**3. The distributed intrusion forecasting system with the two stage system (Pontes et al, 2011)**

Intrusion Forecasting Systems (IFS) can work proactively in cyber security contexts, as early warning systems, in order to indicate or identify UIT (incidents, threats, attacks) in advance. IFS can also represent an improvement over IDPS, which is based on postmortem approaches (UIT is identified and/or blocked only after it has had the chance to inflict serious damage on the computer systems). IFS predicts UIT by the use of different forecasting techniques (for instance, moving average, Fibonacci sequence, etc.) applied to either local or distributed environments. Additionally, in distributed environments, i.e. a DIFS, the use of cooperative sensors can improve the accuracy of the predictions of incidents.

Fig. 6 depicts the proposal of this chapter, i.e. the DIFS and its forecasting levels. Similarly to the forecasting methodologies used in other fields (e.g. Meteorology), the DIFS also spreads agents and/or sensors widely to make predictions about the different kinds of UIT (spam, virus, intrusion, abnormal network traffic). There are four levels in the IFS: level 1 - independent security devices of hosts; level 2 - integrated security devices of hosts; level 3 - the network level; and level 4 - the backbone level. All levels communicate with each other to some degree. In other words, the forecasts obtained from level 1 are shared and correlated with the forecasts of the other levels. Lower levels work as sensors for higher levels; consequently, feedback about the UIT trends may be exchanged from one level to another.

Level 1 concerns the trend analysis of the incidents, alerts and diagnoses reported independently by the hosts' security devices (antivirus, antispyware, host-based IDPS and other anomaly detection systems). For each security device, individual forecasts may be provided, e.g. the spam trend for the next hour or for the following day, or the trend of virus infection, etc. The next step of IFS level 1 is to help the hosts' security devices to determine whether or not they should adopt countermeasures to stop the UIT.

Level 2 involves the correlation of the forecasts about the hosts' security devices. At this level, the analysis relies on two databases: a) all the historical data generated by each one of the hosts' security devices are processed individually by the IFS first level and then stored in a database; b) the network flow may also be recorded for further forecasting analysis. The next step for IFS level 2 is to query and analyze the trends (forecasts) in such databases. After analyzing them, IFS level 2 returns feedback to IFS level 1. It is important to notice that the databases of IFS level 1 work as sensors for IFS level 2.
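As an added illustration (not code from the chapter or from the authors' Java prototype) of how per-device level 1 forecasts feed the level 2 correlation and its feedback, in Python over constructed hourly alert counts. The moving-average forecast, the "share of rising sensors" rule and its 0.5 threshold are assumptions of this example.

```python
from collections import defaultdict

# Constructed hourly alert counts reported by each host's security devices,
# oldest first. These stand in for the level 1 historical databases.
HOST_DEVICE_SERIES = {
    ("host-a", "antivirus"):   [2, 3, 2, 4, 5, 7, 9],
    ("host-a", "host-idps"):   [1, 1, 2, 2, 3, 5, 8],
    ("host-b", "antivirus"):   [0, 1, 0, 1, 1, 1, 2],
    ("host-b", "antispyware"): [3, 2, 3, 3, 2, 3, 2],
}


def level1_forecast(series, window=3):
    """Level 1: next-period forecast for one device from its own history,
    using a simple moving average (one of the techniques the text names)."""
    recent = series[-window:]
    return sum(recent) / len(recent)


def level1_trend(series, window=3):
    """Level 1: trend label for one device, comparing the latest window
    average with the previous window average."""
    if len(series) < 2 * window:
        return "unknown"
    prev = sum(series[-2 * window:-window]) / window
    curr = sum(series[-window:]) / window
    return "rising" if curr > prev else "falling" if curr < prev else "flat"


def level2_correlate(forecasts, rising_share=0.5):
    """Level 2: correlate the level 1 forecasts stored per host. Aggregates the
    forecast per host and raises a site-wide alert when at least rising_share
    of the sensors report a rising trend (assumed rule). Returns the feedback
    sent back to level 1: which devices should prepare countermeasures."""
    per_host = defaultdict(float)
    rising = 0
    for (host, _device), (forecast, trend) in forecasts.items():
        per_host[host] += forecast
        rising += trend == "rising"
    site_alert = rising / len(forecasts) >= rising_share
    feedback = {key: site_alert or trend == "rising"
                for key, (_f, trend) in forecasts.items()}
    return dict(per_host), site_alert, feedback


def run_levels(host_series=HOST_DEVICE_SERIES):
    """Level 1 forecasts for every device, then the level 2 correlation."""
    forecasts = {k: (level1_forecast(v), level1_trend(v))
                 for k, v in host_series.items()}
    return forecasts, level2_correlate(forecasts)
```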

Fig. 6. DIFS Architecture - adapted from (Pontes & Guelfi, 2009)

The implementation of IFS level 3 happens at the gateway of the LAN. IFS level 3 is analogous to IFS level 2, as it queries the databases generated by IFS levels 1 and 2. As at IFS level 1, some security devices may be installed at the gateway (a firewall, a regular IDPS, etc.) and they may also be analyzed. The steps for analysis at this level are: a) Network security devices record UIT in databases; IFS level 3 queries the databases provided by the lower levels and by the current level; b) IFS level 3 analyzes the provided databases to define trends; c) IFS level 3 provides feedback of the trend analysis to the security devices; d) IFS level 3 may also give feedback to the lower levels. It is important to notice that the IFS level 1 and level 2 databases work as sensors for IFS level 3. The sensor elements may be more numerous at IFS level 3.

IFS level 4 is the major level. It considers the structure of the backbone providers (an ISP, for instance). In the same way as at IFS levels 2 and 3, different security devices are linked to the backbone level. The steps for IFS level 4 to work are: a) Backbone security devices record UIT in databases; b) IFS level 4 queries the databases provided by the lower levels and by the current level; c) IFS level 4 analyzes the provided databases to define the trends; d) IFS level 4 provides feedback of the trend analysis to the current level; e) IFS level 4 may also give feedback to the lower levels. Similarly to the lower levels, IFS level 4 uses the same concept of sensors: the lower databases and the entire lower IFS levels are sensors for IFS level 4. An important note is that IFS level 4 may be shared and correlated among various backbone providers. Correlating the forecasts of IFS level 4 provides the most realistic and integrated trend about UIT, as it spreads sensors along the network (Lajara et al, 2007).

It is important to notice that for the IFS we implemented a two stage system (Pontes et al, 2011), intending to improve the forecasting results by the use of correlation. Fig. 7 presents the sequence of activities done by the system:

1. The first task is the multi-correlation, running the EAS, to filter FP and to trace sophisticated. During this step, the OS's logs, the IDPS's logs, the network traffic and other logs are analyzed by the EAS. According to Fig. 4, the diverse logs and network traffic represent Entry 1 for the two stage system.

2. The second task is done by the IFS, applying forecasting techniques over the EAS' generated data (historical series, without a considerable amount of FP). Several forecasting techniques may be adopted in this stage (e.g. EWMA, Fibonacci sequence, Markov chains). As illustrated by Fig. 7, the EAS' generated data is Entry 2 for the two stage system. Step 2 of the two stage system considers just the data from Entry 2.

Fig. 7. Sequence of Steps: (1) EAS Filtering – (2) IFS (Pontes et al, 2011)

**4. Proof of concept**

In this section we describe two of the prototypes we have prepared and analysed. In the first one (Pontes et al, 2009), for the proof of concept, levels 1, 2 and 3 of the DIFS were implemented in three geographically separated sites (A, A' and A''). The following hardware and services were used: a) 1 Pentium Core 2 Quad 2.0 GHz, 8GB RAM; b) 2 Pentium Core 2 Duo 1.8 GHz, 4GB RAM; c) 10 virtual machines (Ubuntu 8.04) with 512MB RAM; d) 4 virtual machines (Windows XP) with 512MB RAM; e) Windows Vista (host for the virtual machines); VMware Player 2.51; Snort; Netfilter/Iptables; MySQL; OpenVPN.

As in (Haslum et al, 2008), in this prototype the simulation of UIT was divided into just four types: 1) Denial of service (DoS): Ping of Death and SYN Flood are examples of this kind of UIT; 2) Remote to local (R2L): SQL injection is an example of this kind of UIT, where the typical vulnerabilities exploited are buffer overflow and poor environment sanitization; 3) User to root (U2R): SQL injection is also an example of this kind of UIT; 4) Probe (Scanning): Nmap, IPsweep and Satan are examples of scanning software. For eight weeks, we simulated usual network traffic and UIT among the hosts of each site. Normal network traffic and UIT were also simulated among the sites. An H-IDPS (NIST SP800-94, 2007) was installed in each one of the hosts. An N-IDPS (NIST SP800-94, 2007) was installed at the gateway. Fig. 8 illustrates the sites, the hosts with normal activities and the infected hosts. Infected hosts inflict UIT on the hosts of their own site and on hosts of other sites, as indicated by the arrows. In this prototype, the propagation of UIT followed this sequence: from site A to site A', from sites A and A' to site A'', and from sites A, A' and A'' to site A. For this prototype, the IFS was developed in Java and it runs in the three levels of the DIFS. The IDPS Snort was used to analyze the network traffic. All classified UIT is later recorded in a MySQL database. The IFS collects data from the database and analyzes them; next, when a particular threshold of UIT is exceeded, a warning is sent to the IFS collaborators.

For the second prototype (Pontes et al, 2009), the two stage system was implemented and employed in a wired LAN, specifically in a computer working as the gateway to the Internet (level 3 of the DIFS). Elements of level 1 (logs from the OS) were used in the. Although level 3 of the DIFS was approached, levels 1, 2 and 4 were disregarded in the second prototype. The reason for implementing only level 3 is the representativeness of the gateway level: (a) the simulated cyber-attacks and the real network traffic have just one path to reach the Internet: throughout
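The two stage system of Fig. 7 (EAS multi-correlation filtering false positives, then IFS forecasting over the filtered series) together with the threshold warning used in the first prototype, as an added Python example that is not the authors' code. The Entry 1 log records are constructed; the "confirmed by at least two distinct sources" rule, the EWMA smoothing factor and the warning threshold are assumptions of this example.

```python
from collections import defaultdict

# Constructed Entry 1 records: (hour, log source, suspected attacker, UIT category).
# A sighting reported by only one source is treated as a probable false positive.
ENTRY1 = [
    (0, "nids", "10.0.0.5", "probe"), (0, "hids", "10.0.0.5", "probe"),
    (0, "nids", "10.0.0.9", "dos"),                               # single source
    (1, "nids", "10.0.0.5", "probe"), (1, "os", "10.0.0.5", "probe"),
    (1, "nids", "10.0.0.7", "dos"), (1, "flow", "10.0.0.7", "dos"),
    (2, "nids", "10.0.0.5", "probe"), (2, "hids", "10.0.0.5", "probe"),
    (2, "nids", "10.0.0.7", "dos"), (2, "flow", "10.0.0.7", "dos"),
    (2, "os", "10.0.0.7", "dos"),
    (2, "nids", "10.0.0.8", "r2l"), (2, "hids", "10.0.0.8", "r2l"),
    (3, "hids", "10.0.0.2", "u2r"),                               # single source
    (3, "nids", "10.0.0.5", "probe"), (3, "os", "10.0.0.5", "probe"),
    (3, "flow", "10.0.0.5", "probe"),
    (3, "nids", "10.0.0.8", "r2l"), (3, "hids", "10.0.0.8", "r2l"),
]


def eas_filter(records, hours, min_sources=2):
    """Stage 1 (EAS multi-correlation): an (attacker, category) sighting in a
    given hour is kept only when at least min_sources distinct logs report it.
    Returns the hourly count series of confirmed UIT, i.e. Entry 2."""
    sources = defaultdict(set)
    for hour, source, attacker, category in records:
        sources[(hour, attacker, category)].add(source)
    series = [0] * hours
    for (hour, _attacker, _category), seen in sources.items():
        if len(seen) >= min_sources:
            series[hour] += 1
    return series


def ewma_forecast(series, alpha=0.5):
    """Stage 2 (IFS): exponentially weighted moving average over Entry 2;
    the final smoothed level is the next-hour forecast."""
    level = float(series[0])
    for x in series[1:]:
        level = alpha * x + (1 - alpha) * level
    return level


def two_stage(records=ENTRY1, hours=4, threshold=2.0, min_sources=2):
    """Entry 1 -> EAS -> Entry 2 -> IFS forecast -> warning when the forecast
    exceeds the assumed UIT threshold, as in the first prototype."""
    series = eas_filter(records, hours, min_sources)
    forecast = ewma_forecast(series)
    return series, forecast, forecast > threshold
```

Calling `two_stage(min_sources=1)` skips the EAS correlation and shows how the unfiltered single-source sightings inflate the series the IFS forecasts from.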
