Sistema concurrente de detección de intrusiones con correlación de alertas en entornos distribuidos

Los escenarios típicos de un NIDS suelen ser redes de tamaño muy variado, desde domésticas hasta de grandes empresas. Pero también hay propuestas para adaptarlos a la computación en la nube. Al ser este tipo de computación un paradigma bastante reciente presenta riesgos de seguridad que creemos que pueden ser reducidos con un NIDS. El sistema de detección de intrusos propuesto en el presente documento propone una serie de medidas para adaptar un NIDS a un entorno de computación en la nube y, motivados por dos carencias que podría presentar esta propuesta, se proponen dos mejoras, la primera de ellas será la mejora de velocidad de análisis mediante el uso de paralelismo tanto a nivel GPU como CPU y la segunda será añadirle un sistema de correlación de alertas. Como método para conseguir estos objetivos se han evaluado diferentes vías que se desarrollan a lo largo de este documento. OpenStack permitirá desplegar un sistema de computación en la nube sobre uno o varios nodos físicos, CUDA y OpenMP hacer uso de paralelismo a nivel de GPU y CPU, y la logica difusa etiquetar las alertas en cada uno de los tipos de ataque. Como líneas de investigación futuras quedaría el desarrollo de un algoritmo de ordenación que explote el paralelismo a nivel de CPU y optimizar la correlación de alertas. [ABSTRACT] Typical scenarios of a NIDS usually are varied sized networks, from domestic to large companies. But there are also proposals to adapt it to the cloud computing. Since this kind of computing paradigm presents fairly recent security risks, we believe may be reduced with NIDS. The intrusion detection system proposed in this document proposes a series of measures to adapt a NIDS to an environment of cloud computing and motivated by two shortcomings that could present, this proposal proposes two improvements, the first of which will improve analysis speed by using parallelism at CPU and GPU and the second generate a system alert correlation. As a method for achieving these goals are assessed different ways that develop throughout this document. OpenStack will help us to deploy a cloud computing on one or more physical nodes, CUDA and OpenMP will help us to use parallelism at GPU and CPU level, and fuzzy logic will help us to label each attack. As future research lines would be the development of a sorting algorithm that exploits parallelism and optimize CPU level alert correlation

Minimization of DDoS false alarm rate in Network Security; Refining fusion through correlation

Intrusion Detection Systems are designed to monitor a network environment and generate alerts whenever abnormal activities are detected. However, the number of these alerts can be very large making their evaluation a difficult task for a security analyst. Alert management techniques reduce alert volume significantly and potentially improve detection performance of an Intrusion Detection System. This thesis work presents a framework to improve the effectiveness and efficiency of an Intrusion Detection System by significantly reducing the false positive alerts and increasing the ability to spot an actual intrusion for Distributed Denial of Service attacks. Proposed sensor fusion technique addresses the issues relating the optimality of decision-making through correlation in multiple sensors framework. The fusion process is based on combining belief through Dempster Shafer rule of combination along with associating belief with each type of alert and combining them by using Subjective Logic based on Jøsang theory. Moreover, the reliability factor for any Intrusion Detection System is also addressed accordingly in order to minimize the chance of false diagnose of the final network state. A considerable number of simulations are conducted in order to determine the optimal performance of the proposed prototype

A Simulation Based SIEM Framework to Attribute and Predict Attacks

We present a Security Information and Event Management (SIEM) framework to correlate, attribute and predict attacks against an ICT system. The output of the assessment of ICT risk, that exploits multiple simulations of attacks against the system, drives the building of a SIEM database. This database enables the SIEM to correlate sequences of detected attacks, to probabilistically attribute and predict attacks, and to discover 0-day vulnerability. After describing the framework and its prototype implementation, we discuss the experimental results on the main SIEM capabilities