Dependency-Based Distributed Intrusion Detection

Overview

Distributed network intrusion detection has attracted much attention recently. The main focus in this work is on zero-day, slow-scanning worms, of which no existing signatures are available. End hosts are organized into regions based on network knowledge, which it posits is positively correlated to the dependency structure. Leveraging on this organization, different intrusion detection techniques are applied within and across regions. A Hidden Markov Model (HMM) is used within a region to capture the dependency among hosts, and use Sequential Hypothesis Testing (SHT) globally to take advantage of the independence between regions.