A High Performance System for Intrusion Detection and Reaction Management (Anglais)

Detecting all kinds of intrusions efficiently requires a global view of the monitored network. This can only be achieved with an architecture which is able to gather data from all sources. We have developed a security operation center called SOCBox which is able to detect coordinated attacks that are not detected by traditional IDS. In this article, we present the global architecture of the SOCBox as well as several methods used to test its accuracy and performance. A real ISP network have been used as well as experiments in our lab.