DocumentCode
2283966
Title
Relieving hot spots in collaborative intrusion detection systems during worm outbreaks
Author
Zhou, Chenfeng Vincent ; Karunasekera, Shanika ; Leckie, Christopher
Author_Institution
Dept. of Comput. Sci. & Software Eng., Univ. of Melbourne, Melbourne, VIC
fYear
2008
fDate
7-11 April 2008
Firstpage
49
Lastpage
56
Abstract
The increasing number of stealthy and coordinated attacks on the Internet poses a significant threat to network security. Collaborative intrusion detection systems (CIDSs) have therefore been proposed to address this coordinated defense challenge by correlating patterns of suspicious activity based on the source addresses of the suspicious incoming traffic. However, during worm outbreaks, there can be a rapid growth in the suspicious evidence reported about the individual sources of the outbreak. In CIDSs that correlate suspicious activity by source address, the evidence relating to these worm spread sources can cause a load "hot-spot", which severely degrades the overall performance of the detection system. In this paper, we propose a load balancing scheme for a CIDS that distributes the workload evenly to avoid hot-spots during worm outbreaks. Rather than correlating suspicious evidence based on source addresses, we distribute the load in the CIDS using a scheme that enables the different possible patterns of suspicious evidence to be automatically mapped onto different processing nodes in the CIDS. Simulation results show that our scheme can achieve significant improvements in load balancing without sacrificing detection accuracy.
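The hot-spot effect the abstract describes can be reproduced in a few lines. The following is an added example, not code from the paper: it generates constructed evidence records for a CIDS with eight correlation nodes, simulates a worm outbreak in which a handful of infected hosts probe a target range, and compares the per-node load when evidence is partitioned by source address with the load when it is partitioned by a pattern key. The pattern key used here, (source, destination, port, signature), the node count, and the traffic mix are assumptions for illustration, not the mapping or the parameters the paper defines.

```python
"""Hot-spot simulation for a collaborative IDS (CIDS) during a worm outbreak.

Added example, not code from the paper. Contrasts two ways of assigning
suspicious-evidence records to correlation nodes and measures the
resulting load imbalance. The pattern key (source, destination, port,
signature) is an illustrative assumption, not the paper's mapping.
"""
import hashlib
import random
from collections import Counter

NUM_NODES = 8  # assumed size of the CIDS correlation tier


def node_for(key: str, num_nodes: int = NUM_NODES) -> int:
    """Map a partitioning key to a node with a stable hash (not Python's
    salted hash(), so every CIDS node computes the same mapping)."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_nodes


def make_evidence(seed=1, background=2000, worm_sources=3, worm_reports=3000):
    """Constructed evidence records (src, dst, port, signature).

    Background alerts come from many distinct sources; the outbreak is a
    few infected hosts probing the whole target range on one port, which
    is what concentrates evidence on a few source addresses.
    """
    rng = random.Random(seed)
    records = []
    for _ in range(background):
        src = f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        dst = f"192.0.2.{rng.randint(1, 254)}"
        port = rng.choice([22, 80, 443, 445, 3389, 8080])
        records.append((src, dst, port, "scan"))
    infected = [f"203.0.113.{i}" for i in range(1, worm_sources + 1)]
    for _ in range(worm_reports):
        records.append((rng.choice(infected), f"192.0.2.{rng.randint(1, 254)}",
                        445, "worm-probe"))
    return records


def source_key(rec):
    """Partition by source address: the scheme that produces hot spots."""
    return rec[0]


def pattern_key(rec):
    """Partition by an evidence pattern (assumed key, see module docstring)."""
    src, dst, port, sig = rec
    return f"{src}|{dst}|{port}|{sig}"


def node_loads(records, key_fn, num_nodes=NUM_NODES):
    """Number of evidence records each node would have to process."""
    loads = Counter({n: 0 for n in range(num_nodes)})
    for rec in records:
        loads[node_for(key_fn(rec), num_nodes)] += 1
    return loads


def imbalance(loads):
    """max / mean load: 1.0 is perfect balance, higher means a hot spot."""
    mean = sum(loads.values()) / len(loads)
    return max(loads.values()) / mean


def nodes_holding(records, src, key_fn, num_nodes=NUM_NODES):
    """How many nodes hold evidence about one source under a scheme. With
    pattern keys a single worm source is spread over many nodes, so a
    per-source verdict needs cross-node aggregation; that is the price of
    removing the hot spot."""
    return len({node_for(key_fn(r), num_nodes) for r in records if r[0] == src})


def compare(seed=1):
    """Imbalance ratio of both schemes on the same constructed evidence."""
    records = make_evidence(seed)
    return {
        "by_source": imbalance(node_loads(records, source_key)),
        "by_pattern": imbalance(node_loads(records, pattern_key)),
    }


if __name__ == "__main__":
    for scheme, ratio in compare().items():
        print(f"{scheme:11s} max/mean load = {ratio:.2f}")
    recs = make_evidence()
    for kf in (source_key, pattern_key):
        print(f"{kf.__name__:12s} nodes holding 203.0.113.1 evidence:",
              nodes_holding(recs, "203.0.113.1", kf))
```

Under source-address partitioning the three infected hosts land on at most three nodes, so those nodes carry several times the mean load; under pattern partitioning the same evidence spreads almost uniformly. The check in `nodes_holding` shows the caveat a practitioner should keep in mind: once evidence about one source is spread across nodes, any per-source verdict has to be assembled across nodes, which is the part of the design that decides whether detection accuracy is preserved.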
Keywords
Internet; groupware; invasive software; resource allocation; Internet; collaborative intrusion detection system; coordinated attacks; coordinated defense; detection accuracy; load balancing; load hot-spot; network security; source address; stealthy attacks; suspicious activity pattern; suspicious incoming traffic; workload distribution; worm outbreak; worm spread sources; Collaboration; Collaborative software; Computer architecture; Computer worms; Intrusion detection; Load management; Pattern analysis; Peer to peer computing; Scalability; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Network Operations and Management Symposium, 2008. NOMS 2008. IEEE
Conference_Location
Salvador, Bahia
ISSN
1542-1201
Print_ISBN
978-1-4244-2065-0
Electronic_ISBN
1542-1201
Type
conf
DOI
10.1109/NOMS.2008.4575116
Filename
4575116
Link To Document