Global Intrusion Detection in the DOMINO Overlay System

dc.contributor.author: Yegneswaran, Vinod [en_US]
dc.contributor.author: Barford, Paul [en_US]
dc.contributor.author: Jha, Somesh [en_US]
dc.date.accessioned: 2012-03-15T17:16:57Z
dc.date.available: 2012-03-15T17:16:57Z
dc.date.created: 2003 [en_US]
dc.date.issued: 2003
dc.description.abstract: Sharing data between widely distributed intrusion detection systems offers the possibility of significant improvements in speed and accuracy over systems operating in isolation. In this paper, we describe and evaluate DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks), an architecture for a distributed intrusion detection system that fosters collaboration among heterogeneous nodes organized as an overlay network. The overlay design enables DOMINO to be heterogeneous, scalable, and robust to attacks and failures. An important component of DOMINO's design is the use of tarpit nodes, which respond to and measure connections on unused IP addresses. This enables efficient detection of attacks from spoofed IP sources, reduces false positives, and enables attack classification and the production of timely blacklists. We evaluate the capabilities and performance of DOMINO using a large set of intrusion logs collected from over 1600 providers across the Internet. Our analysis demonstrates the significant marginal benefit obtained from distributed intrusion data sources coordinated through a system like DOMINO. We also evaluate how to configure DOMINO in order to maximize performance gains from the perspectives of blacklist length, blacklist freshness and IP proximity. We perform a retrospective analysis on the 2002 SQL-Snake and 2003 SQL-Slammer epidemics that highlights how information exchange through DOMINO would reduce reaction time and false alarm rates during outbreaks. Finally, we provide preliminary results from our prototype tarpit deployment that illustrate the limited variability in the tarpit traffic and the feasibility of efficient classification and discrimination of attack types. [en_US]
dc.format.mimetype: application/pdf [en_US]
dc.identifier.citation: TR1471 [en_US]
dc.identifier.uri: http://digital.library.wisc.edu/1793/60340
dc.publisher: University of Wisconsin-Madison Department of Computer Sciences [en_US]
dc.title: Global Intrusion Detection in the DOMINO Overlay System [en_US]
dc.type: Technical Report [en_US]

Files (Original bundle)

Name: TR1471.pdf
Size: 2.85 MB
Format: Adobe Portable Document Format