A Distributed and Privacy-Preserving Method for Network Intrusion Detection

Fatiha Benali 1, Nadia Bennani 2, Gabriele Gianini 3, and Stelvio Cimato 3

1 CITI, INSA-Lyon, F-69621, France
2 Université de Lyon, CNRS, INSA-Lyon, LIRIS, UMR5205, F-69621, France
3 Università degli Studi di Milano, Milano, Italy
fatiha.benali@insa-lyon.fr, nadia.bennani@liris.cnrs.fr, {gabriele.gianini,stelvio.cimato}@unimi.it

Abstract. Organizational security is becoming increasingly difficult to achieve because information technology and networking resources are dispersed across organizations. Network intrusion attacks are harder and harder to detect even when the most sophisticated security tools are used. To address this problem, researchers and vendors have proposed alert correlation, an analysis process that takes the events produced by the monitoring components and produces compact reports on the security status of the monitored organization. Centralized solutions require a third party to gather the global state of the network from the distributed resources in order to evaluate the risk of attacks, but they neglect honest-but-curious behaviors. In this paper, we focus on this issue and propose a set of solutions able to give a coarse- or fine-grained global state depending on the system needs and on the privacy level requested by the involved organizations.

1 Introduction

Today, information technology and networking resources are dispersed across an organization. Threats are similarly distributed across many organizational resources. Therefore, the security of information systems (IS) is becoming a crucial part of business processes. Companies must deal with open systems on the one hand and ensure a high level of protection on the other. As a common task, an administrator starts with the identification of threats related to business assets, and applies a security product on each asset to protect an IS.
Then, administrators tend to combine and multiply security products and protection techniques such as firewalls, anti-virus, Virtual Private Networks (VPN), Intrusion Detection Systems (IDS) and security audits. Usually, attacks against open and/or distributed systems are difficult to detect, as attackers act independently on different resources to accomplish a full attack scenario. In previous work, Saraydaryan et al. [29] proposed an efficient solution to detect abnormal user behavior. In this solution, users' behaviors are modeled through a Bayesian network. The

R. Meersman et al. (Eds.): OTM 2010, Part II, LNCS 6427, pp. 861–875, 2010.
© Springer-Verlag Berlin Heidelberg 2010
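As an added illustration of the honest-but-curious concern raised in the abstract (example code, not the paper's proposed method): a correlator that receives each organization's raw IDS alert counts learns every organization's detail as a by-product of computing the global totals, whereas additive secret sharing among the organizations lets the correlator learn only the per-signature totals (a coarse global state). Organization names, signature labels and counts are constructed; the sharing scheme is the standard textbook one, chosen here for illustration.

```python
import secrets
from collections import Counter

# Constructed per-organization alert counts (signature -> number of alerts),
# as each organization's IDS might report them. Values are made up.
ORG_ALERTS = {
    "orgA": Counter({"ssh_bruteforce": 12, "port_scan": 40}),
    "orgB": Counter({"ssh_bruteforce": 3, "sql_injection": 7}),
    "orgC": Counter({"port_scan": 15, "sql_injection": 1}),
}
SIGNATURES = sorted({s for c in ORG_ALERTS.values() for s in c})
MOD = 2**61 - 1  # modulus for share arithmetic; real counts stay far below it


def centralized_view(org_alerts):
    """Centralized correlator: receives every organization's raw counts.
    It computes the totals, but as a side effect it also holds the
    per-organization detail, which an honest-but-curious party can inspect."""
    seen_by_third_party = {org: dict(c) for org, c in org_alerts.items()}
    totals = sum(org_alerts.values(), Counter())
    return totals, seen_by_third_party


def split_shares(value, n):
    """Additive secret sharing: n uniformly random shares mod MOD that sum to
    value. Any n-1 of them reveal nothing about value."""
    shares = [secrets.randbelow(MOD) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def shared_aggregate(org_alerts, signatures):
    """Each organization splits its count per signature into one share per
    organization and hands share i to organization i. Each organization sums
    the shares it holds and publishes only that partial sum; the correlator
    adds the partial sums. Neither the correlator nor any single organization
    sees another organization's raw count."""
    n = len(org_alerts)
    held = [Counter() for _ in range(n)]  # held[i]: shares received by org i
    for c in org_alerts.values():
        for sig in signatures:
            for i, share in enumerate(split_shares(c[sig], n)):
                held[i][sig] = (held[i][sig] + share) % MOD
    # What the correlator actually receives: one partial sum per org per signature.
    partial_sums = [{sig: h[sig] for sig in signatures} for h in held]
    totals = {sig: sum(p[sig] for p in partial_sums) % MOD for sig in signatures}
    return totals, partial_sums
```

Running both functions on the same input yields identical totals, but only the centralized variant leaves the correlator holding each organization's individual counts.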