Sphinx: a Colluder-Resistant Trust Mechanism for Collaborative Intrusion Detection

The destructive effects of cyber-attacks demand more proactive security approaches. One such promising approach is the idea of collaborative intrusion detection systems (CIDS s). These systems combine the knowledge of multiple sensors (e.g., intrusion detection systems, honeypots, or firewalls) to create a holistic picture of a monitored network. Sensors monitor parts of a network and exchange alert data to learn from each other, improve their detection capabilities and ultimately identify sophisticated attacks. Nevertheless, if one or a group of sensors is unreliable (due to incompetence or malice), the system might miss important information needed to detect attacks. In this paper, we propose Sphinx, an evidence-based trust mechanism capable of detecting unreliable sensors within a CIDS. The Sphinx detects, both, single sensors or coalitions of dishonest sensors that lie about the reliability of others to boost or worsen their trust score. Our evaluation shows that, given an honest majority of sensors, dishonesty is punished in a timely manner. Moreover, if several coalitions exist, even when more than 50% of all sensors are dishonest, dishonesty is punished.