| Summary: | Abstract. The Internet has connected the modern world. Nowadays anyone can access anything straight from their home computer. Everything and everyone has a presence in the cyber domain, including those who seek to conduct criminal activities. In response to this, the field of cyber security has been born. Cyber threat intelligence refers to information about cyber threats such as computers with open vulnerabilities and malicious Internet sites. The amount of available information is vast and the only way to handle such a large amount of data is automation. Threat intelligence sharing platforms have been developed for this task. They are used to fetch threat intelligence data from multiple sources, harmonize and analyze the data, and share it further. One part of the automation process is the integration of threat intelligence sharing platforms with other cyber security applications. The goal of this thesis was to integrate a new intrusion detection and prevention system into the Arctic Node threat intelligence sharing platform. Suricata was chosen as the integrated system. A new integration submodule was created for Arctic Node to convert threat intelligence collected by the platform into Suricata rules and send it automatically to Suricata. One of the prominent features of this new module was the capability to deduplicate the output data. The new integration submodule was compared to a similar functionality in another threat intelligence sharing platform, MISP. Testing was conducted in a custom virtual environment using real threat intelligence from seven different feeds. The results of these tests indicated that the new submodule was able to notice a greater number of possible threats, and it generated a more diverse set of different types of Suricata rules from the same input data. Deduplication was found to only have a small impact in reducing the size of the generated rule set as the overlap between different threat intelligence feeds was minimal.Arctic Node -alustan yhdistäminen Suricataohjelmaan. ...
|
|---|