Submitted by Luiza Maria Pereira de Oliveira (luiza.oliveira@ufpe.br) on 2015-05-15T14:58:14Z
No. of bitstreams: 2
license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5)
DISSERTAÇÃO Daniel Araújo Melo.pdf: 2348702 bytes, checksum: cdf9ac0421311267960355f9d6ca4479 (MD5) / Made available in DSpace on 2015-05-15T14:58:14Z (GMT). No. of bitstreams: 2
license_rdf: 1232 bytes, checksum: 66e71c371cc565284e70f40736c94386 (MD5)
DISSERTAÇÃO Daniel Araújo Melo.pdf: 2348702 bytes, checksum: cdf9ac0421311267960355f9d6ca4479 (MD5)
Previous issue date: 2014-09-08 / Modern virtual plagues, or malwares, have focused on internal host infection and em-ploy evasive techniques to conceal itself from antivirus systems and users. Traditional network security mechanisms, such as Firewalls, IDS (Intrusion Detection Systems) and Antivirus Systems, have lost efficiency when fighting malware propagation. Recent researches present alternatives to detect malicious traffic and malware propagation through traffic analysis, however, the presented results are based on experiments with biased artificial traffic or traffic too specific to generalize, do not consider the existence of background traffic related with local network services or demands previous knowledge of networks infrastructure. Specifically don’t consider a well-known intru-sion detection systems problem, the high false positive rate which may be responsible for 99% of total alerts. This dissertation proposes a framework (ARCA – Alerts Root Cause Analysis) capable of guide a security engineer, or system administrator, to iden-tify alerts root causes, malicious or not, and allow the identification of malicious traffic and false positives. Moreover, describes modern malwares propagation mechanisms, presents methods to detect malwares through analysis of IDS alerts and false positives reduction.
ARCA combines an aggregation method based on Relative Uncertainty with Apriori, a frequent itemset mining algorithm. Tests with 2 real datasets show an 88% reduction in the amount of alerts to be analyzed without previous knowledge of network infrastructure.
| Identifer | oai:union.ndltd.org:IBICT/oai:repositorio.ufpe.br:123456789/13946 |
| Date | 08 September 2014 |
| Creators | Melo, Daniel Araújo |
| Contributors | Sadok, Djamel Fawzi Hadj |
| Publisher | Universidade Federal de Pernambuco |
| Source Sets | IBICT Brazilian ETDs |
| Language | English |
| Detected Language | English |
| Type | info:eu-repo/semantics/publishedVersion, info:eu-repo/semantics/masterThesis |
| Source | reponame:Repositório Institucional da UFPE, instname:Universidade Federal de Pernambuco, instacron:UFPE |
| Rights | Attribution-NonCommercial-NoDerivs 3.0 Brazil, http://creativecommons.org/licenses/by-nc-nd/3.0/br/, info:eu-repo/semantics/openAccess |
Page generated in 0.0023 seconds