**1.3 Proposal**

The goal of this chapter is to propose a Distributed Intrusion Forecasting System (DIFS) built as a two-stage system: (1) in the first stage, security alerts are correlated by an Event Analysis System (EAS); (2) in the second stage, forecasting techniques are applied to the data (historical series) generated by the EAS. The DIFS works with prediction models and sensors acting at different network levels (host, border and backbone), which enables the use of different forecasting techniques (e.g. Fibonacci sequence and moving averages), cooperation among points of analysis and correlation of predictions. In addition to the main goal, this chapter proposes an analogous approach for earthquake prediction. The intended results are to increase the reliability of incident predictions (e.g. earthquake incidents, cyber attacks), to prevent incidents in a proactive manner and to improve the risk management employed for the security of the homeland cyber space. A proof of concept of this architecture (DIFS) is presented, which allows conclusions about the improvement of forecasts in the cyber space; furthermore, tests applied with an IDPS over two datasets - (Defense Advanced Research Projects Agency [DARPA], 1998) and (Knowledge Discovery and Data Mining Tools Competition [KDD], 1999) - have shown that the employed techniques identify incident trends.

This chapter is organized as follows: the state of the art concerning forecasting and event correlation in IDPS is in Section 2. Section 3 introduces the proposal of this chapter: the DIFS and the two-stage system for correlation regarding cyber attacks. Section 4 presents details about the tests and the environment used to validate the proposal. Results are analyzed in Section 5, and Section 6 summarizes conclusions and suggestions for further studies.

Earthquake Prediction: Analogy with Forecasting Models for Cyber Attacks in Internet and Computer Systems

for instance, does not allow calls from Skype to telephones. Another example: routers for backbone providers and for small companies - the UIT classifies them differently in both cases (Feitosa et al, 2008).

**2.2 Approaches for correlation of security events**

Correlation techniques for security events can be classified into three categories: (1) rule-based, (2) anomaly-based and (3) based on causes and consequences (Prerequisites and Consequences (PC)) (Abad et al, 2003). The rule-based method requires some prior knowledge about the attack, so the target machine has to pass through a preparation phase called training. The goal of this phase is to make the target machine able to precisely detect the vulnerabilities it was trained for (Abad et al, 2003), (Mizoguchi, 2000). Gaps of the rule-based method are: (1) it is computationally intensive; (2) it results in lots of data; (3) the method works only for known vulnerabilities.

The anomaly-based method analyzes the network data flow, correlating it with statistical methods, accumulating the gathered information and observing the deviations that occur throughout the network data flow, in order to allow detecting new attacks. For instance, (Manikopoulos & Papavassiliou, 2002) demonstrate a system for detecting anomalies which is characterized by monitoring several parameters simultaneously. (Valdes & Skinner, 2001) present a probabilistic correlation proposed for IDPS, based on data fusion and multiple sensors. However, the anomaly-based method cannot detect anomalous activity hidden in a normal process if it is performed at very low levels. Besides, as this method analyzes normal processes and reports only deviations from them, it is not suitable for finding the causes of attacks (Ning et al, 2001).

The PC method relies on connections between causes (conditions that must hold for an attack to succeed) and consequences (results of the exploitation of a cause) in order to correlate alerts based on the gathered information. This method is suitable for discovering attack strategies. Both causes and consequences are composed of information concerning attributes of alerts (specific features belonging to each alert), and it is on these that alerts are correlated. An arrangement of attributes is called a tuple. According to Fig. 4, for a connection to be valid, a preparatory alert must have in its consequences at least one tuple which is repeated in the causes (prerequisites) of the resulting alert. In other words, the preparatory alert contributes to the construction of the resulting alert, and therefore the two can be correlated. For this connection, illustrated by Fig. 4, the timestamp of the preparatory alert has to come before that of the resulting alert (Silva & Guelfi, 2010), (Pontes & Guelfi, 2010), (Ning et al, 2001).

Fig. 4. Connections Between Alerts - Consequence of Preparatory Alert (SID1) is Connected to Prerequisites of Resulting Alert (SID2).
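The two-stage pipeline of Section 1.3 (EAS correlation producing a historical series, then a forecast over it) and the PC connection rule of Fig. 4, as an added worked example; this is not code from the chapter or from its authors' DIFS. It assumes a hypothetical knowledge base of three signatures (the labels SID1 and SID2 are borrowed from Fig. 4, but their prerequisite and consequence templates and the attribute names are invented), constructed sample alerts, and a plain moving average as the stage-2 technique; the Fibonacci technique the chapter also mentions is not implemented here. Note how the same tuple ("shell", host) is produced from the exploit's `dst_ip` and consumed from the exfiltration's `src_ip`: the tuple, not the attribute name, is what connects the alerts.

```python
"""Added example (not the chapter's code): a two-stage DIFS-style pipeline.
Stage 1 correlates alerts with the prerequisites/consequences (PC) rule of
Fig. 4; stage 2 forecasts the next window of the resulting historical series
with a simple moving average. SIDs, attribute names, the knowledge base and
the sample alerts are all hypothetical/constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical knowledge base: per signature id, prerequisite and consequence
# tuple templates of the form (predicate, attribute name, ...). A template is
# instantiated by replacing the attribute names with the alert's values.
KNOWLEDGE_BASE = {
    "SID1": {"prerequisites": [],                                     # port scan
             "consequences": [("open_port", "dst_ip", "dst_port")]},
    "SID2": {"prerequisites": [("open_port", "dst_ip", "dst_port")],  # exploit
             "consequences": [("shell", "dst_ip")]},
    "SID3": {"prerequisites": [("shell", "src_ip")],                  # exfiltration
             "consequences": [("exfil", "src_ip")]},
}


@dataclass
class Alert:
    aid: int
    sid: str
    ts: int                 # timestamp in seconds (constructed)
    attrs: Dict[str, str]


def instantiate(alert: Alert, templates) -> set:
    """Turn templates into concrete tuples; skip ones the alert cannot fill."""
    out = set()
    for pred, *names in templates:
        if all(n in alert.attrs for n in names):
            out.add((pred,) + tuple(alert.attrs[n] for n in names))
    return out


def correlate(alerts: List[Alert]) -> List[Tuple[int, int]]:
    """Stage 1 (EAS): PC correlation. (prep, res) is linked when at least one
    consequence tuple of prep is among the prerequisites of res AND the
    timestamp of prep precedes the timestamp of res."""
    links = []
    for prep in alerts:
        cons = instantiate(prep, KNOWLEDGE_BASE[prep.sid]["consequences"])
        for res in alerts:
            pre = instantiate(res, KNOWLEDGE_BASE[res.sid]["prerequisites"])
            if prep.ts < res.ts and cons & pre:
                links.append((prep.aid, res.aid))
    return links


def attack_chains(links: List[Tuple[int, int]]) -> List[List[int]]:
    """Follow links forward from alerts that are nobody's consequence; each
    path is one attack strategy the PC method exposes."""
    succ: Dict[int, List[int]] = {}
    for a, b in links:
        succ.setdefault(a, []).append(b)
    targets = {b for _, b in links}
    chains: List[List[int]] = []

    def walk(aid, path):
        path = path + [aid]
        if aid not in succ:
            chains.append(path)
            return
        for nxt in succ[aid]:
            walk(nxt, path)

    for start in sorted(a for a in succ if a not in targets):
        walk(start, [])
    return chains


def historical_series(alerts: List[Alert], window: int, n_windows: int) -> List[int]:
    """Alert counts per fixed time window: the series stage 1 hands to stage 2."""
    counts = Counter(a.ts // window for a in alerts)
    return [counts.get(i, 0) for i in range(n_windows)]


def moving_average_forecast(series: List[int], k: int) -> float:
    """Stage 2: predict the next window as the mean of the last k windows."""
    if len(series) < k:
        raise ValueError("series shorter than the averaging window")
    return sum(series[-k:]) / k


# Constructed sample alerts: a scan -> exploit -> exfiltration chain, a second
# exploit reusing the same scan, an exploit that precedes its scan (wrong
# order, must not link) and a scan of a port nobody exploits (no tuple match).
SAMPLE_ALERTS = [
    Alert(1, "SID1", 10, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": "445"}),
    Alert(2, "SID2", 40, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": "445"}),
    Alert(3, "SID3", 70, {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7"}),
    Alert(4, "SID2", 80, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.6", "dst_port": "22"}),
    Alert(5, "SID1", 90, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.6", "dst_port": "22"}),
    Alert(6, "SID1", 100, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": "80"}),
    Alert(7, "SID2", 130, {"src_ip": "203.0.113.9", "dst_ip": "10.0.0.5", "dst_port": "445"}),
]


def run_pipeline(alerts=SAMPLE_ALERTS, window=30, n_windows=5, k=3):
    """Stage 1 then stage 2; only alerts that took part in a chain feed the series."""
    links = correlate(alerts)
    chains = attack_chains(links)
    correlated = {aid for chain in chains for aid in chain}
    series = historical_series([a for a in alerts if a.aid in correlated], window, n_windows)
    return {"links": links, "chains": chains, "series": series,
            "forecast": moving_average_forecast(series, k)}


if __name__ == "__main__":
    print(run_pipeline())
```

Running it links alerts 1-2, 1-7 and 2-3, yielding the chains [1, 2, 3] and [1, 7]; alerts 4/5 stay unlinked because the exploit arrives before the scan, and alert 6 because its port tuple matches no prerequisite. Feeding only the correlated alerts into the series is a design choice that keeps uncorrelated noise out of the forecast; a deployment could just as well forecast the raw alert count.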
