dc.contributor: Santos, Osmar Marchi dos
dc.contributor: http://lattes.cnpq.br/3867718775277531
dc.contributor: Maziero, Carlos Alberto
dc.contributor: http://lattes.cnpq.br/5659788852261811
dc.contributor: Legg, Andrei Piccinini
dc.contributor: http://lattes.cnpq.br/9873333807426188
dc.creator: Ceolin Junior, Tarcisio
dc.date.accessioned: 2015-02-19
dc.date.available: 2015-02-19
dc.date.created: 2015-02-19
dc.date.issued: 2014-02-28
dc.identifier: CEOLIN JUNIOR, Tarcisio. ALERT CORRELATION IN AN INTERNET EARLY WARNING SYSTEM. 2014. 66 f. Dissertação (Mestrado em Ciência da Computação) - Universidade Federal de Santa Maria, Santa Maria, 2014.
dc.identifier: http://repositorio.ufsm.br/handle/1/5439
dc.description.abstract: Intrusion Detection Systems (IDS) are designed to monitor the computer network infrastructure against possible attacks by generating security alerts. With the increase of components connected to computer networks, traditional IDS are not capable of effectively detecting malicious attacks. This occurs either by the distributed amount of data that traverses the network or the complexity of the attacks launched against the network. Therefore, the design of Internet Early Warning Systems (IEWS) enables the early detection of threats in the network, possibly avoiding eventual damages to the network resources. The IEWS works as a sink that collects alerts from different sources (for example, from different IDS), centralizing and correlating information in order to provide a holistic view of the network. This way, the current dissertation describes an IEWS architecture for correlating alerts from (geographically) spread out IDS using the Case-Based Reasoning (CBR) technique together with IP Georeferencing. The results obtained during experiments, which were executed over the implementation of the developed technique, showed the viability of the technique in reducing false positives. This demonstrates the applicability of the proposal as the basis for developing advanced techniques inside the extended IEWS architecture.
dc.publisher: Universidade Federal de Santa Maria
dc.publisher: BR
dc.publisher: Ciência da Computação
dc.publisher: UFSM
dc.publisher: Programa de Pós-Graduação em Informática
dc.rights: Open Access
dc.subject: Alert correlation
dc.subject: Intrusion detection
dc.subject: Internet Early Warning Systems
dc.subject: Situational awareness
dc.title: Correlação de alertas em um Internet Early Warning Systems
dc.type: Dissertation

