The First International ICST Workshop on Pervasive Computing Systems and Infrastructures

Research Article

Collaborative defense as a pervasive service Architectural insights and validation methodologies of a trial deployment

@INPROCEEDINGS{10.1109/TRIDENTCOM.2009.4976261,
    author={Eve M. Schooler and Carl Livadas and Joohwan Kim and Prashant Gandhi and Pablo R. Passera and Jaideep Chandrashekar and Steve Orrin and Martin Koyabe and Fadi El-Moussa and Gogobada Daa Dabibi},
    title={Collaborative defense as a pervasive service Architectural insights and validation methodologies of a trial deployment},
    proceedings={The First International ICST Workshop on Pervasive Computing Systems and Infrastructures},
    publisher={IEEE},
    proceedings_a={PCSI},
    year={2009},
    month={5},
    keywords={anomaly detection, collaborative systems, component, distributed inference, distributed systems, intrusion detection, malware, network security, pervasive computing},
    doi={10.1109/TRIDENTCOM.2009.4976261}
}

Eve M. Schooler (1,*), Carl Livadas (1,*), Joohwan Kim (1,*), Prashant Gandhi (1,*), Pablo R. Passera (1,*), Jaideep Chandrashekar (1,*), Steve Orrin (1,*), Martin Koyabe (2,*), Fadi El-Moussa (2,*), Gogobada Daa Dabibi (2,*)
  • 1: Corporate Technology Group, Intel Corporation, 2200 Mission College Boulevard, Santa Clara, CA 95054, USA
  • 2: Centre for Information Security & Systems Research, British Telecommunications plc, BT Innovate, pp13, Ground Floor, Orion Building, Adastral Park, Martlesham Heath, Ipswich, IP5 3RE, United Kingdom
* Contact email: eve.m.schooler@intel.com, carl.livadas@intel.com, joohwan.kim@intel.com, prashant.gandhi@intel.com, pablo.r.passera@intel.com, jaideep.chandrashekar@intel.com, steve.orrin@intel.com, martin.koyabe@bt.com, fadiali.el-moussa@bt.com, gogobadaa.dabibi@bt.com

Abstract

Network defense is an elusive art. The arsenal to defend our devices from attack constantly lags behind the latest methods attackers use to break into them, and subsequently into our networks. To counteract this trend, we developed a distributed, scalable approach that harnesses the power of collaborating end-host detectors, or sensors. Simulation results reveal order-of-magnitude improvements over stand-alone detectors in the accuracy of detection (fewer false alarms) and in the quality of detection (the ability to capture stealthy anomalies that would otherwise go undetected). Although these results arise out of a proof of concept in the arena of botnet detection in an Enterprise network, they have broader applicability to the area of network self-manageability of pervasive computing devices. To test the efficacy of these ideas further, Intel Corporation partnered with British Telecommunications plc to launch a trial deployment. In this paper, we report on results and insights gleaned from the development of a testbed infrastructure and phased experiments: (1) the design of a re-usable measurement-inference architecture into which third-party sensor developers can integrate a wide variety of “anomaly detection” algorithms to derive the same correlation-related performance benefits; (2) the development of a series of validation methodologies necessitated by the lack of mature tools and approaches to attest to the security of distributed networked systems; (3) the critical role of learning and adaptation algorithms in calibrating a fully distributed architecture of varied devices in varied contexts; and (4) the utility of large-scale data collections for assessing what is normal behavior for Enterprise end-host background traffic as well as for malware command-and-control protocols. Finally, we propose Collaborative Defense as a blueprint for emergent collaborative systems, and its measurement-everywhere approach as the adaptive underpinnings needed for pervasive services.