A Case for Network-wide Orchestration of Host-based Intrusion Detection and Response

Recent cyber incidents and the push for zero trust security underscore the necessity of monitoring host-level events. However, current host-level intrusion detection systems (IDS) lack the ability to correlate alerts across hosts and coordinate a network-wide response in real time. Motivated by advances in system-level extensions that require no reboot and in network-wide orchestration of host actions, we propose using a central IDS orchestrator to remotely program the logic of each host IDS and to collect the alerts it generates in real time. In this paper, we make the arguments for such a system concept and provide a high-level design of its main components. Furthermore, we have developed a system prototype and evaluated it using two experimental scenarios rooted in real-world attacks. The evaluation results show that the host-based IDS orchestration system is able to defend against the attacks effectively.
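As an added illustration of the orchestration loop the abstract argues for (example code written here, not the authors' prototype): an orchestrator programs a detection rule onto each host IDS without a reboot, collects the alerts, correlates the same rule firing on several distinct hosts within a time window, and pushes a blocking response to every host, including hosts not yet hit. The host names, the `web_shell` rule, the event fields, the two-host threshold and the 30-second window are all constructed assumptions.

```python
# Added illustrative model of the loop the abstract describes (not the authors' prototype).
class HostIDS:
    # Host IDS whose detection rules are programmed remotely by the orchestrator.
    def __init__(self, name, orchestrator):
        self.name, self.orchestrator = name, orchestrator
        self.rules = {}        # rule name -> predicate over one host event
        self.blocked = set()   # response state pushed by the orchestrator
        orchestrator.hosts[name] = self

    def program(self, rule_name, predicate):
        self.rules[rule_name] = predicate   # hot-swapped, no reboot required

    def observe(self, event):
        # Evaluate one event locally; report a matching alert in real time.
        if event["proc"] in self.blocked:
            return "blocked"
        for rule_name, predicate in self.rules.items():
            if predicate(event):
                self.orchestrator.report(self.name, rule_name, event)
        return "allowed"

class Orchestrator:
    # Central orchestrator: programs hosts, collects and correlates their alerts.
    def __init__(self, min_hosts=2, window_s=30):
        self.hosts, self.alerts, self.responses = {}, [], []
        self.min_hosts, self.window_s = min_hosts, window_s

    def program_all(self, rule_name, predicate):
        for host in self.hosts.values():
            host.program(rule_name, predicate)

    def report(self, host_name, rule_name, event):
        self.alerts.append((host_name, rule_name, event))
        # Cross-host correlation: one rule on several hosts inside the window is a campaign.
        recent = {h for h, r, e in self.alerts
                  if r == rule_name and event["ts"] - e["ts"] <= self.window_s}
        if len(recent) >= self.min_hosts:
            self.respond(rule_name, event["proc"])

    def respond(self, rule_name, proc):
        if (rule_name, proc) not in self.responses:
            self.responses.append((rule_name, proc))
            for host in self.hosts.values():   # coordinated response everywhere,
                host.blocked.add(proc)         # including hosts not yet hit

def run_demo():
    # Constructed hosts, rule and events: a web server process spawning a shell.
    orch = Orchestrator(min_hosts=2, window_s=30)
    hosts = [HostIDS(f"web-{i}", orch) for i in (1, 2, 3)]
    orch.program_all("web_shell", lambda e: e["parent"] == "httpd" and e["proc"] == "sh")
    events = [{"ts": t, "parent": "httpd", "proc": "sh"} for t in (0, 12, 15)]
    return [h.observe(e) for h, e in zip(hosts, events)], orch.responses
```

In `run_demo`, the third host never evaluates the rule itself: the response pushed after the second correlated alert already blocks the process there.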
@article{timmons2025_2504.06241,
  title={A Case for Network-wide Orchestration of Host-based Intrusion Detection and Response},
  author={Mark Timmons and Daniel Lukaszewski and Geoffrey Xie},
  journal={arXiv preprint arXiv:2504.06241},
  year={2025}
}