Hybrid Intrusion Detection System and Network Infrastructure Vulnerability Mitigation using Active Response (XDR) Technique Wazuh and Suricata
Abstract
The complexity of cyber threats against the network infrastructure of companies, educational institutions, and government makes protecting network infrastructure a top priority. Router and server devices are highly vulnerable to various types of cyber threats, requiring comprehensive detection and response solutions. This research implements an intrusion detection system by integrating SIEM technology and Wazuh XDR (Extended Detection and Response). The system analyzes index pattern data from Wazuh agent devices to detect and respond to attacks using the XDR active response firewall. Testing was conducted on MikroTik RouterOS and Ubuntu Server 20.04 as Wazuh agents, against reconnaissance, brute force and DoS attacks. The results show that Nmap and brute force attacks were successfully detected by the Wazuh manager, which blocked the malicious attacker IP through active response. Detection of brute force attacks showed an increase in traffic of up to 60 Kbps and CPU usage reaching 100%, which then decreased after the active response firewall was activated. Authentication failures reached 2198 in the first hour of the brute force attack. CPU usage increased from 20% to 85% during the attack and decreased to 15% after the active response firewall was activated. During DoS attacks, the MikroTik experienced an increase in CPU usage of up to 61% and memory usage of 67%. After activating the active response firewall, CPU usage decreased to 3%. Traffic on the MikroTik interface increased to 3.3 Mbps during the attack, then decreased to 1 Kbps after the firewall was activated.
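As an added example (not the paper's own configuration), a Wazuh manager ossec.conf fragment of the kind that ties the brute-force detection described above to the firewall-drop active response; rule IDs 5712 and 5763 are Wazuh's default sshd brute-force rules, while the 600-second timeout and local scope are assumed values for illustration.

```xml
<!-- Added example (not the paper's configuration): manager-side ossec.conf fragment
     that runs the firewall-drop active response on the agent that reported the event.
     Rule IDs 5712/5763 are Wazuh's default sshd brute-force rules; the 600-second
     timeout and local scope are assumed values chosen for illustration. -->
<ossec_config>
  <!-- Declares the response: firewall-drop inserts an iptables DROP for the alert's
       srcip on the agent and removes it again when the timeout expires. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binds the response to the brute-force rules. location=local blocks on the
       agent that generated the alert; a bounded timeout keeps a spoofed or shared
       source IP from being locked out indefinitely. -->
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712,5763</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Once the manager is restarted, a matching alert appears in the agent's active-responses.log together with the add and, after the timeout, the delete action for the blocked IP.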
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
The proposed policy for journals that offer open access
Authors who publish with this journal agree to the following terms:
- Copyright on any article is retained by the author(s).
- Authors grant the journal the right of first publication, with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work’s authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal’s published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.
- The article and any associated published material are distributed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.