Designing a Collaborative Defense System

Abstract

本篇論文提出一個以警報資料為基礎的聯合防禦解決方案。大量日誌記錄與警報資料很難分析，造成系統管理員無法掌控狀況且無法針對事件的處理做出立即的決策。我們延伸分散式入侵偵測的模式，提出一個聯合防禦的架構，包含警報收集、萃取、分析、回報、資料倉儲和分析。此外我們發展一個混合式的安全資訊分享的方法，就像升起狼煙警告其他夥伴一般，參與電腦安全事件回報團隊的成員能獲得安全防禦相關的解決資訊。這個架構提供學術界和企業界一個建立有效合作的安全聯防團隊方案。經由評估實驗，並追查出SQL Slammer 蠕蟲的傳播情形。結果發現，透過聯合防禦的機制，廣泛部署系統，能更加準確地追查出攻擊的行為，並且可以協助成員評估威脅的衝擊和採取適當的行動來降低風險。

This paper proposes a lightweight alert-based collaborative defense solution. Because it is hard to analyze a large number of logs and alerts, the administrator can not control the situation and make decision immediately. We propose a framework for collaborative defense by extending the original distributed intrusion detection model. It contains alert’s collector, extractor, analyzer, report’s generator, alert warehouse and alert’s analysis. Besides, we develop a hybrid approach to share security information like raising the wolf smoke to warn partners. By the security information sharing, the members of CSIRT can obtain the solutions of defense, such as blacklists, detection rules, and security knowledge about alerts. The framework provides a solution to build effective cooperative security teams for academia and industry. We evaluate the feasibility of our framework and track the spreading behaviors of the SQL Slammer Worm. As a result, we can deploy security system more widely and detect the aggressor`s behavior more accurately. The alert-based collaborative defense mechanism can help members to evaluate the impact of the threats and take proper actions to mitigate the risk.