MAD: A Middleware Framework for Multi-step Attack Detection

Abstract

Signature-based network intrusion detection systems (NIDS) are one of the most popular tools used to detect and stop malicious attacks or unwanted actions. However, as network attacks become more sophisticated and diversified, the accuracy of signature-based NIDS that rely only on live network traffic decreases significantly. Recent research efforts have proposed to archive the raw contents of the network traffic stream to disk, in order to enable later inspection of activity that becomes interesting only in retrospect. Unfortunately, the ever increasing network traffic and capacity make the collection and archiving of multi-gigabit network streams very challenging. In this paper, we review different mechanisms and techniques to efficiently store the captured network traffic to disk. We also propose an architecture that will integrate all these mechanisms into a single middleware platform that will be used by network monitoring applications in order to enhance their functionalities. Our approach will offer the ability to analyze and correlate multiple security activities, as well as, in terms of forensic analysis, to perform post-mortem incident analysis in order to asses the given damage.