Fides module. Global P2P Threat Intelligence Sharing

Slips implements an Internet-wide global P2P system for Threat Intelligence sharing and alerting.

The Fides module implements the Global P2P system in Slips.

Traditional network defense systems depend on centralized threat intelligence, which has limitations such as a single point of failure, inflexibility, and the need to trust a central authority. Peer-to-peer networks offer an alternative for sharing threat intelligence, but they must cope with peers whose trustworthiness is unknown, including potentially malicious ones.

The Fides module is based on the master's thesis of Lukáš Forst and was implemented in Slips in the master's thesis of David Otta. Its goal is to address the problem of trusting peers in a P2P network by providing several trust evaluation models. It evaluates peer behavior, takes membership in trusted organizations into account, and assesses incoming threat data to determine how reliable it is. Fides then aggregates and weights that data so it can strengthen an intrusion prevention system even in adversarial scenarios. Experiments show that Fides can maintain accurate threat intelligence even when 75% of the network is controlled by malicious actors, provided the remaining 25% are trusted peers.

The whole architecture is thoroughly documented in the thesis itself, which can be downloaded from the link above.

Docker direct use

You can use Slips with the Fides module by enabling it in the Slips config file or by using the following commands.

docker pull stratosphereips/slips
docker run -it --rm --net=host --cap-add=NET_ADMIN stratosphereips/slips

Note that --use_fides=True is a Slips option, not a Docker one: placed among the docker run options it is rejected as an unknown flag. Enable Fides inside the container instead, either in the Slips config file or by passing --use_fides=True to Slips itself. The Fides module also needs the NET_ADMIN capability, so keep --cap-add=NET_ADMIN.

Conditions

If you plan to use the Fides module, be aware that it is only active when Slips is running on a network interface or on a growing Zeek directory. When Slips is run on a file (for example a pcap), --use_fides=True is ignored.

Configuration

The evaluation model, the evaluation thresholds, and the other Fides settings are located in modules/fides/config/fides.conf.yml.

If a Slips run needs a different Fides configuration, set global_p2p.fides_conf in the Slips config to the relative path of the alternate YAML file.

Possible threat intelligence evaluation models

Model name        Description
average           Average Confidence Trust Intelligence Aggregation
weightedAverage   Weighted Average Confidence Trust Intelligence Aggregation
stdevFromScore    Standard Deviation From Score Trust Intelligence Aggregation

Usage in Slips

Fides is inactive by default in Slips.

To enable it, change use_fides=False to use_fides=True in config/slips.yaml, then start Slips on your interface (see Conditions above: Fides is not used when Slips reads a file).

The Fides shared SQLite cache is stored under the directory configured by parameters.permanent_dir. By default this is permanent/databases/, so the cache persists across Slips runs.

How it works:

Slips interacts with other Slips peers for the following purposes:

Sharing an opinion with peers

If peer C asks peer A for its opinion on peer B, peer A sends its opinion on peer B to peer C, if it has one.

Asking for an opinion

Peers can ask other peers what they think about an IP address or domain.

Dispatching alerts

If a peer generates an alert from evidence of an attack, it can warn the other peers by sending an Alert message over the P2P network.
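The aggregation step that follows "asking for an opinion" is where the evaluation models listed above come in. The Python below is an added illustration, not Fides's own code (the real formulas are in the thesis): it sketches what the three model names suggest and runs them on a constructed scenario in which 75% of the peers collude to whitewash an IP and only the remaining peer is trusted, which is the setting the 75%/25% claim above describes. The sign convention (+1.0 malicious, -1.0 benign), the trust table, the peer names and the outlier rule in stdev_from_score are all assumptions made for the example.

```python
"""Illustrative trust-weighted aggregation of peer opinions.

Added example, not Fides's code.  Assumed conventions: score +1.0 means
malicious and -1.0 benign; confidence and trust lie in [0, 1].  The peers,
trust values and opinions below are constructed for the example.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Opinion:
    peer: str          # remote peer that reported the opinion
    score: float       # -1.0 (benign) .. +1.0 (malicious), as reported
    confidence: float  # 0.0 .. 1.0, the peer's confidence in its own score


# Constructed scenario: 3 of 4 peers (75%) collude and report the target IP
# as benign; the one honest peer is the only one the local Slips trusts.
TRUST = {"mal-1": 0.1, "mal-2": 0.1, "mal-3": 0.1, "honest": 0.9}
OPINIONS = [
    Opinion("mal-1", score=-1.0, confidence=1.0),
    Opinion("mal-2", score=-1.0, confidence=1.0),
    Opinion("mal-3", score=-1.0, confidence=1.0),
    Opinion("honest", score=1.0, confidence=0.9),
]


def average(opinions):
    """Confidence-weighted mean of the scores; every peer counts equally.
    Returns (aggregate score, aggregate confidence)."""
    if not opinions:
        return 0.0, 0.0
    total = sum(o.confidence for o in opinions)
    if total == 0:
        return 0.0, 0.0
    score = sum(o.score * o.confidence for o in opinions) / total
    return score, total / len(opinions)


def weighted_average(opinions, trust):
    """Like average(), but each opinion is also weighted by the trust the
    local peer places in its author; untrusted peers barely move the result."""
    if not opinions:
        return 0.0, 0.0
    weights = [o.confidence * trust.get(o.peer, 0.0) for o in opinions]
    total = sum(weights)
    if total == 0:
        return 0.0, 0.0
    score = sum(o.score * w for o, w in zip(opinions, weights)) / total
    return score, total / len(opinions)


def stdev_from_score(opinions, trust, k=1.0):
    """Assumed outlier rule: compute the trust-weighted aggregate, drop the
    opinions whose score lies more than k standard deviations from it, and
    aggregate the remaining opinions again."""
    if not opinions:
        return 0.0, 0.0
    base, conf = weighted_average(opinions, trust)
    spread = pstdev([o.score for o in opinions])
    if spread == 0:
        return base, conf
    kept = [o for o in opinions if abs(o.score - base) <= k * spread]
    return weighted_average(kept, trust) if kept else (base, 0.0)


def verdict(score, threshold=0.0):
    """Map an aggregate score onto the assumed sign convention."""
    return "malicious" if score > threshold else "benign"


if __name__ == "__main__":
    models = (
        ("average", lambda: average(OPINIONS)),
        ("weightedAverage", lambda: weighted_average(OPINIONS, TRUST)),
        ("stdevFromScore", lambda: stdev_from_score(OPINIONS, TRUST)),
    )
    for name, run in models:
        score, conf = run()
        print(f"{name:16} score={score:+.3f} confidence={conf:.3f} -> {verdict(score)}")
```

On this input the plain average follows the colluding majority and calls the IP benign, the trust-weighted average flips the verdict to malicious because the three low-trust peers together carry less weight than the one trusted peer, and the standard-deviation variant discards the colluders' scores entirely and keeps only the honest opinion. The verdict only holds while the honest peer is actually trusted; if every peer were trusted equally, weightedAverage would collapse to average and the majority would win.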

Logs

Slips writes a minimal log of the reports received from other peers and of peer updates in the output directory (the default one, or the one given with the corresponding Slips parameter at startup). The custom logger in modules/fides/utils/logger.py is used by the Fides module for its internal logging.

Implementation notes and credit

The mathematical models for the trust evaluation were written by Lukáš Forst as part of his master's thesis.

Privacy

Slips shares only the trust level and confidence values it has computed about IPs with the network, and no other information.