PRISM: A Hierarchical Intrusion Detection Architecture for Large-Scale Cyber Networks
Yahya Javed, Mosab A. Khayat, Ali A. Elghariani, Arif Ghafoor

TL;DR
PRISM is a hierarchical intrusion detection system that efficiently detects multi-stage cyber-attacks in large networks using a novel sampling technique and a multi-layered architecture, significantly reducing processing overhead while maintaining prediction accuracy.
Contribution
It introduces a hierarchical architecture with a behavior model-based sampling and a prediction mechanism for real-time multi-stage attack detection in large-scale networks.
Findings
Up to 7.5x reduction in processing overhead
Effective prediction of attack stages in real-time
Modular distributed architecture enhances scalability
Abstract
The increase in scale of cyber networks and the rise in sophistication of cyber-attacks have introduced several challenges in intrusion detection. The primary challenge is the requirement to detect complex multi-stage attacks in real time by processing the immense amount of traffic produced by present-day networks. In this paper we present PRISM, a hierarchical intrusion detection architecture that uses a novel attacker behavior model-based sampling technique to minimize the real-time traffic processing overhead. PRISM has a unique multi-layered architecture that monitors network traffic in a distributed manner to provide efficiency in processing and modularity in design. PRISM employs a Hidden Markov Model-based prediction mechanism to identify multi-stage attacks and ascertain the attack progression for a proactive response. Furthermore, PRISM introduces a stream management procedure that…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Anomaly Detection Techniques and Applications
