A Study of Alert-Based Collaborative Defense

Master's thesis === National Chiao Tung University === College of Electrical Engineering and Computer Science, In-Service Master's Program === 93 === This thesis proposes a lightweight alert-based collaborative defense solution. We notice that malicious attacks are difficult to prevent inside an enterprise. Because it is hard to analyze a large number of logs and alerts, the administrator cannot control the situation and make decisions immediately. Worms, viruses and Trojans spread rapidly; the scale of the problem is large and growing rapidly. Modern security systems face many predicaments. In this thesis we discuss intrusion detection, distributed intrusion detection systems, collaborative defense systems, security information sharing mechanisms and alert analysis. We propose a framework for collaborative defense by extending the original distributed intrusion detection model. It contains an alert collector, extractor, analyzer, report generator, alert warehouse and alert analysis. Besides, we develop a hybrid approach to share security information, like raising wolf smoke to warn partners. Through security information sharing, the members of a CSIRT can obtain defense solutions such as blacklists, detection rules, and security knowledge about alerts. The framework provides a solution to build effective cooperative security teams for academia and industry. We evaluate the feasibility of our framework and track the spreading behavior of the SQL Slammer Worm. As a result, we can deploy security systems more widely and detect the aggressor's behavior more accurately. The alert-based collaborative defense mechanism can help members evaluate the impact of threats and take proper actions to mitigate the risk.

Bibliographic Details
Main Authors: Hsin Wen-Yi, 辛文義
Other Authors: Shian-Shyong Tseng
Format: Others
Language: en_US
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/47592549324960755416
Title (Chinese): 一個以警報為基礎的聯合防禦系統
Other Authors (Chinese name): 曾憲雄
Type: Thesis (學位論文)