Abstract
The advent of massive and highly heterogeneous information systems poses major challenges to the professionals responsible for IT security. The volume of monitoring data now being generated exceeds what any analyst or team of analysts can examine manually. At the same time, fully automated tools still cannot track the associated events in a fine-grained and reliable way. Here, we propose the HuMa framework for the detailed and reliable analysis of large amounts of data for security purposes. HuMa uses a multi-analysis approach to study complex security events in a large set of logs. It is organized around three layers: the event layer, the context and attack pattern layer, and the assessment layer. We describe the framework components and the set of complementary algorithms used for security assessment. We also evaluate the contribution of the context and attack pattern layer to security investigation.
This work was partially supported by the French Banque Publique d’Investissement (BPI) under program FUI-AAP-19 in the frame of the HuMa project.
© 2018 Springer International Publishing AG, part of Springer Nature
Navarro, J. et al. (2018). HuMa: A Multi-layer Framework for Threat Analysis in a Heterogeneous Log Environment. In: Imine, A., Fernandez, J., Marion, J.-Y., Logrippo, L., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2017. Lecture Notes in Computer Science, vol. 10723. Springer, Cham. https://doi.org/10.1007/978-3-319-75650-9_10
DOI: https://doi.org/10.1007/978-3-319-75650-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75649-3
Online ISBN: 978-3-319-75650-9