Performing real-time threat assessment of security incidents using data fusion of IDS logs

Article type: Research Article

Authors: Blyth, Andrew | Thomas, Paula

Affiliations: School of Computing, University of Glamorgan, Pontypridd, CF37 1DL, UK. E-mail: [email protected], [email protected]

Abstract: The vulnerability of network infrastructure was illustrated in 1996 when the Internet Domain Name entry for East Timor was removed from various DNS servers. The net effect of this attack was that to all intents and purposes East Timor was removed from the Internet. Now imagine a time a few years in the further when the USA and Europe are all doing business online and imagine what would happen if all .com entries vanished from the Internet. Modern IDS systems simply log events, they do very little else with the data. In this paper, I will demonstrate how network traffic can be analysed to produce a system that is capable of performing real-time (or near-real time) threat analysis of an attack as it happens. This type of analysis offers us the ability to eventually deploy countermeasures thus stopping, or limiting, an attack.

Keywords: Threat assessment, data fusion, intrusion detection systems, footprinting

DOI: 10.3233/JCS-2006-14602

Journal: Journal of Computer Security, vol. 14, no. 6, pp. 513-534, 2006