SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

The rapid increase in worldwide Internet activity in the past half-decade has given rise to a host of new network security threats. Until recently these threats have been (more or less) successfully combated with a combination of antivirus software, firewalls, and intrusion detection systems. But the latest generation of distributed denial of service (DDoS) attacks and Internet worms has demonstrated the shortcomings of traditional host- and network-based intrusion detection systems: incomplete information and inadequate user knowledge. One powerful remedy is Distributed Intrusion Detection (DID), which facilitates the consolidation of intrusion detection information from many different individual sources. This information allows the potential victims of malicious network activity to differentiate between harmless anomalies and actual attacks, and provides Internet service providers with the information and motivation they need to pursue and shut down hackers and worm-infested computers. Today's most popular DID systems, DShield and myNetWatchman, are an important first step towards realizing the full potential of distributed intrusion detection, but future implementations will need to address the issues of confidentiality, compatibility, and education if DID is to be widely adopted.