Data Model of a Knowledge Base for Monitoring Attacks in Computer Networks
Abstract
The popularization of the Internet has led to an increased number of web applications that handle critical information, and with it an increase in attacks that exploit the vulnerabilities of these applications. This scenario has encouraged companies to invest in tools to monitor their computer network infrastructures. This paper proposes a data model for a knowledge base that represents information on different aspects of computer networks, with a focus on intrusion detection events such as alerts generated by intrusion detection systems, information about countermeasures, and traffic statistics. A case study conducted on a real network infrastructure demonstrates the applicability of the data model and allows us to identify the advantages of its use, showing its potential for building situational awareness.
