intelligent logging server
play

Intelligent logging server SIEM for the poor Jan Vykopal , Martin Ju - PowerPoint PPT Presentation

Jun 07, 2023 •444 likes •678 views

Introduction Use case: cyber attack detection Intelligent logging server SIEM for the poor Jan Vykopal , Martin Ju ren, Daniel Kou ril Tom Kubina, Michal Prochzka, Martin Draar Masaryk University, Brno, Czech Republic CYTER

  1. Introduction Use case: cyber attack detection Intelligent logging server “SIEM for the poor” Jan Vykopal , Martin Juˇ ren, Daniel Kouˇ ril Tomáš Kubina, Michal Procházka, Martin Drašar Masaryk University, Brno, Czech Republic CYTER 2010 Prague, June 23–24, 2010

  2. Introduction Use case: cyber attack detection Introduction Use case: cyber attack detection

  3. Introduction Use case: cyber attack detection Intelligent logging server (ILS) useful tool for intrusion detection and forensic analysis that:

  4. Introduction Use case: cyber attack detection Intelligent logging server (ILS) • Enables earlier and more accurately detection of cyber attacks. • Integrates outputs from separate ICT monitoring systems. • Based on free (and open-source) components. • Reduces total count of relevant messages and eventual false positives. • Supports network hierarchy – suitable for large networks. • Detects also system misconfiguration.

  5. Introduction Use case: cyber attack detection ILS as a central monitoring point I • Supervises network infrastructure: servers, IDS, honeypots . . . • Centrally stores log files destroyed by attackers at compromised hosts (allows forensic analysis). • Can reveal malicious activities invisible at host level (e. g., distributed attacks). • Uses additional data sources such as public blacklists. • Logs are sent via secure channel to ensure message integrity and authentication.

  6. Introduction Use case: cyber attack detection ILS as a central monitoring point II

  7. Introduction Use case: cyber attack detection ILS development as a project I • Small project funded by Development Fund of CESNET and Masaryk University. • Our prototype is aimed at the Linux operating system family. • Should be easy to deploy in real-life network infrastructure . • Project period: 09/2009–11/2010. • Output available under BSD license: software package and deployment guide incl. probes configuration.

  8. Introduction Use case: cyber attack detection ILS development as a project II • Done: • project specification: ”core” protocol: Syslog, correlation: Simple Event Correlator • central log storage deployment (Linux server with RAID) • honeypot deployment (honeyd, VMware + Sebek + database of attempted passwords) • deployment of public blacklist correlation engine • integration of flow-based IDS • attack detection modules • In progress: • presentation layer • deployment of the whole system in the Masaryk University network

  9. Introduction Use case: cyber attack detection Use case: Unauthorized access to computer system • network reconnaissance by attacker • online distributed dictionary attack • successful breach • destruction of evidence • . . .

  10. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks .

  11. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks . • (distributed) port scanning captured by firewall/IDS

  12. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks . • (distributed) port scanning captured by firewall/IDS • (distributed) dictionary attack (not) detected at host

  13. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks . • (distributed) port scanning captured by firewall/IDS • (distributed) dictionary attack (not) detected at host • breach is locally logged as well as many other events

  14. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks . • (distributed) port scanning captured by firewall/IDS • (distributed) dictionary attack (not) detected at host • breach is locally logged as well as many other events • attacker stealthily destroys local log files

  15. Introduction Use case: cyber attack detection Incident handling without ILS Somebody or some devices reports several alerts = cyber attacks . • (distributed) port scanning captured by firewall/IDS • (distributed) dictionary attack (not) detected at host • breach is locally logged as well as many other events • attacker stealthily destroys local log files We do not know any connection between these events.

  16. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack .

  17. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack . • port scanning is reported to ILS

  18. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack . • port scanning is reported to ILS • ILS creates context

  19. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack . • port scanning is reported to ILS • ILS creates context • assigns other reported events to this context

  20. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack . • port scanning is reported to ILS • ILS creates context • assigns other reported events to this context • destroyed logs can be accessed later in ILS data storage

  21. Introduction Use case: cyber attack detection Incident handling with ILS ILS reports only one alert = cyber attack . • port scanning is reported to ILS • ILS creates context • assigns other reported events to this context • destroyed logs can be accessed later in ILS data storage Events are correlated, one incident is reported and all evidence is kept.

