The main objective of the RECLAMO project is research into novel approaches for reacting to network attacks. The project aims to go beyond the classic Intrusion Detection System approach, based on intrusion detection and basic reactions, and to define, develop and validate an intelligent Automatic Intrusion Response System able to generate new and advanced reactions, with a special focus on so-called "deception-based" responses: diverting the attack to a honeynet generated dynamically and ad hoc for it, so that the attack is adequately confined, mitigated and learned from. In this approach, a detected intrusion is analysed in real time using a model of intrusions, responses and security metrics, formally defined with knowledge-representation and behaviour-definition languages that allow an inference process to be triggered from the detected intrusion.
The main novelty of the project is the integration of different techniques for the automated Intrusion Response System (IRS):
- Autonomic Systems, based on reasoning with formally defined security metrics, which will infer the most appropriate response to the incident, taking into account many other parameters related to the intrusion, its context, the attack source, etc.
- Self-protection, one of the four features of any autonomous system, is the key concept driving the main component of the RECLAMO architecture.
- Exchange of security information and alerts between different Intrusion Detection Networks (IDN) working collaboratively (a Collaborative Intrusion Detection Network, or CIDN) to detect and defend against intrusions and attacks. Information is exchanged only with those IDNs considered trustworthy according to a trust and reputation model.
- Trust and Reputation Management models, to provide the autonomic system with information about the confidence in the different components of an attack (the IDS, the source node and network, past interactions between the protected network and the source network, etc.).
- Novel response approaches based on the dynamic generation and deployment of honeynets. These honeynets will be optimised and adapted to each attack and built on virtualisation technologies, giving rise to the concept of Virtualised Honeynets and serving as a key component for mitigating attacks and reacting automatically to intrusion detections. Virtualisation is also used in the proposal to increase the availability of the services under attack, so that the end user will not perceive any difference in service provision.
- Response evaluation and learning functionalities, providing the autonomic system with information about the success or failure of previous similar reactions. Once the system has inferred a response and that response has been executed, its result must be evaluated in order to obtain feedback for further inferences.
- The use of Ontologies and Formal Behaviour Definition Languages, such as OWL and SWRL, which allow the system to infer the most appropriate response and make it possible to apply autonomic systems and Semantic Web technologies and tools to implement the intelligent Automatic Intrusion Response System.
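The following Python example is added here to illustrate three of the points above working together (trusted exchange of alerts between IDNs, inference of a response, and feedback from response evaluation); it is not RECLAMO project code and does not use OWL/SWRL. The Beta-style reputation formula, the `TRUST_THRESHOLD` value, the response catalogue in `APPLICABLE`, the Laplace-smoothed success rate and all alerts and peer names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example of a peer IDN with a counted history of accurate and
# inaccurate alerts. The reputation estimate (a+1)/(a+i+2) is an assumption
# of this illustration, not the project's trust and reputation model.
@dataclass
class PeerIDN:
    name: str
    accurate: int = 0
    inaccurate: int = 0

    def reputation(self) -> float:
        return (self.accurate + 1) / (self.accurate + self.inaccurate + 2)


@dataclass(frozen=True)
class Alert:
    source_idn: str    # peer IDN that shared the alert
    attack_type: str   # constructed categories: "scan", "bruteforce", "dos"
    severity: float    # 0.0 .. 1.0 as reported by the peer


# Alerts from peers below this reputation are discarded (assumed value).
TRUST_THRESHOLD = 0.5

# Hypothetical response catalogue, ordered by the operator's default preference
# (deception-based diversion first). Assumed, not taken from the page.
APPLICABLE: Dict[str, List[str]] = {
    "scan": ["divert_to_honeynet", "block_source", "rate_limit"],
    "bruteforce": ["divert_to_honeynet", "block_source"],
    "dos": ["rate_limit", "block_source"],
}


class ResponseSelector:
    def __init__(self, peers: List[PeerIDN]) -> None:
        self.peers = {p.name: p for p in peers}
        # learned outcomes: (attack_type, response) -> (successes, trials)
        self.outcomes: Dict[Tuple[str, str], Tuple[int, int]] = {}

    def accept_alert(self, alert: Alert) -> bool:
        # Only exchange information with IDNs the reputation model trusts.
        peer = self.peers.get(alert.source_idn)
        return peer is not None and peer.reputation() >= TRUST_THRESHOLD

    def success_rate(self, attack_type: str, response: str) -> float:
        s, n = self.outcomes.get((attack_type, response), (0, 0))
        return (s + 1) / (n + 2)   # Laplace-smoothed so untried responses score 0.5

    def infer(self, alert: Alert) -> Optional[str]:
        if not self.accept_alert(alert):
            return None
        if alert.severity < 0.2:
            return "monitor"
        candidates = APPLICABLE.get(alert.attack_type, ["monitor"])
        # max() keeps the first of tied candidates, so catalogue order is the
        # tie-breaker until feedback separates the responses.
        return max(candidates, key=lambda r: self.success_rate(alert.attack_type, r))

    def feedback(self, alert: Alert, response: str, success: bool) -> None:
        # Response evaluation: record whether the executed response worked.
        s, n = self.outcomes.get((alert.attack_type, response), (0, 0))
        self.outcomes[(alert.attack_type, response)] = (s + int(success), n + 1)

    def confirm_alert(self, alert: Alert, accurate: bool) -> None:
        # Reputation update for the peer that shared the alert.
        peer = self.peers.get(alert.source_idn)
        if peer is not None:
            if accurate:
                peer.accurate += 1
            else:
                peer.inaccurate += 1


def run_demo() -> List[Optional[str]]:
    # Constructed scenario: one reliable peer, one with a poor track record.
    trusted = PeerIDN("idn-a", accurate=3)
    untrusted = PeerIDN("idn-b", inaccurate=4)
    sel = ResponseSelector([trusted, untrusted])
    log: List[Optional[str]] = []

    log.append(sel.infer(Alert("idn-b", "scan", 0.7)))   # rejected: reputation 1/6
    scan = Alert("idn-a", "scan", 0.7)
    first = sel.infer(scan)                               # "divert_to_honeynet"
    log.append(first)
    sel.feedback(scan, first, success=False)              # two failed diversions
    sel.feedback(scan, first, success=False)
    log.append(sel.infer(scan))                           # learning shifts to "block_source"
    return log


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the feedback loop: the first inference for a scan picks the deception-based response purely from catalogue order, and two recorded failures lower its smoothed success rate below the untried alternatives, so the next inference for the same attack type changes. Alerts from a peer whose reputation is below the threshold never reach the inference step at all.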