Basic Applications. Cambridge Univ. Press, Cambridge (2004)CrossRefzbMATHGoogle Scholar
  7. 7.
    Goodrich, M.T., Tamassia, R., Hasic, J.: An efficient dynamic and distributed cryptographic accumulator. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 372–388. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Meng, D., Sivakumar, K., Kargupta, H.: Privacy-Sensitive Bayesian Network Parameter Learning. In: Proc. Fourth IEEE Int’l Conf. Data Mining, pp. 487–490 (2004)Google Scholar
  9. 9.
    Yamanishi, K.: Distributed cooperative Bayesian Learning strategies. Information and Computation 150(1), 22–56 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Wright, R.N., Yang, Z.: Privacy-Preserving Bayesian Network Structure Computation on Distributed Heterogeneous Data. In: Proc. 10th ACM SIGKDD Int’l Conf. Knowledge Discovery and Data Mining, pp. 713–718 (2004)Google Scholar
  11. 11.
    Yang, Z., Wright, R.N.: Privacy-Preserving Computation of Bayesian Networks on Vertically Partitioned Data. IEEE Transactions on Knowledge and Data Engineering, 1253–1264 (September 2006)Google Scholar
  12. 12.
    Yao, A.: How to Generate and Exchange Secrets. In: Proc. 27th IEEE Symp. Foundations of Computer Science, pp. 162–167 (1986)Google Scholar
  13. 13.
    Benali, F., Legrand, V., Ubéda, S.: An ontology for the management of heteregenous alerts of information system. In: The 2007 International Conference on Security and Management (SAM 2007), Las Vegas, USA, pp. 374–380 (June 2007)Google Scholar
  14. 14.
    Cheswick, W.R., Bellovin, S.M.: Firewalls and Internet Security Repelling the Wily Hacker. Addison-Wesley, Reading (1994)zbMATHGoogle Scholar
  15. 15.
    Cohen, F.B.: Information system attacks: A preliminary classification scheme. Computers and Security 16(1), 29–46 (1997)CrossRefGoogle Scholar
  16. 16.
    Cuppens, F.: Managing alerts in a multi-intrusion detection environment. In: ACSAC 2001: Proceedings of the 17th Annual Computer Security Applications Conference, Washington, DC, USA, p. 22. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  17. 17.
    Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: SP 2002: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Washington, DC, USA, p. 202. IEEE Computer Society, Los Alamitos (2002)Google Scholar
  18. 18.
    Curry, D., Debar, H.: Intrusion detection message exchange formatGoogle Scholar
  19. 19.
    Dain, O., Cunningham, R.K.: Fusing a heterogeneous alert stream into scenarios. In: Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, pp. 1–13 (2001)Google Scholar
  20. 20.
    Dain, O.M., Cunningham, R.K.: Building scenarios from a heterogeneous alert stream. In: IEEE Workshop on Information Assurance and Security, pp. 231–235 (June 2001)Google Scholar
  21. 21.
    Davidson: Actions, reasons, and causes. Journal of Philosophy 685–700 (1963) (Reprinted in Davidson 1980, pp. 3–19)Google Scholar
  22. 22.
    Howard, J., Longstaff, T.: A common language for computer security incidents. Sand98-8667, Sandia International Laboratories (1998)Google Scholar
  23. 23.
    Howard, J.D.: An Analysis of Security Incidents on the Internet -normalement phd dissertation. PhD thesis, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213 USA (April 1997)Google Scholar
  24. 24.
    Johi, A., Pinkston, J., Undercoffer, J.: Modeling computer attacks: an ontology for intrusion detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 113–135. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Lindqvist, U., Jonsson, E.: How to systematically classify computer security intrusions. In: Proceeding of the IEEE Symposium on Security and Privacy, pp. 154–163 (1997)Google Scholar
  26. 26.
    Lindqvist, U., Porras, P.A.: Detecting computer and network misuse through the production-based expert system toolset(p-best). In: Proceeding of the 1999 Symposium of Security and Privacy, Oakland, CA, USA. IEEE Computer Society, Los Alamitos (May 1999)Google Scholar
  27. 27.
    Ning, P., Xu, D., Healey, C.G., Amant, R.S.: Building attack scenarios through integration of complementary alert correlation methods. In: Proceedings of The 11th Annual Network And Distributed System Security Symposium (NDSS 2004), pp. 97–111 (2004)Google Scholar
  28. 28.
    Peng, N., Yun, C., Reeves Douglas, S.: Constructing attack scenarios through correlation of intrusion alerts. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 245–254. ACM, New York (2002)Google Scholar
  29. 29.
    Saraydaryan, J., Benali, F., Ubéda, S., Legrand, V.: Comprehensive security framework for global threads analysis. International Journal of Computer Science Issues IJCSI 2, 18–32 (2009)Google Scholar
  30. 30.
    Saraydaryan, J., Legrand, V., Ubéda, S.: Behavioral anomaly detection using bayesian modelization based on a global vision of the system. In: NOTERE (2007)Google Scholar
  31. 31.
    Stallings, W.: Network and internetwork security: principles and practice. Prentice-Hall, Inc., Upper Saddle River (1995)Google Scholar
  32. 32.
    Staniford, S., Hoagland, J.A., McAlerney, J.M.: Practical automated detection of stealthy portscans. J. Comput. Secur. 10(1-2), 105–136 (2002)CrossRefGoogle Scholar
  33. 33.
    Valdes, A., Skinner, K.: Probabilistic alert correlation. In: Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2000, London, UK, pp. 54–68. Springer, Heidelberg (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Fatiha Benali
    • 1
  • Nadia Bennani
    • 2
  • Gabriele Gianini
    • 3
  • Stelvio Cimato
    • 3
  1. 1.CITI, INSA-LyonFrance
  2. 2.Université de Lyon, CNRS, INSA-Lyon, LIRIS, UMR5205France
  3. 3.Universitá degli Studi di MilanoMilanoItaly

Personalised recommendations