  22. Introduction Use case: cyber attack detection Summary: incident handling without ILS • Events are correlated • Several alerts relevant to • Only one dashboard one attack • Utilization of public • Several different systems blacklists • Local logs prone to • Retaining all logs for destruction forensic analysis

  23. Introduction Use case: cyber attack detection Questions&Answers Intelligent logging server Jan Vykopal et al. vykopal@ics.muni.cz

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Page 1 Rev. Oct. 2, 2019 Scanned slides can be accessed by logging onto the CHOP server from any

Page 1 Rev. Oct. 2, 2019 Scanned slides can be accessed by logging onto the CHOP server from any

Page 1 Rev. Oct. 2, 2019 Scanned slides can be accessed by logging onto the CHOP server from any computer via the website here: http://pathcorescans.research.chop.edu Save this address in your favorites for easy access. If you forget the

551 views • 4 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides
Debugging & Logging Java Logging Java has built-in support for logging Logs contain

Debugging & Logging Java Logging Java has built-in support for logging Logs contain

Debugging & Logging Java Logging Java has built-in support for logging Logs contain messages that provide information to Software developers (e.g., debugging) System administrators Customer support agents Programs send

254 views • 10 slides
TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Company Profjle { Logging while drilling { Production logging for reservoir

TomskGAZPROMgeofjzika Geophysical Services We provide full range of well logging and mud logging op- erations, cement quality control, MWD and well engineering services throughout Western and Eastern Siberia. Over 15 years of top quality

554 views • 31 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING AND RECOVERY PROTOCOLS 2 TODAYS AGENDA Logging Schemes Crash Course on ARIES protocol Physical Logging Logical Logging 3 LOGGING &

1.64k views • 125 slides
ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview Logging system The logging system provide status and diagnostic information historical archive filtering capabilities by

305 views • 11 slides
The Ocano Project The Ocano Project Intelligent eUtilities Infrastructure Intelligent

The Ocano Project The Ocano Project Intelligent eUtilities Infrastructure Intelligent

Oceano The Ocano Project The Ocano Project Intelligent eUtilities Infrastructure Intelligent eUtilities Infrastructure A Self-Managed Server Farm A Self-Managed Server Farm Germn Goldszmidt Germn Goldszmidt (gsg@ us.ibm.com) (gsg@

335 views • 32 slides
THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine

THE LOGGING LOOPHOLE How the Logging Industrys Unregulated Carbon Emissions Undermine Canadas Climate Goals environmental defence Dale Marshall Jennifer Skene Graham Saul Photo Credit: River Jordan for NRDC The Boreal Forest CARBON:

508 views • 23 slides
NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou]

NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou]

NATx4 Port Allocation and Logging [Cheng] draft-cheng-behave-nat44-pre-allocated-ports-01 [Tsou] draft-tsou-behave-natx4-log-reduction-02 [Durand] draft-durand-server-logging-recommendations-00 Note Nokia-Siemens IPR declaration on [Tsou]

234 views • 11 slides
Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server

E LIOM Tierless Web programming from the ground up Gabriel R ADANNE Jrme V OUILLON Vincent B ALAT Vasilis P APAVASILEIOU Evolution of the Web 1 Client Server 2 2 / 22 1 Client Server 2 2 / 22 1 Client Server DOM 2 2 / 22 1

778 views • 42 slides
Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why Logging? explain logging in ASP.NET Core & .NET Core how to add third party loggers What Microsoft provides Abstraction layer for logging in

573 views • 17 slides
RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for

RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for

RPC / failure 1 last time redo logging (fjnish) (weird?) choice not to use redo logging for everything reasons to use distributed systems mailbox and connnection models names versus addresses domain name system distributed, hierarchical

873 views • 75 slides
T/Key: Second-Factor Authentication Without Server Secrets Dima Kogan 1 , Nathan Manohar 2 , Dan

T/Key: Second-Factor Authentication Without Server Secrets Dima Kogan 1 , Nathan Manohar 2 , Dan

