The continuous evolution of information and communication technologies, applications and services has made the computer an essential resource for performing many different tasks, such as accessing data and carrying out financial transactions. Alongside this evolution, cybercrime has been increasing and has unfortunately become a common occurrence. Its purpose is the illegal appropriation of private data and its monetization. Cyber-attacks have become more sophisticated, so that their detection is increasingly difficult and their damage increasingly devastating. This makes cybercrime a concern for both enterprises and security professionals.
One of the best-known techniques used to commit these crimes is the creation and management of botnets. Botnets are networks composed of compromised vulnerable devices (bots), such as computers, that are controlled by criminal entities. Their use preserves the anonymity of these entities when attacks are performed.
To protect themselves from these attacks, enterprises use defense mechanisms such as intrusion detection systems (IDS); however, their effectiveness in detecting these attacks depends on their knowledge of threats and of how to detect them, which makes it mandatory that IDSs be constantly updated with knowledge of new threats. This knowledge can be obtained from many public intelligence sources, Open Source Intelligence (OSINT), accessible at several locations on the Internet.
The main objective of this dissertation is the improvement of an intrusion detection architecture by using an IDS to detect hidden and disguised bots in the network infrastructure of the University of Lisbon. The presented solution proposes a rule and blacklist generator for the IDS, using information from OSINT feeds collected and processed by a threat intelligence platform, and the automatic integration of the generated rules and blacklists into the IDS.
An experimental evaluation of the solution in a real environment was performed using 44 OSINT sources collected by the IntelMQ threat intelligence platform and the Snort IDS. The proposed architecture detected threats of several categories.
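To make the rule and blacklist generation step concrete, the following is an added illustration, not the dissertation's own code: it turns threat-intelligence events into a Snort 2 reputation blacklist (for IP indicators) and DNS-query alert rules (for domain indicators), dropping malformed indicators and duplicates. The event keys are modelled on IntelMQ's flat harmonization fields (`source.ip`, `source.fqdn`, `classification.type`); the sample events, the classification value `c2-server` and the SID range are constructed assumptions.

```python
"""Generate Snort 2 blacklist entries and rules from IntelMQ-style events.

Added example (not the dissertation's code). Keys follow IntelMQ's flat
harmonization style; the sample events below are constructed, not a real feed.
"""
import ipaddress
import json

# Local rule SIDs are kept >= 1,000,000 so they never clash with vendor rulesets.
SID_BASE = 1000000

# Constructed sample feed output, one JSON event per line (IntelMQ-like keys).
SAMPLE_EVENTS = "\n".join([
    '{"source.ip": "203.0.113.10", "classification.type": "c2-server", "feed.name": "feed-a"}',
    '{"source.ip": "203.0.113.10", "classification.type": "c2-server", "feed.name": "feed-b"}',
    '{"source.fqdn": "bot-controller.example", "classification.type": "c2-server", "feed.name": "feed-a"}',
    '{"source.ip": "not-an-ip", "classification.type": "c2-server", "feed.name": "feed-a"}',
    '{"source.ip": "10.0.0.5", "classification.type": "scanner", "feed.name": "feed-c"}',
])


def dns_name_content(fqdn: str) -> str:
    """Encode an FQDN as the length-prefixed labels that appear on the wire in a DNS query."""
    labels = fqdn.lower().strip(".").split(".")
    return "".join("|%02X|%s" % (len(label), label) for label in labels) + "|00|"


def generate(raw_events: str, wanted_types=("c2-server",)):
    """Return (blacklist lines, Snort rules) for events of the wanted types, deduplicated."""
    ips, fqdns = set(), set()
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("classification.type") not in wanted_types:
            continue
        ip = ev.get("source.ip")
        if ip:
            try:
                ipaddress.ip_address(ip)  # reject malformed indicators instead of emitting a bad entry
                ips.add(ip)
            except ValueError:
                pass
        fqdn = ev.get("source.fqdn")
        if fqdn:
            fqdns.add(fqdn.lower().strip("."))
    blacklist = sorted(ips)  # one address per line, as consumed by Snort's reputation preprocessor
    rules = []
    for i, name in enumerate(sorted(fqdns)):  # sorted so SIDs are stable across runs
        rules.append('alert udp $HOME_NET any -> any 53 (msg:"OSINT C2 domain query %s"; '
                     'content:"%s"; nocase; sid:%d; rev:1;)' % (name, dns_name_content(name), SID_BASE + i))
    return blacklist, rules
```

Writing `blacklist` to the file referenced by the reputation preprocessor and `rules` to a local rules file, then reloading Snort, is the integration step the dissertation automates.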