Defense Strategies against Byzantine Attacks in a Consensus-Based Network Intrusion Detection System

• Published in: Informatica (Ljubljana) Vol. 41; no. 2; pp. 193 - 207
• Main Authors: Toulouse, Michel, Le, Hai, Phung, Cao Vien, Hock, Denis
• Format: Journal Article
• Language: English
• Published: Ljubljana Slovenian Society Informatika / Slovensko drustvo Informatika 01.06.2017
• Subjects: Communications traffic; Computer simulation; Cybersecurity; Denial of service attacks; Identification methods; Intrusion detection systems; Modules; Traffic information
• ISSN: 0350-5596; 1854-3871

The purpose of a Network Intrusion Detection System (NIDS) is to monitor network traffic such to detect malicious usages of network facilities. NIDSs can also be part of the affected network facilities and be the subject of attacks aiming at degrading their detection capabilities. The present paper investigates such vulnerabilities in a recent consensus-based NIDS proposal [1]. This system uses an average consensus algorithm to share information among the NIDS modules and to develop coordinated responses to network intrusions. It is known however that consensus algorithms are not resilient to compromised nodes sharing falsified information, i.e. they can be the target of Byzantine attacks. Our work proposes two different strategies aiming at identifying compromised NIDS modules sharing falsified information. Also, a simple approach is proposed to isolate compromised modules, returning the NIDS into a non-compromised state. Validations of the defense strategies are provided through several simulations of Distributed Denial of Service attacks using the NSL-KDD data set. The efficiency of the proposed methods at identifying compromised NIDS nodes and maintaining the accuracy of the NIDS is compared. The computational cost for protecting the consensus-based NIDS against Byzantine attacks is evaluated. Finally we analyze the behavior of the consensus-based NIDS once a compromised module has been isolated.