Distributed Attack Prevention Using Dempster-Shafer Theory of Evidence

2017 
This paper details a robust collaborative intrusion detection methodology for detecting attacks within a Cloud federation. It is a proactive model in which the responsibility for managing the elements of the Cloud is distributed among several monitoring nodes. Since there is a wide range of elements to manage, complexity grows proportionally with the size of the Cloud, so a suitable communication and monitoring hierarchy is adopted. Our architecture consists of four major entities: the Cloud Broker, the monitoring nodes, the local coordinator (Super Nodes), and the global coordinator (Command and Control server, C2). Incorporating monitoring nodes into our architecture enhances performance and response time while achieving higher accuracy and a broader spectrum of protection. For collaborative intrusion detection, we use the Dempster-Shafer theory of evidence via the role of the Cloud Broker. Dempster-Shafer executes as the main fusion node, collecting and fusing the information provided by the monitors and taking the final decision regarding a possible attack.
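The fusion step described above, as an added example that is not code from the paper: Dempster's rule of combination applied to reports from three monitoring nodes, followed by a decision on the fused belief. The two-hypothesis frame {attack, normal}, the mass values, the 0.75 decision threshold and all function names are assumptions made for illustration.

```python
from functools import reduce
from itertools import product

ATTACK = frozenset({"attack"})
NORMAL = frozenset({"normal"})
THETA = ATTACK | NORMAL  # whole frame of discernment: "monitor cannot tell"

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions (frozenset -> mass)."""
    fused, conflict = {}, 0.0
    for (a, x), (b, y) in product(m1.items(), m2.items()):
        common = a & b
        if common:                      # compatible evidence supports the intersection
            fused[common] = fused.get(common, 0.0) + x * y
        else:                           # contradictory evidence adds to the conflict K
            conflict += x * y
    if conflict >= 1.0 - 1e-12:         # K = 1: normalisation would divide by zero
        raise ValueError("total conflict: sources cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}

def belief(m, hypothesis):
    """Bel(H): mass committed to subsets of H (lower bound on support)."""
    return sum(v for s, v in m.items() if s <= hypothesis)

def plausibility(m, hypothesis):
    """Pl(H): mass not contradicting H (upper bound on support)."""
    return sum(v for s, v in m.items() if s & hypothesis)

def broker_decision(reports, threshold=0.75):
    """Fuse all monitor reports; flag an attack when Bel(attack) >= threshold.
    The threshold is a hypothetical policy value, not taken from the paper."""
    fused = reduce(combine, reports)
    bel = belief(fused, ATTACK)
    return fused, bel, plausibility(fused, ATTACK), bel >= threshold

# Constructed sample reports: two monitors lean towards attack, one disagrees.
REPORTS = [
    {ATTACK: 0.6, NORMAL: 0.1, THETA: 0.3},
    {ATTACK: 0.7, NORMAL: 0.1, THETA: 0.2},
    {ATTACK: 0.2, NORMAL: 0.5, THETA: 0.3},
]

if __name__ == "__main__":
    fused, bel, pl, alarm = broker_decision(REPORTS)
    print(f"Bel(attack)={bel:.4f} Pl(attack)={pl:.4f} alarm={alarm}")
```

The gap between belief and plausibility is the uncertainty left after fusion. The explicit total-conflict check matters because fully contradictory reports cannot be normalised.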