A consensus based network intrusion detection system
Michel Toulouse, Bui Quang Minh, Philip Curtis

TL;DR
This paper introduces a fully distributed anomaly-based network intrusion detection system using naive Bayes classifiers and consensus protocols, enhancing scalability and fault tolerance over centralized systems.
Contribution
It presents a novel distributed detection approach that performs analysis at each node and shares probabilities via consensus, reducing single points of failure.
Findings
Comparable accuracy to hierarchical systems in DDoS detection
Reduced risk of system failure due to decentralization
Analysis of communication costs and convergence speed
Abstract
Network intrusion detection is the process of identifying malicious behaviors that target a network and its resources. Current systems implementing intrusion detection processes observe traffic at several data collecting points in the network but analysis is often centralized or partly centralized. These systems are not scalable and suffer from the single point of failure, i.e. attackers only need to target the central node to compromise the whole system. This paper proposes an anomaly-based fully distributed network intrusion detection system where analysis is run at each data collecting point using a naive Bayes classifier. Probability values computed by each classifier are shared among nodes using an iterative average consensus protocol. The final analysis is performed redundantly and in parallel at the level of each data collecting point, thus avoiding the single point of failure…
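The abstract describes two pieces: a naive Bayes classifier run locally at every data collecting point, and an iterative average consensus protocol that lets every node converge on the network-wide average of those local probabilities so the final decision is reached redundantly at each node. The following Python example is added here to illustrate that pipeline; it is not code from the paper. The feature names, the Bernoulli naive Bayes model probabilities, the three-node path topology, and the use of Metropolis weights for the consensus step are all assumptions made for illustration (the paper only specifies "iterative average consensus").

```python
import math

# Constructed communication graph: three data collecting points on a path,
# node 0 -- node 1 -- node 2. Each node only talks to its listed neighbours.
NEIGHBOURS = {0: [1], 1: [0, 2], 2: [1]}

# Constructed Bernoulli naive Bayes model (assumed values, not the paper's):
# prior P(attack) and, per feature, (P(f=1 | attack), P(f=1 | normal)).
MODEL = {
    "prior": 0.1,
    "likelihoods": {
        "high_syn_rate": (0.9, 0.1),
        "many_src_ips": (0.8, 0.2),
        "small_packets": (0.7, 0.3),
    },
}


def naive_bayes_attack_prob(observed, model=MODEL):
    """Posterior P(attack | observed features) for one node's local traffic.

    observed maps feature name -> bool. Works in log-odds space so that
    products of many small likelihoods do not underflow.
    """
    log_odds = math.log(model["prior"] / (1.0 - model["prior"]))
    for feature, (p_attack, p_normal) in model["likelihoods"].items():
        present = bool(observed[feature])
        like_attack = p_attack if present else 1.0 - p_attack
        like_normal = p_normal if present else 1.0 - p_normal
        log_odds += math.log(like_attack) - math.log(like_normal)
    return 1.0 / (1.0 + math.exp(-log_odds))


def metropolis_weights(neighbours):
    """Metropolis-Hastings weight matrix for an undirected graph (assumption).

    The matrix is symmetric and doubly stochastic, so repeated multiplication
    drives every node's value to the exact network-wide average.
    """
    n = len(neighbours)
    W = [[0.0] * n for _ in range(n)]
    for i in range(n):
        deg_i = len(neighbours[i])
        for j in neighbours[i]:
            W[i][j] = 1.0 / (1 + max(deg_i, len(neighbours[j])))
        W[i][i] = 1.0 - sum(W[i])  # self-weight absorbs the remainder
    return W


def average_consensus(values, W, iterations):
    """Run `iterations` rounds of x_i <- sum_j W_ij x_j using only neighbour
    values; returns every node's estimate of the global average."""
    x = list(values)
    n = len(x)
    for _ in range(iterations):
        x = [sum(W[i][j] * x[j] for j in range(n)) for i in range(n)]
    return x


def distributed_detect(node_observations, neighbours=NEIGHBOURS,
                       iterations=50, threshold=0.5):
    """Full pipeline: local naive Bayes at each node, consensus on the
    probabilities, then a redundant decision taken independently at each node.

    Returns (local_probs, consensus_probs, decisions)."""
    local = [naive_bayes_attack_prob(obs) for obs in node_observations]
    W = metropolis_weights(neighbours)
    agreed = average_consensus(local, W, iterations)
    decisions = [p > threshold for p in agreed]
    return local, agreed, decisions


if __name__ == "__main__":
    # Constructed scenario: nodes 0 and 1 see flood-like traffic, node 2 sees
    # only one suspicious feature. No node has the full picture alone.
    observations = [
        {"high_syn_rate": True, "many_src_ips": True, "small_packets": True},
        {"high_syn_rate": True, "many_src_ips": True, "small_packets": False},
        {"high_syn_rate": False, "many_src_ips": False, "small_packets": True},
    ]
    local, agreed, decisions = distributed_detect(observations)
    for i, (l, a, d) in enumerate(zip(local, agreed, decisions)):
        print(f"node {i}: local={l:.3f} consensus={a:.3f} alarm={d}")
```

Two things worth noticing when running it: every node ends with the same consensus value and therefore the same decision, which is what removes the single point of failure, and the number of iterations needed depends on the graph (the second-largest eigenvalue of W), which is the convergence-speed cost the paper analyses.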
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Complex Network Analysis Techniques
