Generative Pattern Dissemination for Collaborative Intrusion Detection

New cyber security threats emerge dynamically, challenging conventional Intrusion Detection Systems, limited by isolated analysis, to maintain an updated decision base. Although Collaborative Intrusion Detection Systems improve attack detection performance by providing mechanisms for sharing and correlating analysis data, existing solutions neglect the aspect of a scalable dissemination of monitoring data. In this context, we present a novel approach that distributes network flow data among members in a group of cooperating infrastructures to enhance local data views while meeting requirements for low communication overhead, privacy and interoperability. Flows are partitioned using Locality Sensitive Hashing and persisted in a local data store by using the respective hash values. Gaussian Mixture Models are fitted on stored flows and the resulting model parameters are sent to a global data store, enabling members to locally reconstruct the corresponding models from which synthetic data can be sampled to improve local attack detection. Representing local data as model parameters significantly reduces the amount of data exchanged and ensures privacy. Associated processing latency is reduced by exploiting the parallelization enabled by data partitioning. Traffic classification experiments on multiple network security datasets show the superior performance of our approach in comparison to alternative scenarios.