incidents in a proactive manner and to improve the risk management employed for the security of the homeland cyber space. A proof of concept of such an architecture (DIFS) is presented, which allows conclusions to be drawn about the improvement of forecasts in cyber space; furthermore, tests applied over two datasets, (Defense Advanced Research Projects Agency [DARPA], 1998) and (Knowledge Discovery and Data Mining Tools Competition [KDD], 1999), with an IDPS have shown that the employed techniques identify incident trends. This chapter is organized as follows: the state of the art concerning forecasting and event correlation in IDPS is in section 2. Section 3 introduces the proposal of this chapter: the DIFS and the two-stage system for correlation of cyber attacks. Section 4 presents details about the tests and the environment used to validate the proposal. Results are analyzed in section 5, and section 6 summarizes conclusions and suggestions for new studies.

**2. State of art – Cyber attacks, event correlation and forecasting**

In this section we approach event correlation for detecting cyber-attacks, the forecasting methods used to predict cyber-attacks, and the Distributed Architecture for Intrusion Forecasting System (DIFS) (Pontes & Guelfi, 2009; Pontes & Zucchi, 2010).

**2.1 Unwanted internet traffic and cyber attacks**

The expression "unwanted traffic" was first used in the eighties and has always been associated with malicious activity such as worms, viruses and intrusions (Feitosa et al, 2008). (Feitosa et al, 2008) define unwanted Internet traffic (UIT) as unproductive and useless traffic, comprising both malicious events (worms, scans, spam) and benign ones (for instance, a wrong setting in a router). (Soto, 2005) completes this definition: UIT may also result from noise in the telecommunication network. (Andersson et al, 2007) classify UIT as traffic that is malicious or useless, whose objective is to compromise vulnerable hosts, to spread malicious code or spam, or to mount DoS and DDoS attacks. UIT may also be junk traffic, background traffic or anomalous traffic.

Symposia and workshops have addressed the issue of UIT, such as those promoted by the Internet Architecture Board (IAB) in March 2006 (Andersson et al, 2007) and April 2008. Their intention was to share information among people from different fields and organizations, fostering an interchange of experiences, views and ideas between the various research communities. As a result, Request for Comments (RFC) 4948 details the UIT types, their main causes, existing solutions, and the actions to be taken in the short and long term. It was decided in this workshop that further research topics about UIT would be handled by the IAB, the Internet Engineering Task Force (IETF) and the Internet Research Task Force (IRTF).

According to (Feitosa et al, 2008), several of the losses caused by UIT are due to the inefficiency of today's techniques and security devices (anti-spam, antivirus, Intrusion Detection and Prevention Systems (IDPS) (NIST, 2010), firewalls), whether in detecting and preventing intrusions or in treating the UIT. Furthermore, high rates of false positives and false negatives, together with the lack of a forecasting approach for Internet traffic, are among the reasons UIT keeps increasing. Internet attacks continue apace, with UIT such as phishing, spam and distributed denial of service attacks increasing steadily. However, it is important to decide whether a given class of traffic is unwanted or not: VoIP (Skype), peer-to-peer (P2P), instant messengers (MSN, Google Talk, ICQ) and online social networks may be classified differently from one company to another, from user to user, and from country to country. China, for instance, does not allow calls from Skype to telephones. Another example: routers for backbone providers and for small companies classify UIT differently (Feitosa et al, 2008).