Most network defense systems only rely on evidence-based knowledge about past cyberattacks, known as threat intelligence. Firewalls and intrusion prevention systems rely on the shared threat intelligence generated by other systems to prevent attacks before is too late. Such threat intelligence is usually shared via centralized public and private blocklists, where a single centralized authority, hopefully, has complete control over what is published. Such centralized systems have many issues: single point of failure both technically and in trust, lack of flexibility on new data and providers, and manual trust in the providers.
To mitigate these problems, peer-to-peer networks can be used to share threat intelligence. However, because these networks are open to anyone, including malicious actors, peers need to be able to determine who to trust and which data is better to discard.
This thesis introduces Fides. Fides is a generic trust model fine-tuned for sharing security threat intelligence in highly adversarial global peer-to-peer networks of intrusion prevention agents. We design and build Fides taking into account the problems and limitations of previous state-of-the-art trust models, optimizing it for a broad spectrum of peer-to-peer networks where peers can join and leave at any time. Fides evaluates the behavior of peers in the network, including their membership in pre-trusted organizations and uses this knowledge to compute the trust. Fides continually assesses received data from the peers, and by weighting and comparing them with each other as well as with the existing knowledge, Fides is able to determine which peer provides better threat intelligence and which peers are more reliable. The received threat intelligence is always aggregated and weighted and then provided to the underlying intrusion prevention system. Among many results, our experiments show that in the worst possible scenario, when 75% of the network is completely controlled by malicious actors Fides is still able to provide the correct values of the threat intelligence data under an assumption that the other part of the network, the remaining 25%, are peers that are part of trusted organizations.
The direct contributions of this thesis are the computational model of the trust model Fides, the reference implementation of the model in Python, the simulation framework for modeling peers' behavior in the network including the implementation of the framework and the implementation of the Fides module for reference intrusion prevention system.