“Detecting Network Threats using OSINT Knowledge-based IDS”
in Proceedings of the 14th European Dependable Computing Conference (EDCC), Sept. 2018.
Abstract: Cybercrime has increased steadily over recent years and is now the greatest security concern of most enterprises. Institutions often protect themselves by deploying intrusion detection systems (IDS) that inspect packet payloads for matches against rules representing known threats. However, the accuracy of these systems is only as good as the knowledge they have about the threats. With the continuous flow of novel, sophisticated attacks and their variants, keeping an IDS up to date is a challenge. Open Source Intelligence (OSINT) can be used to obtain this knowledge by retrieving information from diverse sources. This paper proposes a fully automated approach to updating the IDS knowledge base, covering the full cycle from OSINT data feed collection to the installation of new rules and blacklists. The approach was implemented as the IDSoSint system and assessed with 49 OSINT feeds and production traffic. It identified, in real time, various forms of malicious activity, including botnet C&C server communications, remote access applications, brute-force attacks, and phishing events.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
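As an added worked example (this is not the IDSoSint code from the paper), the Python script below shows the feed-to-rules step the abstract describes: a constructed OSINT indicator feed is parsed, validated, de-duplicated and turned into Suricata rules plus an IP blacklist. The feed layout (`indicator,type,description` lines), the Suricata 5+ keywords (`dns.query`, `dotprefix`, `endswith`), the local SID range and the sample indicators (RFC 5737 documentation addresses) are all assumptions made for this example.

```python
"""Turn an OSINT indicator feed into Suricata rules and an IP blacklist.

Added example, not the paper's IDSoSint implementation. Assumes a
constructed CSV-style feed (indicator,type,description) and Suricata 5+
rule syntax. All indicators below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed (not a real OSINT source). It deliberately contains
# a duplicate, a malformed line, an internal address, and rule metacharacters
# in a description, which are the cases an automated pipeline has to survive.
SAMPLE_FEED = """\
# indicator,type,description
198.51.100.23,ip,botnet C&C
203.0.113.77,ip,ssh brute-force source
malicious.example,domain,phishing "landing" page; mirror
198.51.100.23,ip,botnet C&C
this line is not an indicator
10.0.0.5,ip,internal test host
"""

SID_BASE = 9_000_000  # assumed local SID range; 1,000,000+ is reserved for local rules

# Ranges that must never become rules or blacklist entries: a feed that leaks
# an internal or loopback address would otherwise make the IDS alert on (or
# block) the institution's own traffic. Documentation ranges (198.51.100.0/24,
# 203.0.113.0/24) are intentionally not listed so the constructed sample parses.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str          # "ip" or "domain"
    description: str


def _routable_ip(value):
    """True for syntactically valid addresses outside the excluded ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in _NON_ROUTABLE)


def parse_feed(text):
    """Parse, validate and de-duplicate a feed; malformed entries are skipped
    rather than failing the whole update, since feeds are untrusted input."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]  # description may hold commas
        if len(parts) != 3:
            continue
        value, kind, desc = parts
        value = value.lower()
        if kind == "ip":
            if not _routable_ip(value):
                continue
        elif kind == "domain":
            if not _DOMAIN_RE.match(value):
                continue
        else:
            continue
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        out.append(Indicator(value, kind, desc))
    return out


def escape_msg(text):
    """Escape rule metacharacters; an unescaped '"' or ';' taken verbatim from
    a feed description would break the rule or inject extra rule options."""
    return text.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def to_rules(indicators, sid_base=SID_BASE):
    """One Suricata rule per indicator. SIDs are assigned by position here; a
    real deployment persists the indicator->SID mapping so SIDs stay stable
    across feed refreshes and bumps rev: when a rule changes."""
    rules = []
    for n, ind in enumerate(indicators):
        sid = sid_base + n
        msg = escape_msg(f"OSINT {ind.kind} indicator: {ind.description}")
        if ind.kind == "ip":
            rules.append(f'alert ip $HOME_NET any <> {ind.value} any '
                         f'(msg:"{msg}"; sid:{sid}; rev:1;)')
        else:
            # dotprefix + endswith matches the domain and its subdomains but
            # not a lookalike such as notmalicious.example.
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{msg}"; '
                         f'dns.query; dotprefix; content:".{ind.value}"; '
                         f'endswith; nocase; sid:{sid}; rev:1;)')
    return rules


def to_ip_blacklist(indicators):
    """Plain address list, one per line, for an IP reputation/blocklist file."""
    return [i.value for i in indicators if i.kind == "ip"]


if __name__ == "__main__":
    inds = parse_feed(SAMPLE_FEED)
    print("\n".join(to_rules(inds)))
    print("\n".join(to_ip_blacklist(inds)))
```

The two checks worth keeping from this example when wiring real feeds into an IDS are the exclusion of internal and reserved ranges before anything becomes a rule, and the escaping of feed text that ends up inside rule syntax: both are places where untrusted OSINT content can turn an automated update into a self-inflicted outage.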