Breaking the Barrier between Security Mechanisms through Web Service Composition: An Architecture for Detecting Distributed, Multistage Attacks
Abstract
In recent years, the number of planned attacks, such as DDoS, has increased. These attacks are composed of several stages and originate from a number of hosts. Traditional intrusion detection solutions do not cope well with this type of attack because, among other reasons, they lack mechanisms for uniform communication with distinct security systems (e.g. IDS, firewall, etc.) and for correlating, in a timely manner, the events observed. To fill this gap, this paper proposes a service-oriented architecture for multistage, distributed attack detection. The architecture has been developed following the WSDM (Web Services Distributed Management) standard and evaluated experimentally using a DDoS attack scenario proposed by the MIT Lincoln Laboratory.
