A High Performance System for Intrusion Detection and Reaction Management

Detecting all kinds of intrusions efficiently requires a global view of the monitored network. This can only be achieved with an architecture able to gather data from all available sources. We have developed a security operation center, called SOCBox, which detects coordinated attacks that traditional intrusion detection systems (IDS) miss. In this article, we present the global architecture of the SOCBox as well as several methods used to test its accuracy and performance. A real ISP network has been used for evaluation, in addition to experiments in our lab.