Prioritization and Alert Fusion in Distributed IoT Sensors Using Kademlia Based Distributed Hash Tables

Abstract

Distributed intrusion detection systems (IDS) are primarily deployed across the network to monitor, detect, and report anomalies, as well as to respond in real-time. Predominantly, an IDS is equipped with a set of rules that it needs to infer to be able to perform efficient detection. However, reducing the generation of false alarms is a major challenge in any IDS implementation. Additionally, the sheer number of IoT devices that generate alarms in a moderately large sensor network may be overwhelming. In order to reduce alarms, this paper contributes to the field by proposing an original framework that limits the number of generated messages without compromising detection accuracy. The primary idea is to exploit mid-level nodes called collectors where similar alerts are collected and analyzed independently. Priority is assigned to each alert and similar alerts are fused to respective collectors for more informed decision making. In addition, Kademlia based Distributed Hash Table (DHT) is used for efficient alert transportation and distributed fusion of similar alerts. In order to minimize false alarm rate, event correlation is used to find similarity between events fused by different detection sensors. The framework is implemented in a fog-based environment to assess and evaluate the efficiency of the proposed system in edge network. The architecture is evaluated with the recognized DARPA 1999 dataset; the reported results show that the proposed technique reduces message generation by 62% while achieving false positive accuracy over 80%.
2020
Mansoor Nasir; Khan Muhammad; Paolo Bellavista; Mi Young Lee; Muhammad Sajjad
Files in this record:

File: 09169639.pdf
Access: open access
Type: Publisher's version (PDF)
License: Open Access License. Creative Commons Attribution (CC BY)
Size: 7.46 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11585/788515
Citations
  • PMC: ND
  • Scopus: 6
  • ISI: 6