The use of automatic prevention, detection and reaction systems for attack and intrusion management has been a key research topic in recent years. In fact, companies and research groups worldwide are investing significant resources to make this concept of automated intrusion management a reality. However, most current proposals and solutions have a narrow scope and face difficulties and limitations when dealing with large-scale and distributed attacks, such as coordinated spam or phishing campaigns or distributed denial of service (DDoS).

In this context, several advanced service management and security-related technologies can be drawn upon when providing novel solutions to this problem. Concepts like autonomic systems, ontologies and the Semantic Web, trust and reputation management, collaborative intrusion detection and prevention systems, self-protection, and virtualised honeynets should be considered as part of novel IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) frameworks and systems. The RECLAMO project is aimed at designing and creating an advanced framework for enhancing current attack and intrusion detection and reaction proposals. To achieve this objective, the current workplan will deal with the key technologies mentioned above and combine them in a single solution that provides an automated response system to attacks and intrusions. The concept of self-protection (one of the four key characteristics of any autonomic system) will be the key concept driving the main component of the system, providing the ability to infer the most appropriate response for a given intrusion, taking into account not just the intrusion itself but also many other parameters related to it, such as the context and the trust and reputation of the network source. This autonomic system will use formally defined information models (based on ontologies) to combine intrusion information, parameters learnt through self-evaluation, the trust and reputation of the elements involved, and information coming from collaborative IDS/IPS systems in the same or a different administrative domain. This information will be evaluated against a set of security metrics expressed in a formally defined behaviour specification language, such as SWRL, in order to reason about and infer the most appropriate response, taking into account all the inputs and the other criteria specified in the security metrics.

One of the most promising approaches to intrusion response will be based on the dynamic generation and deployment of honeynets to which attacks are diverted. These honeynets will be created ad hoc for each attack and optimised for it, in order to gather as much information as possible about each attack. This dynamic honeynet generation will rely on advanced virtualisation techniques capable of generating large-scale, heterogeneous honeynets.
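The two paragraphs above describe the reasoning step (rules over intrusion, context and reputation facts) and one of the responses it can select (diversion to a dynamically created honeynet). The following is an added illustration, not code from the RECLAMO project: a tiny forward-chaining rule set in the spirit of SWRL (antecedent -> consequent) that combines an IDS alert, its context and the reputation of the source to pick a response, plus a reputation feedback step standing in for the self-evaluation loop. All thresholds, rule names, response names and the sample alert are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, NamedTuple

@dataclass(frozen=True)
class Intrusion:
    alert: str                # alert class from the IDS (constructed sample value)
    severity: int             # 1 (informational) .. 5 (critical), as scored by the IDS
    source_reputation: float  # 0.0 = known malicious .. 1.0 = fully trusted
    critical_target: bool     # context: does the target host a critical service?
    corroborated: bool        # also reported by a collaborating IDS in another domain?

class Rule(NamedTuple):
    name: str
    antecedent: Callable[[Intrusion], bool]  # SWRL-style rule body
    response: str                            # SWRL-style head: the inferred action
    priority: int                            # conflict resolution: highest wins

# Thresholds below are assumptions chosen for this example.
RULES: List[Rule] = [
    Rule("known_bad_and_severe",
         lambda i: i.severity >= 4 and i.source_reputation < 0.3, "block_source", 3),
    Rule("corroborated_by_peer_domain",
         lambda i: i.corroborated and i.source_reputation < 0.5, "block_source", 4),
    Rule("divert_low_risk_probe_to_honeynet",
         lambda i: i.severity <= 3 and i.source_reputation < 0.6 and not i.critical_target,
         "divert_to_honeynet", 2),
    Rule("trusted_source_just_monitor",
         lambda i: i.source_reputation >= 0.7, "monitor_only", 1),
]

def infer_response(intrusion: Intrusion, rules: List[Rule] = RULES):
    """Fire every rule whose antecedent holds on the facts and return
    (response, names of fired rules); with no match, escalate to an operator."""
    fired = [r for r in rules if r.antecedent(intrusion)]
    if not fired:
        return "escalate_to_operator", []
    best = max(fired, key=lambda r: r.priority)
    return best.response, [r.name for r in fired]

def update_reputation(current: float, response: str, decay: float = 0.2) -> float:
    """Self-evaluation feedback: a source that triggered an active response loses
    reputation, so later alerts from it are judged more harshly (assumed decay)."""
    if response in ("block_source", "divert_to_honeynet"):
        return max(0.0, round(current - decay, 3))
    return current

if __name__ == "__main__":
    probe = Intrusion("port_scan", 2, 0.5, False, False)  # constructed sample alert
    print(infer_response(probe))  # ('divert_to_honeynet', ['divert_low_risk_probe_to_honeynet'])
```

In a real deployment the rule bodies would be SWRL atoms over ontology individuals rather than Python lambdas, and the honeynet response would trigger the virtualised honeynet generation described above.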

The next figure depicts the main functional blocks of the RECLAMO proposal. All these blocks are addressed in detail in the Objectives section.