Nexat was a research project in collaboration with Casey Cipriano and Amir Houmansadr. Nexat addresses a problem that a typical security administrator faces today: administrators are overwhelmed by the volume of security alerts their monitoring tools generate, cannot keep up with the stream of events, and cannot predict the next security-related events. As a result, administrators are usually reactive.
The root of this problem is that the security battlefield is not even. A single action by an attacker may cause thousands of alerts to be generated on the administrator's side. Nexat tries to level the field by deducing relationships between different sets of alerts. Nexat detects related alerts (alerts that may be part of the same attack) and uses them to predict the next step of the attack. This way, Nexat lets administrators stay one step ahead of the attackers. Nexat does not require a priori knowledge about attacks, which allows it to detect and predict new types of attack as long as they are composed of detectable steps. We used the alerts generated by Snort during iCTF 2008.
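As an added illustration of the history-based idea described above (example code written for this page, not Nexat's own code or algorithm), the following Python groups Snort alert_fast lines into per-source sessions, counts which signature follows which inside a session, and ranks the likely next signature. The alert lines, the 60-second session gap and the signature names are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Snort "alert_fast" lines for illustration (not the iCTF 2008 data).
SAMPLE_ALERTS = """\
06/12-10:00:01.000000 [**] [1:1000001:1] SCAN nmap SYN [**] {TCP} 10.0.0.5:4444 -> 10.0.1.7:22
06/12-10:00:03.000000 [**] [1:1000002:1] WEB dir traversal [**] {TCP} 10.0.0.5:4445 -> 10.0.1.7:80
06/12-10:00:06.000000 [**] [1:1000003:1] WEB shell upload [**] {TCP} 10.0.0.5:4446 -> 10.0.1.7:80
06/12-10:05:00.000000 [**] [1:1000001:1] SCAN nmap SYN [**] {TCP} 10.0.0.9:4444 -> 10.0.1.8:22
06/12-10:05:02.000000 [**] [1:1000002:1] WEB dir traversal [**] {TCP} 10.0.0.9:4445 -> 10.0.1.8:80
06/12-10:05:05.000000 [**] [1:1000003:1] WEB shell upload [**] {TCP} 10.0.0.9:4446 -> 10.0.1.8:80
06/12-10:10:00.000000 [**] [1:1000001:1] SCAN nmap SYN [**] {TCP} 10.0.0.5:4447 -> 10.0.1.9:22
06/12-10:10:02.000000 [**] [1:1000004:1] SSH brute force [**] {TCP} 10.0.0.5:4448 -> 10.0.1.9:22
"""
# Optional [Classification]/[Priority] fields between the second [**] and {proto} are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
                     r"\{\w+\} (?P<src>[\d.]+):\d+ -> [\d.]+:\d+$")

def parse_alerts(text):
    """Return (timestamp, source IP, signature) tuples; malformed lines are skipped."""
    alerts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        alerts.append((datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"), m["src"], m["msg"]))
    return alerts

def build_sessions(alerts, max_gap=60):
    """Group alerts by source IP; a silence longer than max_gap seconds starts a new session."""
    sessions, open_idx = [], {}  # open_idx: source IP -> index of its current session
    for ts, src, msg in sorted(alerts):
        idx = open_idx.get(src)
        if idx is None or (ts - sessions[idx][-1][0]).total_seconds() > max_gap:
            sessions.append([])
            idx = open_idx[src] = len(sessions) - 1
        sessions[idx].append((ts, msg))
    return [[msg for _, msg in s] for s in sessions]

def train(sessions):
    """Count how often each signature is followed by each other signature within a session."""
    model = defaultdict(Counter)
    for s in sessions:
        for cur, nxt in zip(s, s[1:]):
            model[cur][nxt] += 1
    return model

def predict_next(model, current, k=3):
    """Rank the k most likely next signatures after `current`; [] if it was never seen."""
    counts = model.get(current, Counter())
    total = sum(counts.values())
    return [(sig, n / total) for sig, n in counts.most_common(k)]
```

On the sample, the model learns from history alone that a scan from a given source is followed by a directory-traversal probe two times out of three, which is the kind of next-step prediction an administrator could act on before the following alert arrives.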