A Self organized threat intelligence architecture for intrusion detection systems

Abstract

An Intrusion Detection System (IDS) is a software application that mon- itor a corporate network or a computer system and ag activities which it construes to be malicious operations. The rapid and expansive growth of In- ternet has heightened concerns on how to protect both stored and transmitted digital information in an e ective manner. The reactive IDS will primarily detect intrusions and send out alerts. De- fending the system is a secondary task, and its success depends on how early detection can occur when an intrusion is ongoing so that warnings can be sent in time. IPS, which is mainly proactive, will primarily detect vulnerabil- ities and take preventive measures in addition to providing the second stage functionality for an IDS but with limited knowledge and countermeasure ca- pabilities. As a solution to this problem, research has been conducted on an area called Automated Defense. The design of Automated Defense systems needs to be radically di erent from the IDS/IPS schemes as properties such as on- line real-time availability of all participants, use of threat intelligence schemes, availability of high computation power, etc have to be considered. Taking into consideration the context in which Threat Intelligence Architecture operates, where transaction value is very low, IDS/IPS systems need to be designed with a careful trade-o between reliability and cost of implementation. The research presented in this thesis aims to develop a solution to the problem of providing the functionality of an IDS with an IPS capability that is highly responsive, adaptive and able to leverage the most up-to-date knowl- edge on dealing with threats. The main objective of the research is to combine an IDS with Threat Intelligence in a manner that can detect le creations and copying anomalies and provide the mechanisms to alert and initiate actions to take defensive measures to decrease the potential for damage from attackers. The main objective of the research is to combine with Threat Intelligence to provide a mechanism to alert and initiate actions to take defensive measures to decrease the potential for damage.