On Blockchain Architectures for Trust-based Collaborative Intrusion Detection
This paper is a preprint; it has been accepted for publication in the 2019 IEEE World Congress on Services (SERVICES), 8-13 July 2019, Milan, Italy. IEEE copyright notice: ©2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

arXiv:2109.03635v1 [cs.CR] 8 Sep 2021

Nicholas Kolokotronis*, Sotirios Brotsis*, Georgios Germanos*, Costas Vassilakis* and Stavros Shiaeles†
* Department of Informatics and Telecommunications, University of Peloponnese, 22131 Tripolis, Greece. Email: {nkolok, brotsis, germanos, costas}@uop.gr
† Centre for Security, Communications and Networks Research, Plymouth University, Plymouth PL4 8AA, UK. Email: stavros.shiaeles@plymouth.ac.uk

This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement no. 786698. The work reflects only the authors' view and the Agency is not responsible for any use that may be made of the information it contains.

Abstract—This paper considers the use of novel technologies for mitigating attacks that aim at compromising intrusion detection systems (IDSs). Solutions based on collaborative intrusion detection networks (CIDNs) could increase the resilience against such attacks, as they allow IDS nodes to gain knowledge from each other by sharing information. However, despite the vast research in this area, trust management issues still pose significant challenges, and recent works investigate whether these could be addressed by relying on blockchain and related distributed ledger technologies. Towards that direction, the paper proposes the use of a trust-based blockchain in CIDNs, referred to as trust-chain, to protect the integrity of the information shared among the CIDN peers, enhance their accountability, and secure their collaboration by thwarting insider attacks. A consensus protocol is proposed for CIDNs, which is a combination of proof-of-stake and proof-of-work protocols, to enable collaborative IDS nodes to maintain a reliable and tamper-resistant trust-chain.

Keywords—Blockchain; security; collaborative intrusion detection; trust management; insider threats.

I. INTRODUCTION

Cyber-security is an increasingly important aspect in the era of the Internet of things (IoT). The highly complex ecosystem of billions of heterogeneous devices with weak security defenses may be exploited by attackers to launch distributed denial of service (DDoS) attacks, to steal personal data, or to gain full access to and control of networks. Such incidents are getting more sophisticated and take place on a continuous and non-discriminatory basis. Intrusion detection systems (IDSs) constitute the basic line of defense against cyber-attacks, as they can detect suspicious behavior and deliver informative security alerts. For the recognition of large-scale and complex attacks, collaboration among stand-alone IDSs has been developed [1]. The term collaborative intrusion detection networks (CIDNs) refers to such networks of communicating IDSs that exchange security alerts and other data, where the credibility of the peers in a CIDN is crucial.

Establishing and maintaining mutual trust between the IDS nodes is a prerequisite for maintaining a high level of security, as nodes that turn malicious may degrade the overall security provided by a CIDN. To achieve this high level of security, continuous monitoring of the nodes' behavior is necessary, together with the implementation of a trust model for mutual evaluation based on previous behavior [2]. Apart from the credibility of the CIDN's nodes, the trustworthiness of external hosts (IP sources) may also be measured. In this way, incoming traffic to the network can be pre-filtered through packet filtering mechanisms, and large-scale attacks, like DDoS attacks, can be mitigated more efficiently [3]. Towards that direction, blockchain technology, which has already found several applications in the security domain [4], could be combined with a CIDN in order to achieve the trusted distributed coordination needed among its IDS peers [5], [6].

In this paper, we propose a novel architecture for a distributed CIDN that includes mechanisms for evaluating the credibility of a CIDN's nodes and realizing trust-based packet filtering of incoming traffic from external IP sources, depending on the trustworthiness of the latter. These mechanisms are supported by blockchain technology, so as to ensure transparency and accountability, whilst improving robustness against insider threats, as the integrity of the information shared among the IDS nodes is guaranteed. Our contributions are summarized as follows.
• A new trust management scheme is proposed that can be used in a CIDN to evaluate the credibility of IDS peers and the trustworthiness of external IP sources. The modeling of trust allows weighting the recently observed behavior differently, as in [7], to adjust the trust model's sensitivity to behavioral variations.
• A blockchain solution is designed for storing the trust scores disseminated by the CIDN nodes, along with evidence justifying these scores, to enhance the overall security and identify misbehaving IDS nodes.
• A novel consensus protocol is proposed that combines proof-of-work and proof-of-stake protocols, based on [8], [9], [10], and [11], to facilitate the secure maintenance of the blockchain by the CIDN nodes.

The rest of the paper is organized as follows. In Section II
we provide the background on intrusion detection systems, collaborative intrusion detection and blockchain technology. Section III formalizes the proposed architecture for a trust-based and blockchain-enhanced CIDN. Section IV presents in more detail our approach to achieving consensus among the CIDN peers on the information stored on the blockchain. Section V presents how our model reacts in an adversarial environment, and Section VI summarizes our contributions and outlines future work directions.

Figure 1. Example of a distributed CIDN topology. [Figure labels: Traffic: Normal / Malicious; CIDN network; Internet; NIDS; HIDS.]

II. BACKGROUND AND RELATED WORK

This section provides background information on collaborative intrusion detection, trust management schemes and their applications in CIDNs, as well as on blockchain protocols and consensus mechanisms, along with the recent proposals for their use in CIDNs.

A. Collaborative intrusion detection

Intrusion detection systems are widely used to ensure the security of networks and hosts by collecting and analyzing data for ongoing threats. Detection by an IDS may be either anomaly-based or signature-based [12], [13]. IDSs may also be classified into host-based (HIDS), where only one device is monitored, and network-based (NIDS), where the network traffic is monitored and analyzed [5]. Nevertheless, as stand-alone IDSs are not able to identify large-scale attacks, the use of CIDNs has been proposed [14]. A CIDN consists of several monitors, for collecting and sharing security-related data, as well as analysis units for extracting threat intelligence information [15].

There are three widely adopted architectures concerning the deployment of CIDNs, namely centralized, decentralized and distributed [16]. Nodes of a centralized CIDN are only connected to a central unit that is responsible for the analysis of the collected data. If this single unit stops functioning, then the overall protection system collapses; this is the case of a single point of failure (SPoF) [14]. A decentralized CIDN consists of nodes with a topological structure (e.g. hierarchical), so that the analysis units work as filters forwarding correlated data to the higher levels of the network; bottlenecks have also been observed in such architectures. On the other hand, the nodes of a distributed CIDN, as illustrated in Fig. 1, are designed to both collect and analyze data; therefore, all the CIDN nodes have the ability to communicate in a peer-to-peer (P2P) fashion and achieve significant performance gains towards detecting attacks [17].

B. Trust management

Several types of insider attacks are encountered within the CIDN framework, the predominant of which is that of malicious nodes that on purpose share fake data with their peers to significantly deteriorate the performance of the CIDN, and thus the network's security [14]. For the mitigation of such attacks within a distributed CIDN, it is suggested that information from only trusted peers should be taken into account. Thus, different schemes of trust management among CIDN nodes have been developed. Duma et al. [18] suggested that the IDS nodes continuously monitor the behavior of their CIDN peers and evaluate the quality of the security-related information that they share to estimate their credibility. Then, any data contributed by a CIDN node is taken into consideration depending on the node's calculated credibility.

Apart from measuring the credibility of a CIDN's nodes, calculating and maintaining the trustworthiness of external IP sources has also been proposed [3]. By filtering their incoming packets according to a collaborative trust-based scheme, large-scale DDoS attacks can be mitigated. The packet filtering mechanism is based on maintaining a table of blacklisted (i.e. untrusted) IP sources whose packets are immediately dropped, without further inspection and analysis, thus reducing the workload of the detection units. The challenge in the case of distributed CIDNs is that there is no central trusted authority to support the establishment of trusted coordination between the CIDN peers [6]. In the sequel, we address this challenge by proposing a solution that relies on blockchain technology, in order to secure the information on the trustworthiness of external hosts shared by CIDN peers.

C. Distributed ledgers

The blockchain was introduced with Bitcoin as part of the solution that tackles in a distributed fashion the double-spending problem in a trustless P2P network [10]. To achieve this, the solution relies on cryptographic schemes ensuring the immutability of the data records that are stored on the distributed ledger, referred to as transactions Tx. Moreover, a security-through-transparency approach is taken, based on which all nodes' transactions are publicly announced, hence allowing anyone to verify their validity. A hash function, e.g. SHA-256, is the core cryptographic primitive upon which the security of the whole blockchain construction relies. Hash functions are involved in digitally signing Tx with
the private key of the originator (a CIDN peer in our context); therefore, its authenticity is verified by using the associated public key that is also included in the blockchain. A number of new Tx is packed into a block, containing links to past Tx appearing on the blockchain, and is subsequently appended to the structure. In addition to the above, a block commonly includes the hash of the previous block, a timestamp proving that the data to store exist at a particular time instant and are authentic, as well as a Nonce value that is used according to the consensus mechanism.

The mutual agreement on the validity of a newly created block is performed according to a consensus protocol. This also ensures that tampering with or removal of the blocks on the ledger is impossible, thus making the whole data structure immutable. There is a plethora of different mechanisms that have been proposed for achieving consensus; the protocols relevant to this work are proof-of-work [10] and proof-of-stake [11], [19].

Once transactions are validated and inserted into a block, it is exponentially hard for an adversary to alter the contents of that block after it has been appended to the blockchain. In fact, the success probability of such an attack decreases exponentially with the number of blocks that have to be altered by an adversary targeting a specific block of some depth in the chain [20]. The maintenance of the ledger, i.e. the validation of new transactions, their aggregation into blocks, and the chaining with the structure, is carried out by a class of network nodes (i.e. a subset of the CIDN in our context) that depends on the type of the blockchain. Distributed ledgers can be classified as permissionless or permissioned depending on whether the block generation process is open to all network nodes.

III. PROPOSED ARCHITECTURE

In this section we present the proposed distributed CIDN model for realizing a trust-based packet filtering mechanism that relies on blockchain technology.

A. CIDN model

Let us assume a CIDN whose members, i.e. the peer IDS nodes, comprise the set N. Furthermore, let M be the set of the external network hosts (in the form of IP addresses) that are collectively monitored by the CIDN. We use M_i ⊆ M to denote the subset of IPs monitored by the IDS node i ∈ N, and we define N_i = N \ {i}. The high-level architecture is illustrated in Fig. 2, where the primary building blocks of the proposed solution are: (a) the intrusion detection monitoring engine; (b) the CIDN collaboration component; (c) the trust calculation engine; (d) the trust-based packet filter; and (e) the blockchain component referred to as trust-chain.

Figure 2. High-level view of the collaborative trust-based IDS, enriched with a trust-chain. [Figure components: intrusion detection monitoring engine (NIDS, alerts, Internet network traffic); CIDN collaboration component; trust calculation engine; trust-based packet filter with a blacklisted-IPs lookup table; trust chain with consensus; collaborative trust-based packet filtering.]

The baseline functionality of an IDS that is part of a CIDN is structured upon the first two components, the intrusion detection monitoring engine and the collaboration component. Similarly to the scheme proposed in [3], the trust calculation engine is used to keep track of the behavior of the various entities involved (members of N and M), while the packet filter is the component where incoming data filtering takes place. Part of the latter are also a list of blacklisted IP addresses and a set of signatures, against which the incoming packets are compared. Incoming packets may be dropped if their source IP address is blacklisted. In addition, the trust calculation engine continuously updates the blacklist by collecting alerts from the detector and side information from the CIDN peers about the trustworthiness of the external host. The binary decision on inclusion or exclusion of the host in the blacklist, thus its trustworthiness, relies on the comparison against a threshold ζ ∈ (0, 1). Therefore, the IDS node handles only the accepted packets, practically reducing the load of an IDS during operation. The collaboration component communicates with the other peers to transfer security-related data.

The last component, which is a key contribution of this work on the CIDN architecture proposed in [3], is the so-called trust-chain. It comprises the specific blockchain structure along with the associated consensus protocol that are described in detail in Sections III-C and IV respectively. This structure is where the information shared about the trustworthiness of the external hosts is stored.

B. Trust engine

In order to deal with internal and external attacks from misbehaving nodes, two types of trust scores are considered that characterize the credibility of an IDS peer (member of the CIDN) and the trustworthiness of an external host. The above notions were also used in [14], [2], but the subsequent formulation of the trust model differs in many aspects. To be more precise, the main design choices of [7] are adopted, as the trust model proposed therein was shown to be quite robust in an adversarial environment. The parameters used are
• the forgetting factor λ ∈ (0, 1) controlling the weight given to past behavior;
• the severity level φ > 0 defining the punishment of an IDS node that avoids giving feedback to challenges;
• the credibility threshold θ ∈ (0, 1) that determines the IDS nodes whose data on the trust-chain are trusted;
• the initial trust score τ ∈ [0, 1] assigned to a new IDS node when entering the CIDN network.

The credibility of an IDS node i ∈ N relies on its responses to challenges (alert priorities) that are sent out periodically following a probability distribution and are indistinguishable from real alerts. The format of the challenges may adhere to the intrusion detection message exchange format (IDMEF) standard [21]. The responses given to these challenges are used to compute the requesting node j's satisfaction level sat_j(i) ∈ [0, 1], which depends on the gap between the actual and the expected responses [14], [2]. These values are combined using a forgetting factor to derive an accumulated satisfaction level γ_j(i) ∈ [0, 1] as follows

$$\gamma_j(i) = (1-\lambda)\,\mathrm{sat}_j(i) + \lambda\,\gamma_j(i),\quad i \in N_j. \tag{1}$$

Honest IDS nodes always respond correctly to challenges, if information about the matched item exists, or they respond with Unsure otherwise. Let us define the variable ans_j(i) ∈ {0, 1} that equals 1 if and only if an Unsure response is given by the IDS node i to j. To avoid having malicious IDS nodes abuse the ability to respond with Unsure, instead of being forced to guess the challenge's correct answer (thus leading to a decreased satisfaction level), the quantity α_j(i) ∈ [0, 1] is computed recursively by the expression

$$\alpha_j(i) = (1-\lambda)\,\mathrm{ans}_j(i) + \lambda\,\alpha_j(i),\quad i \in N_j \tag{2}$$

and accounts for the percentage of Unsure responses that IDS node i gives to j. Then, according to j, the credibility crd_j(i) ∈ [0, 1] of the IDS node i is computed based on the severity of punishment φ for providing Unsure answers

$$\mathrm{crd}_j(i) = \bigl(1-\alpha_j(i)\bigr)^{\varphi}\,\bigl(\gamma_j(i)-\tau\bigr) + \tau,\quad i \in N_j \tag{3}$$

whereas crd_j(j) = 1, for all j ∈ N, by definition. From (3) we obtain that crd_j(i) = τ when the IDS node i constantly responds with Unsure. Assuming that only IDS peers whose credibility exceeds a threshold θ are taken into account when incorporating the knowledge acquired by the whole CIDN, the relative weight given by j to the IDS node i ∈ N is

$$w_j(i) = \begin{cases} 0, & \text{if } \mathrm{crd}_j(i) < \theta \\[4pt] \dfrac{\mathrm{crd}_j(i)}{\sum_{l \in N:\, \mathrm{crd}_j(l) \ge \theta} \mathrm{crd}_j(l)}, & \text{otherwise} \end{cases} \tag{4}$$

where we clearly have Σ_{i∈N} w_j(i) = 1 amongst the nodes comprising the collaborative intrusion detection network N.

In order to determine the trustworthiness of an external host ip ∈ M_j, the IDS node j monitors the traffic that is received from the particular host and detects whether a data packet is normal or malicious. At regular intervals, every n data packets, the trust calculation engine computes a belief about the type of the next packet; assuming that k out of the n packets were detected to be normal, then the probability that the (n + 1)th packet is normal equals [3]

$$\mathrm{tr}_j(ip) = \Pr(n+1 = \text{normal} \mid k \text{ normal}) = \frac{1+k}{2+n} \tag{5}$$

when the distribution of observing k normal packets (out of the n packets) is the Binomial distribution. This score is the observation of the IDS node j, as measured during the last monitoring interval, and is referred to as the instantaneous trust score tr_j(ip) ∈ (0, 1) of the external host ip. Likewise, the IDS node j may calculate the long-term or accumulated trust score tr^ids_j(ip) of the host using the expression

$$\mathrm{tr}^{ids}_j(ip) = (1-\lambda)\,\mathrm{tr}_j(ip) + \lambda\,\mathrm{tr}^{ids}_j(ip) \tag{6}$$

that incorporates the past knowledge that the IDS has about the particular host. However, in order to take advantage of the collective knowledge that the whole CIDN has about ip, the IDS node j utilizes the individual trust scores that have been computed locally by other credible peers of the CIDN. This process yields the combined trust score tr^cidn_j(ip), whose computation is based on the weighted combination

$$\mathrm{tr}^{cidn}_j(ip) = \sum_{i \in N} w_j(i)\,\mathrm{tr}^{ids}_i(ip) \tag{7}$$

summarizing the trustworthiness of host ip using the CIDN's knowledge, as aggregated by the IDS node j. In the final step of the above process, the IDS updates its internal value tr^ids_j(ip) with the one computed in (7). The host's IP is added to the blacklist if tr^ids_j(ip) ≤ ζ, and excluded otherwise.

The above sequence of steps is also illustrated in Alg. 1; this is a typical adopt-then-combine scenario for performing in-network processing in diffusion networks, an approach that has proven to be resilient in adversarial environments [7]. Two phases have been realized in Alg. 1: during the first phase, the IDS nodes augment their local knowledge about an external host and disseminate it in the CIDN, whereas in the second phase, the IDS nodes aggregate the updated knowledge (in the form of a trust score) received from their peers. In the sequel, this algorithm is extended in order to allow a secure realization of the information sharing via the trust-chain.

C. Trust-chain structure

In order to provide a more accountable trust management framework, the IDS node j retains some evidence ev_j(ip) after measuring the trustworthiness of an external host ip to justify the scoring (e.g. alerts having been disseminated to the CIDN during the previous monitoring interval). Hence,
Algorithm 1. Distributed computation of IPs' trust in a CIDN in a typical adaptive diffusion scenario.
  input: CIDN nodes N, list of IPs M
  initialization: tr^ids_j(ip) ← τ   ∀ j ∈ N, ip ∈ M_j
   1: for t ← 1, 2, ... do
   2:   for all j ∈ N, ip ∈ M_j do
   3:     measure tr_j(ip)                     ▷ from (5)
   4:     update accumulated tr^ids_j(ip)      ▷ from (6)
   5:     send tr^ids_j(ip)                    ▷ to all i ∈ N
   6:   end
   7:   for all j ∈ N, ip ∈ M_j do
   8:     receive tr^ids_i(ip)                 ▷ from all i ∈ N
   9:     compute combined tr^cidn_j(ip)       ▷ from (7)
  10:     tr^ids_j(ip) ← tr^cidn_j(ip)
  11:   end
  12: end
  output: tr^ids_j(ip)   ∀ j ∈ N, ip ∈ M_j

Algorithm 2. Distributed computation of IPs' trust in a CIDN with the use of the trust-chain.
  input: CIDN nodes N, list of IPs M
  initialization: tr^ids_j(ip) ← τ   ∀ j ∈ N, ip ∈ M
   1: for t ← 1, 2, ... do
   2:   for all j ∈ N do
   3:     for all ip ∈ M_j do
   4:       measure tr_j(ip)                   ▷ from (5)
   5:       update accumulated tr^ids_j(ip)    ▷ from (6)
   6:     end
   7:     build Tx_j from C_j, L_j, E_j
   8:     broadcast Tx_j                       ▷ to all i ∈ N
   9:   end
  10:   generate block B                       ▷ from (10)
  11:   manage trust-chain                     ▷ consensus protocol
  12:   for all j ∈ N do
  13:     extract Tx_i from B                  ▷ from all i ∈ N
  14:     read C_i, L_i, E_i from Tx_i
  15:     for all ip ∈ M_j do
  16:       compute combined tr^cidn_j(ip)     ▷ from (7)
  17:       tr^ids_j(ip) ← tr^cidn_j(ip)
  18:     end
  19:   end
  20: end
  output: tr^ids_j(ip)   ∀ j ∈ N, ip ∈ M

the IDS node j ∈ N maintains the following lists

$$C_j = \{\mathrm{crd}_j(i) : i \in N_j\},\qquad L_j = \{\mathrm{tr}^{ids}_j(ip) : ip \in M_j\},\qquad E_j = \{\mathrm{ev}_j(ip) : ip \in M_j\} \tag{8}$$

in addition to the IDS nodes in N_j and the external hosts in M_j that are monitored. The transaction Tx_j is disseminated to all CIDN members when differences in the credibility of the IDS nodes or the trust scores of the IP hosts occur (see step 8 of Alg. 2), and has the following structure

$$\mathrm{Tx}_j = \mathrm{ID}_{Tx} \,\|\, \mathrm{ID}_{ids} \,\|\, N_j \,\|\, C_j \,\|\, M_j \,\|\, L_j \,\|\, E_j \,\|\, \mathrm{Sig}_{Tx}.$$

Each transaction Tx_j is given a unique identifier ID_Tx and, apart from the lists, which constitute the transaction's payload, information is embedded about the identity ID_ids of the IDS and the signature Sig_Tx that is computed with the IDS node's private key. All the transactions in the CIDN during the last monitoring period are denoted as

$$\mathrm{Tx} = \{\mathrm{Tx}_j : j \in N\} \tag{9}$$

gathering the information that is disseminated to the CIDN. A number of IDSs that have been found to be credible nodes attempt to generate the new block B that will be appended to the trust-chain and then validated by the whole CIDN. This process is detailed in Section IV and corresponds to step 11 of Alg. 2. The block B, which is comprised of a header and a payload (i.e. all the transactions Tx defined in (9))

$$B = \mathrm{Hdr}_B \,\|\, \mathrm{Tx} \tag{10}$$

is signed with the leader's private key. The block's header Hdr_B contains information on the block's unique identifier ID_B, the leader's identity ID_ids, a time-stamp Stamp that verifies the block's generation time, the hash Hash_old of the last block on the trust-chain, a counter ctr ≤ q (where q is the maximum number of attempts to generate a block) and a target value V_ids. Thus, the header is structured as

$$\mathrm{Hdr}_B = \mathrm{ID}_B \,\|\, \mathrm{ID}_{ids} \,\|\, \mathrm{Stamp} \,\|\, \mathrm{Hash}_{old} \,\|\, \mathrm{ctr} \,\|\, V_{ids} \tag{11}$$

where V_ids, along with other information, allows members of the CIDN to validate the credibility of the IDS node acting as the leader and generating the block B. The trust-chain's secure process of sharing information on credibility, trustworthiness and the associated evidence is illustrated in Alg. 2.

IV. TRUST-CHAIN'S CONSENSUS

In this section we present the details of electing an IDS node that is credible enough for generating the next block in the trust-chain. We propose a solution combining the PoW and PoS protocols to achieve consensus [22], [8], where the PoS protocol extends that of Nxt [11]. High-level functions that realize the core functionality of the proposed solution are presented below.

CheckEligibility(ID_j, D, crd(j), Hash_old, Tx) checks if an IDS node j is eligible for generating the next block; it takes as input the identity of the IDS, a system parameter D, the average credibility placed on j by the CIDN, the hash value of the previous block and the payload; it computes a hash value G_j that is used next and outputs a Boolean value (True or False).
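The trust engine of Section III-B, the adopt-then-combine round of Alg. 1 (steps 3-4 and 8-10) and the transaction Tx_j that Alg. 2 builds at step 7, as an added Python example; this is not code from the paper. Assumed here, beyond what the page states: the parameter values λ = 0.5, φ = 2, θ = 0.5, τ = 0.5 and ζ = 0.3; a satisfaction value supplied by the caller for each challenge; JSON as the serialisation of Tx_j, with Sig_Tx left out; and, when a weighted peer has sent no score for a host, skipping that peer and re-normalising the remaining weights. The four-node CIDN and the observations in `round_example` are constructed.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustParams:
    lam: float = 0.5    # λ: forgetting factor in (0, 1)        (assumed value)
    phi: float = 2.0    # φ: severity of punishment for Unsure   (assumed value)
    theta: float = 0.5  # θ: credibility threshold               (assumed value)
    tau: float = 0.5    # τ: initial trust score of a newcomer   (assumed value)
    zeta: float = 0.3   # ζ: blacklist threshold for hosts       (assumed value)


class TrustEngine:
    """Trust calculation engine of IDS node `me` in a CIDN with node set `nodes`."""

    def __init__(self, me, nodes, params=TrustParams()):
        self.me, self.p = me, params
        peers = [i for i in nodes if i != me]          # N_j = N \ {j}
        self.gamma = {i: params.tau for i in peers}    # γ_j(i): accumulated satisfaction
        self.alpha = {i: 0.0 for i in peers}           # α_j(i): share of Unsure answers
        self.tr_ids = {}                               # tr^ids_j(ip): accumulated host trust
        self.evidence = {}                             # ev_j(ip): justification of the score

    # --- credibility of IDS peers, equations (1)-(4) ---------------------------
    def record_challenge(self, i, sat, unsure):
        """Fold one challenge response of peer i into γ_j(i) (1) and α_j(i) (2)."""
        lam = self.p.lam
        self.gamma[i] = (1 - lam) * sat + lam * self.gamma[i]
        self.alpha[i] = (1 - lam) * (1.0 if unsure else 0.0) + lam * self.alpha[i]

    def credibility(self, i):
        """crd_j(i) from (3); crd_j(j) = 1 by definition."""
        if i == self.me:
            return 1.0
        p = self.p
        return (1 - self.alpha[i]) ** p.phi * (self.gamma[i] - p.tau) + p.tau

    def weights(self):
        """w_j(i) from (4): peers below θ get 0, the rest are normalised to sum 1."""
        crd = {i: self.credibility(i) for i in [self.me, *self.gamma]}
        total = sum(c for c in crd.values() if c >= self.p.theta)  # > 0 since crd_j(j) = 1
        return {i: (c / total if c >= self.p.theta else 0.0) for i, c in crd.items()}

    # --- trustworthiness of external hosts, equations (5)-(7) -------------------
    @staticmethod
    def instantaneous_trust(k, n):
        """(5): probability that packet n+1 is normal after k normal packets out of n."""
        return (1 + k) / (2 + n)

    def observe(self, ip, k, n, alerts=()):
        """Alg. 1 steps 3-4: measure tr_j(ip) and fold it into tr^ids_j(ip) via (6)."""
        tr = self.instantaneous_trust(k, n)
        old = self.tr_ids.get(ip, self.p.tau)
        self.tr_ids[ip] = (1 - self.p.lam) * tr + self.p.lam * old
        self.evidence[ip] = list(alerts)
        return self.tr_ids[ip]

    def combine(self, ip, peer_scores):
        """Alg. 1 steps 8-10: weighted combination (7) of the peers' tr^ids_i(ip), then adopt it.
        Assumption of this example: peers with no score for ip are skipped and the remaining
        weights re-normalised (the paper assumes every peer's score is available)."""
        w = self.weights()
        scores = {**peer_scores, self.me: self.tr_ids.get(ip, self.p.tau)}
        avail = {i: w[i] for i in w if w[i] > 0 and i in scores}
        norm = sum(avail.values())
        self.tr_ids[ip] = sum(avail[i] / norm * scores[i] for i in avail)
        return self.tr_ids[ip]

    def blacklisted(self, ip):
        """The host is blacklisted iff tr^ids_j(ip) <= ζ."""
        return self.tr_ids.get(ip, self.p.tau) <= self.p.zeta

    # --- transaction of Alg. 2 step 7 ------------------------------------------
    def build_tx(self, tx_id):
        """Tx_j = ID_Tx || ID_ids || N_j || C_j || M_j || L_j || E_j, serialised as JSON
        (assumed encoding); Sig_Tx, the signature with the node's private key, is omitted."""
        payload = {"ID_Tx": tx_id, "ID_ids": self.me, "N_j": sorted(self.gamma),
                   "C_j": {i: self.credibility(i) for i in self.gamma},
                   "M_j": sorted(self.tr_ids), "L_j": dict(self.tr_ids), "E_j": self.evidence}
        return json.dumps(payload, sort_keys=True).encode()


def round_example():
    """One monitoring interval of node A in a constructed four-node CIDN."""
    eng = TrustEngine("A", ["A", "B", "C", "D"])
    eng.record_challenge("B", sat=1.0, unsure=False)  # correct answer
    eng.record_challenge("C", sat=1.0, unsure=True)   # honest Unsure, mildly punished by φ
    eng.record_challenge("D", sat=0.0, unsure=False)  # wrong answer: drops below θ, weight 0
    eng.observe("198.51.100.7", k=8, n=10, alerts=["portscan"])   # constructed hosts/alerts
    eng.observe("203.0.113.9", k=0, n=10, alerts=["syn-flood"])
    combined = eng.combine("198.51.100.7", {"B": 0.9, "C": 0.1, "D": 0.0})
    return {"crd": {i: eng.credibility(i) for i in "BCD"}, "w": eng.weights(),
            "combined": combined, "flood_blacklisted": eng.blacklisted("203.0.113.9"),
            "host_blacklisted": eng.blacklisted("198.51.100.7"),
            "tx": json.loads(eng.build_tx("tx-1"))}


if __name__ == "__main__":
    print(json.dumps(round_example(), indent=1))
```

With these values node D's single wrong answer already pushes crd_A(D) to 0.25 < θ, so its score is ignored in (7), while C's honest Unsure costs it only the factor (1 − α)^φ; the host that produced no normal packets out of ten lands at tr^ids ≈ 0.29 ≤ ζ and is blacklisted after one interval.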
GenerateBlock(G_j, Stamp, ctr, D′, Stake_j, Time_j) adds a new block B to the trust-chain; the inputs to this function are the hash value G_j provided by the CheckEligibility function, a time-stamp verifying the block's generation time, a counter ctr, a target value D′ (different from D), the jth node's stake Stake_j, and the time elapsed Time_j since the last block generated by j. It outputs a Boolean value (True or False).

ValidateBlock(B, D, D′), with input the block B and the target difficulties D, D′, validates block B and returns True if and only if the outputs of the CheckEligibility and GenerateBlock functions are both True.

Resolve(fork_1, ..., fork_z) returns the unique fork to work on, assuming that a number z of forks has been detected. This is the case where multiple IDS nodes satisfy the conditions of the election process for generating the next block.

According to the philosophy of PoS (resp. PoW) protocols, the node with the highest stake (resp. computational power) is more likely to generate the next block. The combination of PoW and PoS protocols in trust-chain leads to a hybrid mining-election method for achieving consensus, where the likelihood of a credible IDS j being elected as the leader increases with both its computational power and stake. This explains the inclusion of a counter ctr in the block B as given in (11). The advantage of the combination is that it prevents situations in which a credible IDS node with a large stake is in a position to ceaselessly generate all the blocks.

In the context of collaborative intrusion detection that is based on the credibility placed between IDS nodes, each peer can take advantage of its behavior and its contribution to the CIDN. The information in the list C_j, maintained by every IDS node j on the other peers' credibility, is disseminated to the CIDN through the trust-chain, and the average credibility score crd(j) for j ∈ N is then computed as follows

$$\overline{\mathrm{crd}}(j) = \frac{1}{|N|}\Bigl(1 + \sum_{l \in N_j} \mathrm{crd}_l(j)\Bigr) \tag{12}$$

at each time interval. It is then used to decide whether j is considered credible enough by the whole CIDN to be elected as the leader for the next block generation. Thus, IDS node j first computes the output G_j of a hash function G(·) and then checks if the credibility condition is satisfied

$$G_j = G(\mathrm{ID}_j, \mathrm{Hash}_{old}, \mathrm{Tx}) < D \cdot \overline{\mathrm{crd}}(j) \tag{13}$$

based on a target D and the average credibility score placed on node j by the CIDN. Note that it is important to adjust D as a loose difficulty target, so as to allow many IDS nodes with high average credibility to participate in the following process and satisfy the mining-election condition

$$\mathrm{Prefix}\bigl(H(G_j, \mathrm{Stamp}, \mathrm{ctr}),\, r\bigr) < V_j. \tag{14}$$

To achieve consensus, the IDS nodes brute-force (14) using the available computational resources by continuously trying different values for ctr and comparing the first r bits of the hash resulting from H(·) with V_j, where

$$V_j = D' \cdot \mathrm{Stake}_j \cdot \mathrm{Time}_j. \tag{15}$$

Then, an IDS node j generates the next block if and only if both (13) and (14) hold. In addition to the time elapsed since the IDS node j generated its last block, its winning chance is linked to its ability in detecting the trustworthiness of the monitored external hosts, so as to improve the accuracy of the trust-based packet filter employed by each CIDN node. This is captured by the uncertainty that the IDS j has when assigning a trust score x = tr^ids_j(ip). Thus, we let

$$\mathrm{Stake}_j = \sum_{x \in L_j} \bigl(1 - H_2(x)\bigr) \tag{16}$$

where the index x runs through all the trust scores in the list L_j, while H_2(x) = −x log_2(x) − (1 − x) log_2(1 − x) is the binary entropy function. By definition, the closer to 1/2 the trust scores in L_j are, the less useful they will be in arguing about the trustworthiness of a host.

Since a combined PoW and PoS consensus protocol is proposed, a new block is more accurate if it is generated by a credible node. Furthermore, the efficiency of the leader in monitoring and calculating the trust values of the external hosts is more important than its computational power. Therefore, the winning chain, when forks occur, is the one that possesses the highest accumulated stake by the most credible nodes, which thus avoids insider attacks based on computational power.

V. DISCUSSION ON TRUST-CHAIN'S SECURITY

A trust management scheme combined with the properties of the blockchain can adequately improve the collaboration among IDS nodes. Nevertheless, malicious behavior can possibly degrade the efficiency of the entire system. In this section, we describe a number of attacks and present how the proposed system provides proper defenses against them. Thwarting insider attacks is a challenging task in collaborative security mechanisms; they distribute false information to manipulate the outcome of a system's or peer's aggregation function. Attackers may penetrate a CIDN while acting as credible parties, to perform some security-related tasks, and thus disturb and obstruct the normal decision-making of the whole system. These attacks may be categorized according to three different criteria.
• Type of attack: the attacks can be subdivided into (a) those targeting the identities of the CIDN nodes, (b) those related to the data exchanged amongst the nodes, and (c) the attacks that target the routing of data among the nodes.
• Attacker's behavior: in case of multiple attackers, they can either act independently, i.e. the malicious actions
taken serve each attacker's own purposes, or they may collaborate with each other, leading to collusive attacks.
• Attacker's intelligence: in the simplest scenario, and in most works in the literature, the attackers' behavior is static, as they just repeat a particular type of malicious action. At the extreme end, attackers can be intelligent, and they change their tactics strategically to avoid being detected or to maximize the attack's impact. Finally, the attackers may behave irrationally, thus preventing their behavior from being predicted.

The proposed solution relies on blockchain technology to build the so-called trust-chain, which aims at protecting the integrity of the information shared among the CIDN peers, enhancing their accountability, and securing their collaboration by thwarting insider attacks. The proposed consensus protocol, which is a combination of the PoS and PoW protocols, enables collaborative IDS nodes to maintain a reliable and tamper-resistant trust-chain. The prominent attacks in our setup include Sybil, betrayal and collusion attacks.

In a Sybil attack, malicious IDS nodes create several fake identities to gain larger influence on alert dissemination and aggregation and to block the propagation of certain messages [14], [20]. In our system, the IDS members are authenticated, and newcomers (possibly fake nodes) have to contribute to the CIDN to gain credibility before being given the opportunity to generate the next block of the trust-chain. Assuming that all IDS nodes have the same hashing power, the probability that one is elected to generate the next block is proportional to its stake as well as the average credibility placed on it by the CIDN.

During a betrayal attack, a (usually highly) credible node gets compromised and subsequently turns malicious. Then, it can either act independently or in collaboration with other malicious IDS nodes [23]. To defend against this attack, a forgetting factor and a severity punishment are implemented in our scheme, so that the credibility of a malicious node drops fast enough after a few abnormal actions. In this case, the average credibility placed on a specific peer is reduced, curtailing its opportunity to create the next block. In addition, a counter ctr has been included in the block generation process so as to enable the participation of only credible IDS nodes, while preventing nodes with a large stake from generating sequences of consecutive blocks in the trust-chain.

In a collusion attack, a set of dishonest IDS nodes might cooperate to tamper with the trust-chain. This can be done either by intentionally broadcasting malicious messages (i.e. alerts, trust scores about the IP hosts and the IDS nodes, and false evidence) throughout the CIDN network, or by using their power (hashing or stake) to generate an adversarial block. In the first case, each IDS depends on its own experience [...] a group of malicious nodes works together may have a great impact on the security of the network and the blockchain. Adversarial nodes can use their resources and become the only block generators in the network, thus forcing the honest nodes to work for nothing [20]. However, in our hybrid PoW and PoS protocol, the adversary needs to control not only a great portion of the hashing power, but also a large portion of the total network's stake and the majority of the credible IDS nodes. Each valid block has to be created by an authenticated and credible IDS node based on different parameters (stake, hashing power, as well as the time elapsed since the last block creation). In the worst-case scenario, where an adversary is able to create a malicious block and fork the trust-chain, the Resolve function is utilized and returns the fork created by the most credible nodes with the highest accumulated stake. Therefore, a collusion attack is highly unlikely to occur.

Since the security of the proposed blockchain mechanism is of utmost importance, a plethora of fundamental properties need to hold, such as persistence, liveness, chain quality, and the common prefix property [4], [24]; their formal analysis is outside the scope of the present work and constitutes part of ongoing research. If all hold, the ability of adversaries to alter the trust-chain's evidentiary data would be considerably limited.

VI. CONCLUSIONS

In this paper, a distributed trust management framework for CIDNs was proposed. More precisely, each IDS shares trust-related information about IDS nodes and external hosts with other CIDN members by using an adopt-then-combine approach; this information is securely aggregated according to the source IDS's credibility, which is computed based on the responses given to challenges. The security-related data that have to be exchanged between members of the CIDN are stored on a blockchain, referred to as trust-chain, to avoid tampering by malicious nodes. A combined PoW and PoS protocol was proposed, according to which a credible IDS node with higher computational power and larger stake has an increased probability of being elected for the generation of the next block.

Ongoing work focuses on the theoretical aspects of security, namely studying a series of attacks that have been reported in both domains (trust management and blockchain), so as to fully understand the impact of various parameter choices on the proposed solution's security and the dynamics governing the trust score evolution. Simulations of the proposed system and privacy issues are open problems that will be presented in detail in a forthcoming work.

REFERENCES

[1] G. Meng, Y. Liu, J. Zhang, A. Pokluda, and R.
Boutaba, to unmask the adversaries using challenges (test messages, “Collaborative security: A survey and taxonomy,” ACM priority alerts), that are sent in a random way and are difficult Computing Surveys, vol. 48, no. 1, pp. 1–42, Jul. 2015. to be distinguished by actual alerts. On the other hand, when [Online]. Available: https://doi.org/10.1145/2785733
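As an added worked example (not code from the paper) of the leader-election checks (12)–(14): a candidate node j averages the credibility scores its neighbours placed on it, tests the credibility condition against the loose target D, and then iterates the counter ctr until the r-bit prefix of H falls below its target V_j. Instantiating G and H as SHA-256, deriving V_j from the node's stake share, and every parameter value used here are assumptions of this example.

```python
import hashlib

# Added illustration of conditions (12)-(14). Instantiating G and H as SHA-256,
# mapping stake to the target V_j and every parameter value below are
# assumptions made for this example, not choices taken from the paper.
HASH_BITS = 256

def average_credibility(scores):
    """Eq. (12): crd(j) = (1/|N_j|) * sum over l in N_j of crd_l(j)."""
    return sum(scores) / len(scores) if scores else 0.0

def g_value(node_id, hash_old_hex, txs):
    """G_j = G(ID_j, Hash_old, Tx), with G := SHA-256 over the concatenation."""
    payload = node_id.encode() + bytes.fromhex(hash_old_hex) + "|".join(txs).encode()
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")

def credibility_condition(g_j, crd_j, difficulty):
    """Eq. (13): G_j < D * crd(j); a loose D admits most credible nodes."""
    return g_j < difficulty * crd_j

def prefix(value, r):
    """Prefix(., r): the leading r bits of a HASH_BITS-bit hash value."""
    return value >> (HASH_BITS - r)

def stake_target(stake, total_stake, r):
    """V_j as node j's share of the r-bit prefix space, proportional to stake."""
    return (1 << r) * stake // total_stake

def election_condition(g_j, stamp, ctr, r, v_j):
    """Eq. (14): Prefix(H(G_j, Stamp, ctr), r) < V_j, with H := SHA-256."""
    payload = g_j.to_bytes(32, "big") + stamp.to_bytes(8, "big") + ctr.to_bytes(8, "big")
    return prefix(int.from_bytes(hashlib.sha256(payload).digest(), "big"), r) < v_j

def try_generate_block(node_id, scores, hash_old_hex, txs, stake, total_stake,
                       difficulty, r, stamp, max_ctr):
    """Both checks in order; returns the first ctr that passes (14), else None."""
    g_j = g_value(node_id, hash_old_hex, txs)
    if not credibility_condition(g_j, average_credibility(scores), difficulty):
        return None  # not credible enough to take part in the election at all
    v_j = stake_target(stake, total_stake, r)
    for ctr in range(max_ctr):  # ctr plays the role of the PoW nonce here
        if election_condition(g_j, stamp, ctr, r, v_j):
            return ctr
    return None

if __name__ == "__main__":
    # Constructed input: a node holding 30% of the stake with scores from 3 peers.
    won = try_generate_block("ids-7", [0.9, 0.8, 1.0], "ab" * 32, ["alert-1"],
                             30, 100, 1 << 254, 16, 1700000000, 10_000)
    print("elected with ctr =", won)
```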
REFERENCES

[1] G. Meng, Y. Liu, J. Zhang, A. Pokluda, and R. Boutaba, "Collaborative security: A survey and taxonomy," ACM Computing Surveys, vol. 48, no. 1, pp. 1–42, Jul. 2015. [Online]. Available: https://doi.org/10.1145/2785733

[2] C. J. Fung, O. Baysal, J. Zhang, I. Aib, and R. Boutaba, "Trust management for host-based collaborative intrusion detection," in 2008 Int'l Workshop on Distributed Systems: Operations and Management — DSOM. Springer, 2008, pp. 109–122. [Online]. Available: https://doi.org/10.1007/978-3-540-87353-2_9

[3] W. Meng, W. Li, and L. F. Kwok, "Towards effective trust-based packet filtering in collaborative network environments," IEEE Transactions on Network and Service Management, vol. 14, no. 1, pp. 233–245, 2017. [Online]. Available: https://doi.org/10.1109/TNSM.2017.2664893

[4] A. Kiayias, A. Russell, B. David, and R. Oliynykov, "Ouroboros: A provably secure proof-of-stake blockchain protocol," in Advances in Cryptology — CRYPTO 2017. Springer, 2017, pp. 357–388. [Online]. Available: https://doi.org/10.1007/978-3-319-63688-7_12

[5] N. Alexopoulos, E. Vasilomanolakis, N. R. Ivanko, and M. Mühlhäuser, "Towards blockchain-based collaborative intrusion detection systems," in 12th Int'l Conference on Critical Information Infrastructures Security — CRITIS. Springer, 2017, pp. 107–118. [Online]. Available: https://doi.org/10.1007/978-3-319-99843-5_10

[6] W. Meng, E. W. Tischhauser, Q. Wang, Y. Wang, and J. Han, "When intrusion detection meets blockchain technology: A review," IEEE Access, vol. 6, pp. 10179–10188, Mar. 2018. [Online]. Available: https://doi.org/10.1109/ACCESS.2018.2799854

[7] K. Ntemos, J. Plata-Chaves, N. Kolokotronis, N. Kalouptsidis, and M. Moonen, "Secure information sharing in adversarial adaptive diffusion networks," IEEE Transactions on Signal and Information Processing over Networks, vol. 4, no. 1, pp. 111–124, Mar. 2018, Special issue: distributed signal processing for security and privacy in networked cyber-physical systems. [Online]. Available: https://doi.org/10.1109/TSIPN.2017.2787910

[8] T. Duong, L. Fan, and H.-S. Zhou, "2-hop blockchain: Combining proof-of-work and proof-of-stake securely," Cryptology ePrint Archive, Report 2016/716, 2016. [Online]. Available: https://eprint.iacr.org/2016/716

[9] T. Duong, A. Chepurnoy, L. Fan, and H.-S. Zhou, "Twinscoin: A cryptocurrency via proof-of-work and proof-of-stake," in Proceedings of the 2nd ACM Workshop on Blockchains, Cryptocurrencies, and Contracts, ser. BCC '18, 2018, pp. 1–13. [Online]. Available: http://doi.acm.org/10.1145/3205230.3205233

[10] S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf

[11] Nxt Community, "Nxt whitepaper," Revision 4 – Nxt v1.2.2, 2014. [Online]. Available: https://bravenewcoin.com/assets/Whitepapers/NxtWhitepaper-v122-rev4.pdf

[12] P. Garcia-Teodoro, J. Diaz-Verdejo, G. Maciá-Fernández, and E. Vázquez, "Anomaly-based network intrusion detection: Techniques, systems and challenges," Computers & Security, vol. 28, no. 1, pp. 18–28, 2009. [Online]. Available: https://doi.org/10.1016/j.cose.2008.08.003

[13] S. Axelsson, "Intrusion detection systems: A survey and taxonomy," Chalmers University of Technology, Technical Report No. 99-15, Mar. 2000. [Online]. Available: https://sites.google.com/site/drstefanaxelsson/taxonomy.pdf

[14] C. J. Fung, "Collaborative intrusion detection networks and insider attacks," Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, vol. 2, no. 1, pp. 63–74, Mar. 2011. [Online]. Available: https://doi.org/10.22667/JOWUA.2011.03.31.063

[15] Y.-S. Wu, B. Foo, Y. Mei, and S. Bagchi, "Collaborative intrusion detection system (CIDS): A framework for accurate and efficient IDS," in 19th Annual Computer Security Applications Conference — ACSAC. IEEE, 2003, pp. 234–244.

[16] E. Vasilomanolakis, S. Karuppayah, M. Mühlhäuser, and M. Fischer, "Taxonomy and survey of collaborative intrusion detection," ACM Computing Surveys, vol. 47, no. 4, pp. 1–33, 2015. [Online]. Available: https://doi.org/10.1145/2716260

[17] M. E. Locasto, J. J. Parekh, A. D. Keromytis, and S. J. Stolfo, "Towards collaborative security and P2P intrusion detection," in 6th IEEE SMC Information Assurance Workshop — IAW. IEEE, 2005, pp. 333–339. [Online]. Available: https://doi.org/10.1109/IAW.2005.1495971

[18] C. Duma, M. Karresand, N. Shahmehri, and G. Caronni, "A trust-aware, P2P-based overlay for intrusion detection," in 17th Int'l Workshop on Database and Expert Systems Applications — DEXA. IEEE, 2006, pp. 692–697. [Online]. Available: https://doi.org/10.1109/DEXA.2006.21

[19] W. Li, S. Andreina, J.-M. Bohli, and G. Karame, "Securing proof-of-stake blockchain protocols," in 2017 Int'l Workshop on Cryptocurrencies and Blockchain Technology — CBT. Springer, 2017, pp. 297–315. [Online]. Available: https://doi.org/10.1007/978-3-319-67816-0_17

[20] I. Eyal and E. G. Sirer, "Majority is not enough: Bitcoin mining is vulnerable," in 2014 Int'l Conference on Financial Cryptography and Data Security — FC. Springer, 2014, pp. 436–454. [Online]. Available: https://doi.org/10.1007/978-3-662-45472-5_28

[21] H. Debar, D. Curry, and B. Feinstein, "The intrusion detection message exchange format (IDMEF)," IETF Network Working Group, RFC 4765, 2007. [Online]. Available: https://www.ietf.org/rfc/rfc4765.txt

[22] I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld, "Proof of activity: Extending Bitcoin's proof of work via proof of stake," ACM SIGMETRICS Performance Evaluation Review, vol. 42, no. 3, pp. 34–37, 2014. [Online]. Available: https://doi.org/10.1145/2695533.2695545

[23] C. Duma, M. Karresand, N. Shahmehri, and G. Caronni, "A trust-aware, P2P-based overlay for intrusion detection," in 17th International Workshop on Database and Expert Systems Applications (DEXA'06). IEEE, 2006, pp. 692–697.

[24] J. Garay, A. Kiayias, and N. Leonardos, "The bitcoin backbone protocol: Analysis and applications," in Advances in Cryptology — EUROCRYPT 2015, E. Oswald and M. Fischlin, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2015, pp. 281–310.