Big Data based security analytics in cybersecurity

Dr. Thu Yein Win
Faculty of Business, Computing, & Applied Sciences, University of Gloucestershire
Cheltenham GL50 2RH, United Kingdom
Email: [email protected]

November 10, 2016



Overview

1. About me
2. Security analytics
3. Different cybersecurity attacks
4. Rationale behind security analytics
5. Security analytics architecture
6. Conclusion



About Me

Name: Thu Yein Win

Research areas: Cloud Security; Big Data Security Analytics; Computer Vision

Current role: Lecturer (Computing) @ University of Gloucestershire

Previous roles: PhD researcher @ Glasgow Caledonian University; Lecturer @ RMIT Vietnam



Security analytics

Security analytics refers to the use of Big Data analytics in cybersecurity

Involves collection of data from different network points

Uses Big Data analytics to identify previously-undiscovered threats



Different cybersecurity attacks

Advanced Persistent Threats (APT)
- More often than not state-sponsored (e.g., Stuxnet)
- Perform "low and slow" attacks
- Remain in the network over long periods of time

Botnets
- Consist of a bot master and a collection of slave bots
- Controlled through a C&C server

Drive-by malware
- Automatically downloads itself onto a user's computer
- Exploits one or more browser vulnerabilities



Rationale behind security analytics

Monitoring security threats typically involves the use of both HIDS and NIDS

However, they are limited in terms of their
- monitoring scopes
- use of signature databases

Security Information & Event Management (SIEM) systems are used as an alternative



Security Information & Event Management

Provides a holistic view of network behaviour

Consists of two components:
- Security Information Management (SIM): supports network and host log collection
- Security Event Management (SEM): supports the guest and network behaviour analysis; provides visualisation of network behaviour



Limitations of SIEM

While SIEM provides a holistic view of network behaviour, it is limited in terms of

- Incorporating additional data sources: limited in processing heterogeneous data, which results in "blind spots"
- Processing large amounts of data: uses a relational database to store correlation rules, so it is limited in supporting real-time large-scale event correlation



Architecture

Designed to overcome the limitations of existing SIEM-based approaches

Usually implemented on a large scale network

Features the use of tools such as Apache Hadoop, MapReduce, and Apache Cassandra



Figure: Infrastructure setup



Data collection

Collects both the in-guest behaviour and the traffic flows between guests

Once obtained, the data is then represented either as
- a correlation graph; or
- clusters grouping similar features together



Feature extraction

Typically features the use of a MapReduce framework

- During the Map phase, feature occurrences are counted
- The Reduce phase then consolidates features having the same characteristics

The MapReduce output is then used for attack detection



Figure: Graph before MapReduce



Figure: Graph after MapReduce



Attack detection

Once extracted, attack detection is done on the features

Can be broken down into two categories

Cluster-based
- Involves organising unlabelled features into groups
- Designed to generate a generalised pattern

Graph-based
- Correlates the log events as a graph
- Accurately identifies the sequence of events and their inter-relationships
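As an added example (not from the slides and not the author's code), the feature extraction stage above and the detection stage that consumes its output, in plain Python over a few constructed log lines rather than a Hadoop cluster: the Map phase emits a count for every feature it sees in a log line, the Reduce phase consolidates them into one count per feature, and the consolidated features feed both a graph view (edge fan-out per host) and a threshold rule. The log format, feature names and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample log lines (not from the slides): "<src> <dst> <event>"
SAMPLE_LOGS = [
    "10.0.0.5 10.0.0.1 auth_fail",
    "10.0.0.5 10.0.0.1 auth_fail",
    "10.0.0.5 10.0.0.1 auth_fail",
    "10.0.0.5 10.0.0.1 auth_ok",
    "10.0.0.5 10.0.0.2 conn",
    "10.0.0.7 10.0.0.1 auth_ok",
    "10.0.0.7 10.0.0.3 conn",
]

def map_phase(line):
    """Map: emit (feature, 1) pairs; feature kinds (event counter, src->dst edge) are assumed."""
    src, dst, event = line.split()
    yield (f"event:{src}:{event}", 1)
    yield (f"edge:{src}->{dst}", 1)

def shuffle(pairs):
    """Group every value under its key, as the framework does between Map and Reduce."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups

def reduce_phase(key, values):
    """Reduce: consolidate all occurrences of one feature into a single count."""
    return key, sum(values)

def extract_features(lines):
    """Run Map -> shuffle -> Reduce and return {feature: count}."""
    pairs = (pair for line in lines for pair in map_phase(line))
    return dict(reduce_phase(k, v) for k, v in shuffle(pairs).items())

def fan_out(features):
    """Graph view of the edge features: number of distinct peers each source talked to."""
    peers = defaultdict(set)
    for key in features:
        if key.startswith("edge:"):
            src, dst = key[len("edge:"):].split("->")
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def detect_bruteforce(features, threshold=3):
    """Flag hosts with >= threshold failed logins that also got a success (threshold assumed)."""
    hosts = {key.split(":")[1] for key in features if key.startswith("event:")}
    return sorted(h for h in hosts
                  if features.get(f"event:{h}:auth_fail", 0) >= threshold
                  and features.get(f"event:{h}:auth_ok", 0) > 0)
```

On a real deployment the Map and Reduce functions would be the mapper and reducer jobs and the shuffle would be done by the framework; the detection rule is what runs over the consolidated output.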



Figure: Typical security analytics software stack



Well-known security analytics approaches

| Approach | Strengths | Limitations | Proposed approach |
|---|---|---|---|
| Beehive [2] | Threat detection using PCA on large amounts of data | Unable to perform real-time threat detection | Real-time threat detection |
| BotCloud [1] | Detects botnet attack patterns | Limited monitoring scope (i.e., network logs) | Wide monitoring scope (i.e., network and user application logs) |



Conclusion

With the popularity of the Internet of Things, security analytics will play a major role in cybersecurity

Different research areas worth exploring include
- Use of both structured and unstructured data in threat correlation
- Ability to scale adaptively
- Application of different machine learning techniques (e.g., NN, deep learning, etc.) for threat detection




References

[1] Jerome Francois et al. "BotCloud: detecting botnets using MapReduce". In: Information Forensics and Security (WIFS), 2011 IEEE International Workshop on. IEEE, 2011, pp. 1–6.

[2] Ting-Fang Yen et al. "Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks". In: Proceedings of the 29th Annual Computer Security Applications Conference. ACM, 2013, pp. 199–208.

