Network Security Alerts Management Architecture for Signature-Based Intrusions Detection Systems within a NAT Environment

Internet is providing essential communication between an infinite number of people and is being increasingly used as a tool for commerce. At the same time, security is becoming a tremendously important issue to deal with. Different network security solutions exist and contribute to enhanced security. From these solutions, Intrusion detection systems (IDS) have become one of the most common countermeasures for monitoring safety in computer systems and networks. The purpose of IDSs is distinguishing between intruders and normal users. However, IDSs report a massive number of isolated alerts. These isolated alerts represent low-level security-related events. Many of these isolated alerts are logically involved in a single multi-stage intrusion incident and a security officer often wants to analyze the complete incident instead of each individual simple alert. Another problem is that IDSs cannot work correctly with an environment managed with a NAT technique (Network Address Translation) since the host information (IP address and port number) are affected by the NAT devices. In order to address these limitations, the paper proposes a well-structured model to manage the massive number of isolated alerts and includes the NAT information in the IDS analysis. In fact, our solution permits to determine the real identities of entities implicated in security issues and abstracts the logical relation between alerts in order to support automatic correlation of those alerts involved in the same intrusion and to construct comprehensible attacks scenarios.