HonIDS 2.0

HonIDS 2.0: Scalable, hierarchical cooperative architecture for Intrusion Detection and Malware analysis


State of the art

Complex network topologies, characterized by the presence of several subnetworks, Virtual Private Networks (VPN) and mobile users, cannot be effectively monitored by a centralized monitoring solution. Distributed IDS architectures are commonly deployed, but the presence of a centralized aggregation server represents a hard limit to the scalability of the architecture.

HonIDS 2.0

HonIDS 2.0 extends the HonIDS 1.0 architecture by adding a multi-layer hierarchical architecture of intermediate managers. The hierarchical structure, as well as the ability to manage arbitrarily complex subtrees and to aggregate and cache intermediate results, guarantees unprecedented scalability levels.

Malware specimens gathered through the low interaction honeypots installed in the sensors are stored and analyzed only once, by the central manager (the root of the manager tree), thus avoiding a useless repeated analysis every time the same malware specimen is captured by a different sensor within the same cooperative architecture.

Analysis results are processed by the central manager to produce a structured Network Activity Report containing all the relevant network activities of the analyzed malware. Activity reports are sent to all the participating subnetworks (all the networks hosting at least one sensor), thus allowing network administrators to deploy the appropriate countermeasures in a timely manner.
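The following is an added illustrative model of the manager tree described above (not HonIDS code): intermediate managers forward an unseen specimen upward and cache the result on the way back, the root analyzes each SHA-256 digest exactly once, and the resulting report is pushed to every subnetwork that has registered a sensor. The analysis step is a constructed stand-in (extracting embedded IPv4 literals), since this page does not describe the real analysis.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for the root's analysis: IPv4 literals embedded in the specimen.
IPV4 = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}")


@dataclass
class Manager:
    name: str
    parent: "Manager | None" = None
    cache: dict = field(default_factory=dict)      # sha256 -> Network Activity Report
    subnets: set = field(default_factory=set)      # networks hosting >= 1 sensor below us
    delivered: dict = field(default_factory=dict)  # subnet -> reports sent (root only)
    analyses: int = 0                              # times this node ran the analysis

    def register_sensor(self, subnet: str) -> None:
        """Attach a sensor's network here and announce it up to the root."""
        node = self
        while node is not None:
            node.subnets.add(subnet)
            node = node.parent

    def submit(self, specimen: bytes) -> dict:
        """A sensor below this manager captured `specimen`; return its report."""
        digest = hashlib.sha256(specimen).hexdigest()
        if digest in self.cache:              # cached intermediate result: stop here
            return self.cache[digest]
        if self.parent is not None:           # intermediate manager: forward upward
            report = self.parent.submit(specimen)
        else:                                 # root: analyze exactly once per digest
            self.analyses += 1
            hosts = sorted({m.decode() for m in IPV4.findall(specimen)})
            report = {"sha256": digest, "network_activity": hosts}
            for net in self.subnets:          # push the report to every participant
                self.delivered.setdefault(net, []).append(report)
        self.cache[digest] = report           # cache on the way back down
        return report


def demo():
    """Two-level tree: root over two site managers, one sensor network each."""
    root = Manager("root")
    site_a, site_b = Manager("site-a", root), Manager("site-b", root)
    site_a.register_sensor("10.1.0.0/16")
    site_b.register_sensor("10.2.0.0/16")
    sample = b"constructed specimen: beacon to 203.0.113.7:8080"  # TEST-NET-3 address
    site_a.submit(sample)                     # cache miss at site-a and root: analyzed
    site_b.submit(sample)                     # miss at site-b, hit at root: not re-analyzed
    return root, site_a, site_b
```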

An example of a simple HonIDS 2.0 architecture is represented in the following figure:

HonIDS 2.0 architecture