Abordagem imunológica de segurança baseada em correlação de alertas e redes programáveis (An immunological security approach based on alert correlation and programmable networks)

Field | Value
---|---
Principal author | Melo, Roberto Vasconcelos
Publication date | 2018
Document type | Dissertation (master's thesis)
Language | por (Portuguese)
Source | Repositório Institucional da UFS
Full text | http://ri.ufs.br/jspui/handle/riufs/10758

Abstract:

In the security field, anomaly detection techniques have been developed to detect traffic patterns related to attacks or malicious activities; such patterns are often referred to as anomalies. In particular, some anomalies can represent attackers launching Distributed Denial-of-Service (DDoS) attacks in order to degrade service availability. Threats in the DoS category can involve early-stage actions such as probe attacks, in which a network is scanned to find vulnerable hosts and compromise them. The vulnerabilities found then enable unauthorized access to the machines through user-to-root (U2R) and remote-to-local (R2L) attacks, and the compromised machines can be used to cause a denial of service against a particular target. These attack classes include threats that can hide in normal traffic because of the low attack intensity they require. In addition, anomaly-based detection techniques have a high false alarm rate, which reduces detection efficiency. To mitigate these problems, this work presents a security model with detection and prevention functions against attacks that exploit vulnerabilities of the cloud infrastructure. The model combines concepts from immunology, alert correlation, and software-defined networking (SDN): a distributed, anomaly-based intrusion detection system built on the artificial immune system (AIS) approach works together with attack-graph-based alert correlation. The Negative Selection, Clonal Selection and Immune Network algorithms are used to implement an agent-based detection system that analyzes network traffic. The system works in conjunction with attack graphs and an alert correlation algorithm that helps reduce the false alarm rate; attack graphs also aid in selecting countermeasures applied through SDN. The SDN countermeasures can assist in attack prevention through traffic redirection, traffic isolation, network topology change, and IP address change. The proposed system was tested on network traffic collected from virtual machines on Amazon Web Services (AWS), converted to datasets in the NSL-KDD format. Adding the alert correlation technique to the proposed security approach increased detection efficiency for all studied attack classes.
Funding | Coordenação de Aperfeiçoamento de Pessoal de Nível Superior (CAPES)
Place | São Cristóvão, SE
Field | Value
---|---
Author | Melo, Roberto Vasconcelos
Advisor | Macedo, Douglas Dyllon Jeronimo de
Subjects (Portuguese and English index terms) | Artificial immune system (AIS); Intrusion detection system (IDS); Intrusion prevention system (IPS); Cloud computing; Software-defined networking (SDN)
CNPq area | CIENCIAS EXATAS E DA TERRA::CIENCIA DA COMPUTACAO
Field | Value
---|---
Issue date | 2018-12-12
Accessioned / available | 2019-03-25
Type | Master's thesis, published version (info:eu-repo/semantics/masterThesis; info:eu-repo/semantics/publishedVersion)
Citation | MELO, Roberto Vasconcelos. Abordagem imunológica de segurança baseada em correlação de alertas e redes programáveis. 2018. 142 f. Dissertação (Mestrado em Ciência da Computação) - Universidade Federal de Sergipe, São Cristóvão, SE, 2018.
URI | http://ri.ufs.br/jspui/handle/riufs/10758
Language | por
Rights | info:eu-repo/semantics/openAccess
Graduate program | Pós-Graduação em Ciência da Computação, UFS
Institution | Universidade Federal de Sergipe (UFS)
Repository | Repositório Institucional da UFS (repositorio@academico.ufs.br)
Full text (PDF, MD5 b7afa95cbc1d55409ee32c2046a455d5) | https://ri.ufs.br/jspui/bitstream/riufs/10758/2/ROBERTO_VASCONCELOS_MELO.pdf
Extracted text (MD5 2b71f1295e43342b3907457bd50c7477) | https://ri.ufs.br/jspui/bitstream/riufs/10758/3/ROBERTO_VASCONCELOS_MELO.pdf.txt
Thumbnail (MD5 9a45d921d85fc0b4aa00816382a96ef7) | https://ri.ufs.br/jspui/bitstream/riufs/10758/4/ROBERTO_VASCONCELOS_MELO.pdf.jpg
License (MD5 098cbbf65c2c15e1fb2e49c5d306a44c) | https://ri.ufs.br/jspui/bitstream/riufs/10758/1/license.txt