Avaliação do Emprego de Raciocínio baseado em Casos para Identificar Cenários de Intrusão em Logs de Firewalls

  • Samir Lohmann UNISINOS
  • Luciano Paschoal Gaspary UNISINOS
  • Cristina Melchiors UNISINOS

Abstract

The content analysis of firewall logs is fundamental to recognizing suspicious event sequences that reveal the strategies used by intruders attempting to obtain unauthorized access to hosts and services. Because of the large volume of stored log data, such analysis cannot feasibly be performed by hand. This paper presents an approach that explores the case-based reasoning technique, from the Artificial Intelligence field, to automatically identify intrusion scenarios in firewall logs. The paper describes the evaluation of our approach, carried out on real log files generated by the university firewall, and discusses how the tuning of the parameters that comprise a case influences alert generation, with the aim of determining parameter combinations that lead to a satisfactory trade-off between the detection of intrusion scenarios and the number of alerts generated.

Published: 2005-09-26

LOHMANN, Samir; GASPARY, Luciano Paschoal; MELCHIORS, Cristina. Avaliação do Emprego de Raciocínio baseado em Casos para Identificar Cenários de Intrusão em Logs de Firewalls. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 5., 2005, Florianópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2005. p. 299-310. DOI: https://doi.org/10.5753/sbseg.2005.21538.