Automated Incident Reporting (AirCERT) is a scalable distributed system for sharing security event data among administrative domains. Using AirCERT, organizations can exchange security data ranging from raw alerts generated automatically by network intrusion detection systems (and related sensor technology) to incident reports based on the assessments of human analysts. The infrastructure is designed around several formats for exchanging reports, including IODEF, IDMEF, and SNML, and provides a set of configurable data normalization tools for transforming data into the AirCERT framework. This framework automates the process of sanitization, normalization, and sharing -- enabling cooperation and coordination on an otherwise impractical scale, and making possible a whole new class of analyses.
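As an added example (not AirCERT code) of the normalize-then-sanitize step described above: the block parses one constructed IDMEF 1.0 alert, flattens it into a fixed-field record, and replaces the reporting site's own identifiers (addresses inside its networks, its sensor name) with keyed pseudonyms before the record leaves the site. The record field names, the sample message, the key and the internal network list are all assumptions for this example; AirCERT's own normalizers and internal schema are not reproduced here.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

# IDMEF 1.0 namespace (RFC 4765); ElementTree needs it for every lookup.
IDMEF_NS = {"idmef": "http://iana.org/idmef"}

# Constructed sample alert (not a captured message): an external host probing
# an internal SMB port, as a NIDS would report it in IDMEF.
SAMPLE_IDMEF = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="dmz-sensor01"/>
    <idmef:CreateTime>2004-01-15T10:01:25Z</idmef:CreateTime>
    <idmef:Source>
      <idmef:Node>
        <idmef:Address category="ipv4-addr"><idmef:address>203.0.113.7</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target>
      <idmef:Node>
        <idmef:Address category="ipv4-addr"><idmef:address>10.20.30.40</idmef:address></idmef:Address>
      </idmef:Node>
      <idmef:Service><idmef:port>445</idmef:port></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="SMB probe"/>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def _text(elem, path):
    """Text of the first element matching an IDMEF path, or None."""
    node = elem.find(path, IDMEF_NS)
    return node.text.strip() if node is not None and node.text else None


def normalize_idmef(xml_text):
    """Flatten one IDMEF Alert into a record with a fixed set of fields.

    The field names are an assumption for this example, not AirCERT's schema."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", IDMEF_NS)
    if alert is None:
        raise ValueError("no Alert element in IDMEF message")
    analyzer = alert.find("idmef:Analyzer", IDMEF_NS)
    classification = alert.find("idmef:Classification", IDMEF_NS)
    return {
        "message_id": alert.get("messageid"),
        "analyzer_id": analyzer.get("analyzerid") if analyzer is not None else None,
        "create_time": _text(alert, "idmef:CreateTime"),
        "source_ip": _text(alert, "idmef:Source/idmef:Node/idmef:Address/idmef:address"),
        "target_ip": _text(alert, "idmef:Target/idmef:Node/idmef:Address/idmef:address"),
        "target_port": _text(alert, "idmef:Target/idmef:Service/idmef:port"),
        "classification": classification.get("text") if classification is not None else None,
    }


def pseudonymize(value, key):
    """Keyed pseudonym: the same input under the same site key always maps to
    the same token, so repeated activity still correlates across reports, but
    the receiver cannot invert it without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseudo:" + digest[:16]


def sanitize(record, key, internal_nets):
    """Replace identifiers that describe the reporting site (addresses inside
    its own networks, its sensor name) with pseudonyms. Addresses outside those
    networks, i.e. the attacker side, are what the sharing is for and are left
    intact. A value that fails to parse is pseudonymized rather than passed
    through, so a malformed field can never leak."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    out = dict(record)
    for field in ("source_ip", "target_ip"):
        value = out.get(field)
        if value is None:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            out[field] = pseudonymize(value, key)
            continue
        if any(addr in net for net in nets):
            out[field] = pseudonymize(value, key)
    if out.get("analyzer_id"):
        out["analyzer_id"] = pseudonymize(out["analyzer_id"], key)
    return out


def prepare_for_sharing(xml_text, key, internal_nets):
    """Normalize, then sanitize: the record that actually leaves the site."""
    return sanitize(normalize_idmef(xml_text), key, internal_nets)


if __name__ == "__main__":
    shared = prepare_for_sharing(SAMPLE_IDMEF, b"site-secret-key", ["10.0.0.0/8"])
    for field, value in shared.items():
        print(f"{field}: {value}")
```

The keyed hash is the design point: plain truncation or a fixed mapping would either destroy the ability to notice the same target being hit repeatedly, or let a receiver rebuild the site's address plan by brute force. With a per-site secret the pseudonyms stay consistent for that site's reports only, which is what a cross-domain trend analysis needs.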
The goal of AirCERT is to provide a capability to discern trends and patterns of intruder activity spanning multiple administrative domains. The underlying assumption is that, given data sampled from representative sites, it is possible to draw such conclusions, and that with a large enough sample, activity at sites outside the sample can be extrapolated. With regard to the collected data, the premise of AirCERT is that the whole is worth more than the sum of its parts.
The analytical products of AirCERT will enhance an organization's security posture by providing a framework to automatically confirm activity that the local security infrastructure detected, as well as to identify trends occurring on the larger Internet that may impact the organization.
The vast majority of the current code base is implemented in C, Perl, or PHP. This code has been tested on Linux, FreeBSD, OpenBSD, and Mac OS X, but should be usable without change on other Unix platforms. Certain components will also run on Win32.