Abstract
1. Introduction
2. Related work
3. Our approach
4. Evaluation
5. Discussion and limitations
6. Conclusion
Acknowledgments
References
Abstract
With the rapid development of Internet-of-Things (IoT), there is an increasing demand for securing the IoT environments. For such purpose, intrusion detection systems (IDSs) are one of the most important security mechanisms, which can help defend computer networks including IoT against various threats. In order to achieve better detection performance, collaborative intrusion detection systems or networks (CIDSs or CIDNs) are often adopted in a practical scenario, allowing a set of IDS nodes to exchange required information with each other, e.g., alarms, signatures. However, due to the distributed nature, such kind of collaborative network is vulnerable to insider attacks, i.e., malicious nodes can generate untruthful signatures and share to normal peers. This may cause intruders to be undetected and greatly degrade the effectiveness of IDSs. With the advent of blockchain technology, it provides a way to verify shared signatures (rules). In this work, our motivation is to develop CBSigIDS, a generic framework of collaborative blockchained signature-based IDSs, which can incrementally build and update a trusted signature database in a collaborative IoT environment. CBSigIDS can provide a verifiable manner in distributed architectures without the need of a trusted intermediary. In the evaluation, our results demonstrate that CBSigIDS can enhance the robustness and effectiveness of signature-based IDSs under adversarial scenarios.
Introduction
The Internet-of-Things (IoT) refers to a system of internet-enabled computing devices, mechanical and digital machines, and objects that have the capability to transfer data over a network without requiring humanto-human or human-to-computer interaction [14]. More and more organizations are using IoT to improve their performance, i.e., operating more efficiently, better understanding, improving decision-making, etc. While the interrelated IoT devices are also threatened by many attacks, i.e., the threat-trend starts moving from manipulating information to controlling actuations [2]. To safeguard various IoT devices and critical infrastructures, intrusion detection systems (IDSs) are one of the most essential and important tools that can help identify potential anomalies and policy violations [37, 42]. Based on the deployment, an IDS can be classified as either host-based IDS (HIDS) that focuses on local system logs, or network-based IDS (NIDS) that monitors network state and traffic. Further, there are two typical detection approaches: signature-based detection and anomaly-based detection. The former like [50, 40] (also known as misuse detection) uses a signature matching process to compare the stored signatures and the observed events like payload and system record. The latter like [49, 12] identifies a potential threat by discovering a significant deviation between its pre-defined normal profile and the observed events for a period of time. If any security violations are found, an alarm would be sent to notify security administrators. Figure 1 depicts the high-level detection workflow of both signature-based and anomaly-based approach.one of the most essential and important tools that can help identify potential anomalies and policy violations [37, 42]. Based on the deployment, an IDS can be classified as either host-based IDS (HIDS) that focuses on local system logs, or network-based IDS (NIDS) that monitors network state and traffic. Further, there are two typical detection approaches: signature-based detection and anomaly-based detection. The former like [50, 40] (also known as misuse detection) uses a signature matching process to compare the stored signatures and the observed events like payload and system record. The latter like [49, 12] identifies a potential threat by discovering a significant deviation between its pre-defined normal profile and the observed events for a period of time. If any security violations are found, an alarm would be sent to notify security administrators. Figure 1 depicts the high-level detection workflow of both signature-based and anomaly-based approach.