Um Sistema Adaptativo de Detecção e Reação a Ameaças (An Adaptive Threat Detection and Reaction System)
Abstract
Attackers create new threats and constantly change their behavior to mislead current security systems. Moreover, threats are typically detected only after days or weeks, while a countermeasure must be triggered immediately to avoid or reduce damage. This paper proposes an adaptive threat detection system with an SDN-based scheme to apply countermeasures. The contributions of this work are: i) threat detection and prevention that analyzes only five packets of each flow; ii) adaptive detection algorithms with real-time training; iii) an instant countermeasure trigger, without waiting for the end of the flow; iv) effective threat blocking, even in scenarios with spoofed IP addresses. The SDN scheme monitors the five-packet sequence and blocks the threat at its source, avoiding wasted network resources. The results show high accuracy in threat detection, even as network behavior varies over time.
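As an added illustration of the architecture the abstract describes (this is not the paper's code: the paper's classifier, feature set and traffic traces are not given on this page, so everything below is an assumption), the following Python sketch buffers the first five packets of each flow, classifies the flow with an online-updated nearest-centroid model, and on a threat verdict emits an OpenFlow-style drop rule matched on the ingress switch port and the victim's destination rather than on the source IP, so a spoofed source address gives the attacker no way around the block. The names `Controller`, `OnlineCentroid`, `run_demo` and the packet traces are hypothetical and constructed for this example.

```python
"""Early-flow detection after the first N packets of each flow, with an
SDN-style countermeasure keyed on the ingress port rather than on the
(possibly spoofed) source IP.  Illustrative code added to this page; the
feature set, classifier and packet traces are assumptions, not the paper's."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

N_PACKETS = 5  # decide after this many packets of a flow, as the abstract states
MTU = 1500.0   # packet sizes are scaled by this so every feature sits in [0, 1]

@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time in seconds
    dpid: int       # OpenFlow datapath (switch) id
    in_port: int    # ingress port on that switch
    src: str        # source IPv4 address; attacker-controlled, may be spoofed
    dst: str
    proto: str
    sport: int
    dport: int
    length: int
    syn: bool       # TCP SYN flag set

def flow_key(p):
    return (p.src, p.dst, p.proto, p.sport, p.dport)

def features(pkts):
    """Summarise the first N packets: mean/std size, mean inter-arrival gap, SYN ratio."""
    sizes = [p.length / MTU for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return [mean(sizes), pstdev(sizes), mean(gaps) if gaps else 0.0,
            sum(p.syn for p in pkts) / len(pkts)]

class OnlineCentroid:
    """Nearest-centroid classifier; every labelled sample updates the class mean
    at once, so the model follows drifting traffic (assumed model, not the paper's)."""
    def __init__(self):
        self.total = {"benign": None, "threat": None}
        self.n = {"benign": 0, "threat": 0}

    def train(self, x, label):
        t = self.total[label]
        self.total[label] = list(x) if t is None else [a + b for a, b in zip(t, x)]
        self.n[label] += 1

    def predict(self, x):
        best, best_d = None, float("inf")
        for label, t in self.total.items():
            if self.n[label] == 0:
                continue
            centroid = [v / self.n[label] for v in t]
            d = sum((a - b) ** 2 for a, b in zip(x, centroid))
            if d < best_d:
                best, best_d = label, d
        return best

class Controller:
    """Buffers the first N packets per flow, classifies once, and on a threat
    verdict emits a drop rule for the ingress (dpid, in_port) towards the victim.
    The match deliberately omits ipv4_src: spoofing the source does not evade it,
    and the flow is dropped on the first switch it enters, not after crossing the network."""
    def __init__(self, model):
        self.model = model
        self.buf = defaultdict(list)
        self.verdicts = {}   # flow key -> "benign" / "threat"
        self.feats = {}      # flow key -> feature vector, kept for later feedback
        self.rules = []

    def packet_in(self, p):
        k = flow_key(p)
        if k in self.verdicts:          # already decided; no further packets are examined
            return None
        self.buf[k].append(p)
        if len(self.buf[k]) < N_PACKETS:
            return None
        x = features(self.buf.pop(k))
        self.feats[k] = x
        self.verdicts[k] = self.model.predict(x)
        if self.verdicts[k] != "threat":
            return None
        rule = {"dpid": p.dpid, "priority": 100,
                "match": {"in_port": p.in_port, "eth_type": 0x0800, "ipv4_dst": p.dst,
                          "ip_proto": p.proto, "tcp_dst": p.dport},
                "actions": []}          # an empty action list means drop in OpenFlow
        self.rules.append(rule)
        return rule

    def feedback(self, k, label):
        """Confirmed label (analyst, honeypot): retrain the model immediately."""
        self.model.train(self.feats[k], label)

def make_flow(dpid, in_port, src, dst, sport, dport, lengths, gap, syns):
    return [Packet(i * gap, dpid, in_port, src, dst, "tcp", sport, dport, L, s)
            for i, (L, s) in enumerate(zip(lengths, syns))]

# Constructed traces, not captured data: a client->server web flow and a
# fixed-source SYN flood for training, then an unseen flow of each kind, the
# flood now coming from a spoofed address on the same ingress port.
TRAINING = [
    (make_flow(1, 3, "10.0.0.5", "10.0.0.80", 40001, 80,
               [74, 66, 200, 66, 600], 0.02, [True] + [False] * 4), "benign"),
    (make_flow(1, 7, "203.0.113.9", "10.0.0.80", 5555, 80, [60] * 5, 0.001, [True] * 5), "threat"),
]
BENIGN_TEST = make_flow(1, 3, "10.0.0.6", "10.0.0.80", 40002, 80,
                        [74, 66, 150, 66, 1200], 0.03, [True] + [False] * 4)
SPOOFED_TEST = make_flow(1, 7, "198.51.100.77", "10.0.0.80", 6666, 80, [60] * 5, 0.0005, [True] * 5)

def run_demo():
    """Train, replay both test flows packet by packet, then apply one feedback step."""
    model = OnlineCentroid()
    for pkts, label in TRAINING:
        model.train(features(pkts), label)
    ctl = Controller(model)
    decided_at = {}  # flow key -> packet count at which the drop rule fired
    for pkts in (BENIGN_TEST, SPOOFED_TEST):
        for i, p in enumerate(pkts):
            if ctl.packet_in(p) is not None:
                decided_at[flow_key(p)] = i + 1
    ctl.feedback(flow_key(SPOOFED_TEST[0]), "threat")  # real-time training step
    return ctl, decided_at

if __name__ == "__main__":
    ctl, at = run_demo()
    for k, v in ctl.verdicts.items():
        print(k, "->", v, "(rule after %d packets)" % at[k] if k in at else "")
    print(ctl.rules)
```

Two practical caveats follow from the sketch. Flows are keyed by 5-tuple, so a flood that randomizes the source address on every packet never accumulates five packets in one flow; a deployment has to aggregate by destination as well, or the early-detection window never opens. And the `feedback` path only retrains on confirmed labels: feeding the model its own verdicts would let a misclassification reinforce itself, which is the wrong kind of adaptation.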
Published
2017-11-06
How to Cite
LOBATO, Antonio Gonzalez Pastana; LOPEZ, Martin Andreoni; REBELLO, Gabriel Antonio F.; DUARTE, Otto Carlos Muniz Bandeira. Um Sistema Adaptativo de Detecção e Reação a Ameaças. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17., 2017, Brasília. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2017. p. 400-413. DOI: https://doi.org/10.5753/sbseg.2017.19515.
