SBIR-STTR Award

Intelligent Distributed Intrusion Detection via Collaboration
Award last edited on: 4/29/2014

Sponsored Program
SBIR
Awarding Agency
DHS
Total Award Amount
$99,000
Award Phase
1
Solicitation Topic Code
H-SB04.2-001
Principal Investigator
Hilarie Orman

Company Information

PNP Networks

1525 Siesta Drive
Los Altos, CA 94024
(650) 964-7210
info@pnphome.com
www.pnphome.com
Location: Single
Congr. District: 18
County: Santa Clara

Phase I

Contract Number: ----------
Start Date: ----    Completed: ----
Phase I year
2004
Phase I Amount
$99,000
We propose to design a cognitive, automated Distributed Intrusion Detection System that correlates IDS data from nodes across multiple administrative domains. In Phase I we will demonstrate that for multiple types of attacks across multiple administrative domains, such a system can detect incipient attacks and inhibit their success, where no single local IDS can be reasonably expected to do so. We will build on our existing multicast IP protocol, Collaboration Bus (CB), that enables local IDS data sharing. CB also allows remote connection to external listeners outside a LAN or local administrative domain. We will design and deploy a cognitive algorithm on a CB listener that uses Bayesian methods to correlate incoming IDS data and make diagnoses and judgments about action(s) to take. Using Emulab at the University of Utah, we will deploy CB on at least three independent target administrative domains together with a remote listener. We will deploy at least three known effective distributed attacks, and target them in an isolated environment at the target domains. We will run the cognitive listener and confirm that it has made appropriate judgments. We will generate innocuous traffic and confirm that the cognitive listener has not erroneously detected attacks.

Phase II

Contract Number: ----------
Start Date: ----    Completed: ----
Phase II year
----
Phase II Amount
----