This information security project aims to research ways of integrating a variety of detection techniques, both existing ones and ones yet to be developed, so that they operate together and improve network traffic analysis. Ongoing research on intrusion detection keeps producing new methodologies, but these are not normally used in combination. Using them cooperatively would yield more accurate attack detection. However, doing so may generate an excessive number of alerts, which makes the network environment harder to monitor. To mitigate this difficulty, the project proposes a methodology capable of correlating alerts originating from several intrusion detection systems: alerts belonging to the same attack taxonomy class will be grouped so that alert analysis by the network administrator is easier. In addition, a flow-based attack detection module is proposed that uses link-layer (data link layer) information for its analysis. With this approach we intend to build a system that 1) facilitates the network administrator's analysis of alerts originating from several intrusion detection methods in a collaborative architecture, and 2) possibly decreases the amount of traffic exchanged between the correlation units.
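As an added illustration of the alert-correlation step described above (example code, not the project's own), the following correlator maps alerts from several hypothetical sensors onto a shared attack taxonomy and merges alerts of the same class, source and destination that fall within a time window into one meta-alert. The taxonomy classes, sensor names, signature labels and sample alerts are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed mapping from each detector's own label to a shared taxonomy class
# (hypothetical classes; the project's actual taxonomy is not given on the page).
TAXONOMY = {
    "sig:syn-scan": "reconnaissance",
    "anomaly:port-sweep": "reconnaissance",
    "flow:syn-flood": "dos",
    "anomaly:packet-rate": "dos",
}

@dataclass
class Alert:
    sensor: str   # which IDS raised the alert (constructed names)
    ts: float     # time of the alert, in epoch seconds
    src: str
    dst: str
    label: str    # detector-specific signature or anomaly name

@dataclass
class MetaAlert:
    category: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    sensors: set = field(default_factory=set)  # sensors that agreed on this event
    count: int = 0                              # raw alerts folded into this group

def correlate(alerts, window=60.0):
    """Group alerts by (taxonomy class, src, dst); start a new group when the gap
    since the group's last alert exceeds the window. Returns groups in time order."""
    groups, open_groups = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (TAXONOMY.get(a.label, "unknown"), a.src, a.dst)
        m = open_groups.get(key)
        if m is None or a.ts - m.last_ts > window:
            m = MetaAlert(key[0], a.src, a.dst, a.ts, a.ts)
            open_groups[key] = m
            groups.append(m)
        m.last_ts = a.ts
        m.sensors.add(a.sensor)
        m.count += 1
    return groups

# Constructed sample: six raw alerts from three sensors about two hosts.
SAMPLE = [
    Alert("signature-ids", 100.0, "10.0.0.5", "10.0.0.9", "sig:syn-scan"),
    Alert("anomaly-ids", 103.0, "10.0.0.5", "10.0.0.9", "anomaly:port-sweep"),
    Alert("flow-module", 105.0, "10.0.0.5", "10.0.0.9", "anomaly:port-sweep"),
    Alert("flow-module", 400.0, "10.0.0.7", "10.0.0.9", "flow:syn-flood"),
    Alert("anomaly-ids", 401.0, "10.0.0.7", "10.0.0.9", "anomaly:packet-rate"),
    Alert("signature-ids", 900.0, "10.0.0.5", "10.0.0.9", "sig:syn-scan"),
]
```

Running `correlate(SAMPLE)` on the six constructed alerts yields three meta-alerts, and the `sensors` field shows how many independent detectors agreed on each one, which is the signal a network administrator can prioritise on.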