An intrusion-tolerant mechanism for intrusion detection systems

In accordance with the increasing importance of intrusion detection systems (IDS), users justifiably demand the trustworthiness of the IDS. However, sophisticated attackers attempt to disable the IDS before they launch a thorough attack. Therefore, to accomplish its function, an IDS should have some mechanism to guarantee uninterrupted detection service even in the face of IDS component failures due to attacks. In this paper, we propose an intrusion-tolerant mechanism for network intrusion detection systems (NIDS) that employ multiple independent components. The mechanism monitors the detection units and the hosts on which the units reside and enables the IDS to survive component failure due to intrusions. As soon as a failed IDS component is discovered, a copy of the component is installed to replace it and the detection service continues. We implement the intrusion-tolerant mechanism based on the CSI-KNN-based NIDS and evaluate the prototype in the face of component failures. The results demonstrate that the mechanism can effectively tolerate intrusions.