T/Key: Second-Factor Authentication Without Server Secrets Dima Kogan 1 , Nathan Manohar 2 , Dan Boneh 1 1 Stanford, 2 UCLA Passwords have multiple security issues eavesdropping/key logging phishing password reuse Two-factor authentication

779 views • 31 slides
Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You

Replicated Client-Server Execution to Overcome Unpredictability in Mobile Environment Bing You and Hao Chu Intelligent Space Lab National Taiwan University Outline Problem Related Work Replicated Client-Server Model

546 views • 17 slides
IT350: Web & Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In

IT350: Web & Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In

IT350: Web & Internet Programming Set 16: Sessions Logging In Correctly 1 Logging In Correctly Unique session IDs identify your client No other client who has connected to the website should have the same ID With proper

627 views • 4 slides
a Security ECONomics service platform for smart security investments and cyber insurance pricing

a Security ECONomics service platform for smart security investments and cyber insurance pricing

a Security ECONomics service platform for smart security investments and cyber insurance pricing in the beyonD 2020 era SECONDO: A Platform for Cybersecurity Investments and Cyber Insurance Decisions The 17th International Conference on Trust,

273 views • 13 slides
Epistemic Planning for Implicit Coordination Thomas Bolander , DTU Compute, Technical University of

Epistemic Planning for Implicit Coordination Thomas Bolander , DTU Compute, Technical University of

Epistemic Planning for Implicit Coordination Thomas Bolander , DTU Compute, Technical University of Denmark Joint work with Thorsten Engesser, Robert Mattm uller and Bernhard Nebel from Uni Freiburg Thomas Bolander, Epistemic Planning, M4M, 9

275 views • 24 slides
Challenges in Automating Style Checking for Legislative Texts Stefan Hfler and Kyoko Sugisaki

Challenges in Automating Style Checking for Legislative Texts Stefan Hfler and Kyoko Sugisaki

Institut fr Computerlinguistik Challenges in Automating Style Checking for Legislative Texts Stefan Hfler and Kyoko Sugisaki Seite 1 Second Workshop on Computational Linguistics and Writing. Avignon, April 23, 2012. Motivation Current

497 views • 13 slides
From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice

From behind the keyboard to behind bars: Cybercrime arrests and prosecu6ons in the UK Dr Alice Hutchings Computer Laboratory, University of Cambridge Presenta>on for the Inaugural Cybercrime Conference, 14 July 2016 Cambridge Computer

535 views • 32 slides
S U N D A Y C Y B E R S E S S I O N better boards conference 2018 Robens Report Initiator

S U N D A Y C Y B E R S E S S I O N better boards conference 2018 Robens Report Initiator

S U N D A Y C Y B E R S E S S I O N better boards conference 2018 Robens Report Initiator of OHS societal change Lord Cullens Review 103 recommendations to improve OHS Lord Cullens 25 year review The top 10 recommendations W

391 views • 10 slides
Evelyn Chye A for Apple illustration Cyber Wellness Values B alance E mbracing the

Evelyn Chye A for Apple illustration Cyber Wellness Values B alance E mbracing the

Cyberwellness for Parents of Pre-Schoolers Presented by: Evelyn Chye A for Apple illustration Cyber Wellness Values B alance E mbracing the Net & Inspire others A stuteness R espect & Responsibility

198 views • 6 slides
Security Data Science Joshua Neil Security Analytics Leader Advanced Security Center EY

Security Data Science Joshua Neil Security Analytics Leader Advanced Security Center EY

Security Data Science Joshua Neil Security Analytics Leader Advanced Security Center EY Powered by Agenda A Background, LANL and the EY/LANL Alliance Traditional Security and Operational Security Data B Science Advanced Analytics:

558 views • 24 slides
Cylinder Map-Making Results Shifan Zuo NAOC July 25, 2019 Observational Data We use data

Cylinder Map-Making Results Shifan Zuo NAOC July 25, 2019 Observational Data We use data

Cylinder Map-Making Results Shifan Zuo NAOC July 25, 2019 Observational Data We use data observed in 2018/03/22 2018/03/28. Use Cygnus A as calibrator with flux given in Perley and Butler, 2017. Cyg A Tau A Cas A 2 / 3 Map-Making Map

386 views • 3 slides

More recommend