Amir Azodi
Hasso Plattner Institute
Publication
Featured research published by Amir Azodi.
IEEE International Conference on Dependable, Autonomic and Secure Computing | 2013
Amir Azodi; David Jaeger; Feng Cheng; Christoph Meinel
Looking at current IDS and SIEM systems, we observe heavy processing power dedicated solely to answering a simple question: "What is the format of the log line that the IDS (or SIEM) system should process next?" Due to the apparent difficulties of uniquely identifying a log line at run-time, most systems today do little or no normalisation of the events they receive. Indeed, these systems often rely on popular search engine applications for processing and analysing the event information they receive, which results in slower and far less accurate event correlations. In this process, a large list of tokenisers is usually created in order to answer the question posed above. The tokenisers are run against each log line until a match is found. The log line can then be passed on to the correct extraction module for further processing. This process is currently the standard procedure of most IDS and SIEM systems. To address this problem and to optimise and improve the said process, this paper describes a method for detecting the exact type and format of a log line as soon as it is read. The method presented performs efficiently while consuming fewer resources. The proposed detection system is described and implemented, and its pros and cons are analysed and weighed against the methods currently implemented by popular IDS and SIEM systems for solving this task.
International Conference on Advanced Cloud and Big Data | 2013
Amir Azodi; David Jaeger; Feng Cheng; Christoph Meinel
The current state of affairs regarding the way events are logged by IT systems is the source of many problems for the developers of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. These problems stand in the way of the development of more accurate security solutions that draw their results from the data included within the logs they process. This is mainly caused by a lack of standards that can encapsulate all events in a coherent way. As a result, correlating logs produced by different systems that use different log formats has been difficult and in many cases infeasible. In order to solve the challenges faced by correlation-based Intrusion Detection Systems, we provide a platform for normalising events into a unified super event loosely based on the Common Event Expression (CEE) standard developed by the MITRE Corporation. We show how our solution is able to normalise seemingly unrelated events into a unified format. Additionally, we demonstrate queries that can detect attacks on collections of normalised logs from different sources.
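As an added illustration of what the abstract above calls "queries that can detect attacks on collections of normalised logs", the following Python is not the paper's platform or schema. It assumes a small unified record (the field names `producer`, `action`, `status`, `user`, `src_ip` are this example's own choice, not CEE's) and a handful of constructed events from two producers, an SSH daemon and a web login page. Because both producers have been normalised to the same fields, one query can count failed logins across both before a successful login from the same source, which neither producer's raw log would reveal on its own.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, already-normalised events (sample data, not real captures).
# Field names are this example's own unified schema, not the paper's.
EVENTS = [
    {"time": "2013-05-01T10:00:01", "producer": "sshd", "host": "srv1",
     "action": "login", "status": "failure", "user": "root", "src_ip": "203.0.113.5"},
    {"time": "2013-05-01T10:00:04", "producer": "sshd", "host": "srv1",
     "action": "login", "status": "failure", "user": "admin", "src_ip": "203.0.113.5"},
    {"time": "2013-05-01T10:00:06", "producer": "webauth", "host": "www1",
     "action": "login", "status": "failure", "user": "admin", "src_ip": "203.0.113.5"},
    {"time": "2013-05-01T10:00:09", "producer": "sshd", "host": "srv1",
     "action": "login", "status": "failure", "user": "bob", "src_ip": "198.51.100.7"},
    {"time": "2013-05-01T10:00:12", "producer": "webauth", "host": "www1",
     "action": "login", "status": "failure", "user": "admin", "src_ip": "198.51.100.8"},
    {"time": "2013-05-01T10:00:15", "producer": "webauth", "host": "www1",
     "action": "login", "status": "failure", "user": "admin", "src_ip": "198.51.100.9"},
    {"time": "2013-05-01T10:00:20", "producer": "sshd", "host": "srv1",
     "action": "login", "status": "success", "user": "admin", "src_ip": "203.0.113.5"},
    {"time": "2013-05-01T10:00:25", "producer": "sshd", "host": "srv1",
     "action": "login", "status": "success", "user": "bob", "src_ip": "192.0.2.9"},
    {"time": "2013-05-01T10:00:30", "producer": "sshd", "host": "srv1",
     "action": "logout", "status": "success", "user": "bob", "src_ip": "192.0.2.9"},
]


def brute_force_then_success(events, threshold=3, window_s=300):
    """Sources with >= threshold failed logins (on any producer) followed by a
    successful login from the same source within window_s seconds.
    Returns {src_ip: number_of_failures_before_success}."""
    failures = defaultdict(list)
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "login":
            continue
        t = datetime.fromisoformat(ev["time"])
        src = ev["src_ip"]
        if ev["status"] == "failure":
            failures[src].append(t)
        elif ev["status"] == "success":
            recent = [f for f in failures[src]
                      if 0 <= (t - f).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits[src] = len(recent)
            failures[src].clear()  # a success closes the episode
    return hits


def password_spraying(events, min_sources=3):
    """Users whose failed logins arrive from at least min_sources distinct
    addresses, regardless of which producer logged them."""
    sources = defaultdict(set)
    for ev in events:
        if ev["action"] == "login" and ev["status"] == "failure":
            sources[ev["user"]].add(ev["src_ip"])
    return {u: len(s) for u, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print(brute_force_then_success(EVENTS))  # 203.0.113.5 failed twice on sshd, once on webauth
    print(password_spraying(EVENTS))         # "admin" tried from three addresses
```

Both queries only work because `status`, `action` and `src_ip` mean the same thing for every producer; with raw sshd and web-server lines the analyst would first have to write one extractor per format and then join on differently named fields.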
Information Assurance and Security | 2013
Andrey Sapegin; David Jaeger; Amir Azodi; Marian Gawron; Feng Cheng; Christoph Meinel
The differences in log file formats employed by a variety of services and applications remain a problem for security analysts and developers of intrusion detection systems. The commonly proposed solution, the use of common log formats, has seen only limited adoption in existing security management solutions. In our paper, we reveal the reasons for this limitation. We show the disadvantages of existing common log formats for the normalisation of security events. To address them we have created a new log format that fits intrusion detection purposes and can be extended easily. Taking previous work into account, we propose the new format as an extension of existing common log formats rather than as a standalone specification.
International Conference on Information Security Theory and Practice | 2015
David Jaeger; Amir Azodi; Feng Cheng; Christoph Meinel
An important technique for attack detection in complex company networks is the analysis of log data from various network components. As networks grow, the number of produced log events increases dramatically, sometimes to several billion events per day. The analysis of such big data relies heavily on a full normalization of the log data in real time. Until now, the important issue of fully normalizing a large number of log events has been handled only insufficiently by many software solutions and is not well covered in existing research work. In this paper, we propose and evaluate multiple approaches for handling the normalization of a large number of typical logs better and more efficiently. The main idea is to organize the normalization in multiple levels by using a hierarchical knowledge base (KB) of normalization rules. In the end, we achieve a performance gain of about 1000x with the presented approaches in comparison to the naive approach typically used in existing normalization solutions. Considering this improvement, big log data can now be handled much faster and can be used to find and mitigate attacks in real time.
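The 2013 detection paper and the 2015 normalization paper above describe the same lookup problem: the naive approach tries every tokeniser against every line until one matches, while a hierarchical knowledge base first classifies the line cheaply and then tries only the rules in that branch. The following Python is an added example, not code from either paper and not their rule set; it uses a two-level KB keyed on the syslog program name as the level-1 key (a simplification chosen here) with constructed sample lines, and counts regex attempts so the two strategies can be compared on identical input.

```python
import re

# Constructed sample lines (not from the papers): four syslog-style lines and
# one Apache access-log line that has no syslog header at all.
LINES = [
    "May  1 10:00:01 srv1 sshd[2211]: Failed password for root from 203.0.113.5 port 4022 ssh2",
    "May  1 10:00:03 srv1 sshd[2211]: Accepted password for bob from 192.0.2.9 port 5010 ssh2",
    "May  1 10:00:05 srv1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls",
    '198.51.100.7 - - [01/May/2013:10:00:07 +0000] "GET /login HTTP/1.1" 401 512',
    "May  1 10:00:09 srv1 kernel: [12345.678] eth0: link up",
]

# Level 1: the syslog header. Its program name selects the level-2 rule set.
HDR = (r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
       r"(?P<prog>[\w\-/]+)(?:\[(?P<pid>\d+)\])?: ")
SYSLOG_HDR = re.compile(HDR + r"(?P<msg>.*)$")

# Level 2: message-part patterns, keyed by program. The first two programs
# never appear in LINES; they stand in for the long tail of a real rule base.
KB = {
    "postfix/smtpd": [("postfix_connect", r"connect from (?P<client>\S+)")],
    "CRON": [("cron_cmd", r"\((?P<user>\w+)\) CMD \((?P<cmd>.*)\)$")],
    "kernel": [("kernel_msg", r"\[\s*(?P<uptime>[\d.]+)\] (?P<text>.*)$")],
    "sudo": [("sudo_cmd", r"\s*(?P<user>\w+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                          r"USER=(?P<target>\w+) ; COMMAND=(?P<cmd>.*)$")],
    "sshd": [
        ("sshd_failed", r"Failed password for (?:invalid user )?(?P<user>\S+) from "
                        r"(?P<src_ip>\S+) port (?P<port>\d+)"),
        ("sshd_accepted", r"Accepted (?P<method>\w+) for (?P<user>\S+) from "
                          r"(?P<src_ip>\S+) port (?P<port>\d+)"),
    ],
}
# Formats without a syslog header, tried only when level 1 fails.
RAW = [("apache_access", r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                         r'"(?P<method>\w+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')]

KB_C = {prog: [(f, re.compile(p)) for f, p in rules] for prog, rules in KB.items()}
RAW_C = [(f, re.compile(p)) for f, p in RAW]
# Naive: one full-line regex per format, tried in fixed order until one matches.
FLAT = [(f, re.compile(HDR + p)) for rules in KB.values() for f, p in rules] + RAW_C


def detect_naive(line, attempts):
    """Try every tokeniser in turn; attempts[0] counts regex evaluations."""
    for fmt, rx in FLAT:
        attempts[0] += 1
        m = rx.match(line)
        if m:
            return fmt, m.groupdict()
    return None, {}


def detect_hierarchical(line, attempts):
    """Classify by header first, then try only the selected program's rules."""
    attempts[0] += 1
    h = SYSLOG_HDR.match(line)
    if h:
        for fmt, rx in KB_C.get(h.group("prog"), []):
            attempts[0] += 1
            m = rx.match(h.group("msg"))
            if m:
                fields = h.groupdict()
                fields.pop("msg")
                fields.update(m.groupdict())
                return fmt, fields
        return None, h.groupdict()  # known header, unknown message shape
    for fmt, rx in RAW_C:
        attempts[0] += 1
        m = rx.match(line)
        if m:
            return fmt, m.groupdict()
    return None, {}


def run(detector, lines):
    """Return (list of detected formats, total regex attempts)."""
    attempts = [0]
    return [detector(line, attempts)[0] for line in lines], attempts[0]


if __name__ == "__main__":
    print(run(detect_naive, LINES))         # same formats, 25 attempts
    print(run(detect_hierarchical, LINES))  # same formats, 11 attempts
```

With only seven rules the saving is modest; the gap widens with the rule base, because the naive cost grows with the total number of formats while the hierarchical cost grows only with the number of formats per program.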
International Conference on IT Convergence and Security (ICITCS) | 2013
Feng Cheng; Amir Azodi; David Jaeger; Christoph Meinel
A huge amount of information about real-time events is generated every second in a running IT infrastructure and recorded in system logs, application logs, and the output of the deployed security or management tools, e.g., IDS alerts, firewall logs, scanning reports, etc. Rapidly gathering, processing, correlating, and analyzing this massive event information is a challenging task. High-performance security analytics is proposed to address this challenge: the real-time event information is normalized, centralized, and correlated to help identify the current running state of the target environment. As an example of a next-generation Security Information and Event Management (SIEM) platform, the Security Analytics Lab (SAL) has been designed and implemented on top of the recently emerged in-memory data management technique, which makes it possible to efficiently organize, access, and process different types of event information through a consistent central storage and interface. In this paper, a multi-core architecture is introduced into the event correlation module of the SAL platform, by which correlation tasks can be executed in parallel on different computing resources. The k-means algorithm is implemented as an example of a possible event clustering and correlation algorithm. Several experiments are conducted and analyzed to show that the performance of the analytics can be significantly improved by applying the multi-core architecture in the event correlation procedure.
International Conference on Research in Security Standardisation | 2014
Nils Fleischhacker; Mark Manulis; Amir Azodi
Multi-Factor Authentication (MFA), often coupled with Key Exchange (KE), offers very strong protection for secure communication and has been recommended by many major governmental and industrial bodies for use in highly sensitive applications. Over the past few years many companies started to offer various MFA services to their users and this trend is ongoing.
MSPN 2015 Selected Papers of the First International Conference on Mobile, Secure, and Programmable Networking - Volume 9395 | 2015
Amir Azodi; Marian Gawron; Andrey Sapegin; Feng Cheng; Christoph Meinel
Modern machine learning techniques have been applied to many aspects of network analytics in order to discover patterns that can clarify or better demonstrate the behavior of users and systems within a given network. Often the information to be processed has to be converted to a different type before machine learning algorithms are able to process it. To accurately process the information generated by systems within a network, the true intention and meaning behind the information must be preserved. In this paper we propose different approaches for mapping network information such as IP addresses to integer values that attempt to keep the relations present in the original format of the information intact. With one exception, all of the proposed mappings produce outputs of at most 64 bits in order to allow atomic operations on CPUs with 64-bit registers; the output size is restricted in the interest of performance. Additionally, we demonstrate the benefits of the new mappings for one specific machine learning algorithm, k-means, and compare the algorithm's results for datasets with and without the proposed transformations.
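An added example of the idea in the abstract above, not the paper's own mappings: an IPv4 address read as a 32-bit integer keeps prefix structure (hosts in one /24 differ only in the low 8 bits, and prefix membership becomes a shift), an address-plus-port pair still fits 48 bits, while a full IPv6 address is the kind of value that cannot fit a 64-bit register. A hash of the address string is included as the contrast: it is also an integer, but it scatters neighbouring hosts. The one-dimensional k-means at the end is a deliberately minimal Lloyd's iteration written for this example, not the paper's implementation, and the host list is constructed.

```python
import hashlib
import ipaddress

# Constructed hosts from two unrelated prefixes (documentation ranges).
HOSTS = ["10.1.2.3", "10.1.2.4", "10.1.2.5", "10.1.2.9",
         "203.0.113.5", "203.0.113.6", "203.0.113.77"]


def ipv4_to_int(ip):
    """Order-preserving 32-bit mapping: hosts in one prefix stay numerically close."""
    return int(ipaddress.IPv4Address(ip))


def ipv4_port_to_int(ip, port):
    """Address in the high 32 bits, port in the low 16: 48 bits, so it still fits
    one 64-bit register and sorts by address first, then port."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (ipv4_to_int(ip) << 16) | port


def ipv6_to_int(ip):
    """The exception: a full IPv6 address needs 128 bits and cannot fit in 64."""
    return int(ipaddress.IPv6Address(ip))


def hashed_id(ip):
    """Baseline that destroys structure: a 32-bit hash scatters neighbouring hosts."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big")


def fits_64(value):
    """True if the integer can be held in an unsigned 64-bit register."""
    return 0 <= value < (1 << 64)


def same_prefix(a, b, prefixlen):
    """Prefix membership is a shift on the integer form (valid for 0 < prefixlen <= 32)."""
    shift = 32 - prefixlen
    return ipv4_to_int(a) >> shift == ipv4_to_int(b) >> shift


def kmeans_1d(values, k=2, iters=25):
    """Toy Lloyd's k-means on a single integer feature, seeded with k evenly
    spaced values between min and max so the result is deterministic.
    Returns one cluster label (0..k-1) per input value."""
    lo, hi = min(values), max(values)
    cents = [lo + i * (hi - lo) / (k - 1) for i in range(k)]
    labels = []
    for _ in range(iters):
        labels = [min(range(k), key=lambda i: abs(v - cents[i])) for v in values]
        for i in range(k):
            members = [v for v, lab in zip(values, labels) if lab == i]
            if members:
                cents[i] = sum(members) / len(members)
    return labels


if __name__ == "__main__":
    print(kmeans_1d([ipv4_to_int(h) for h in HOSTS]))  # groups by prefix
    print(kmeans_1d([hashed_id(h) for h in HOSTS]))    # grouping is arbitrary
```

On the integer mapping the two clusters coincide with the two prefixes; on the hashed ids the clusters say nothing about the network, because the distance the algorithm minimises no longer corresponds to anything in the original data.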
Advanced Information Networking and Applications | 2016
Amir Azodi; Feng Cheng; Christoph Meinel
Mitigation techniques employed by attackers have meant that traditional Network Intrusion Detection Systems (NIDS) are no longer able to reliably protect a network in the face of ever more sophisticated attacks. Security Information and Event Management (SIEM) systems monitor network systems by analyzing the logs they produce. In this paper, we propose a method of visualizing attacks by aggregating, normalizing and analyzing, in real time, the alerts raised by SIEM-based IDS (SIDS) systems as well as by NIDS systems. We present the results of our proposed visualization technique when applied to different attack scenarios. In many cases, our approach allows the path an attacker takes during an attack to be visualized.
International Conference on Software Engineering | 2015
Christoph Matthies; Lukas Pirl; Amir Azodi; Christoph Meinel
As computer software systems grow ever more sophisticated, so do the mechanisms used to compromise them. Some of the most advanced cyber attacks in recent years would have required considerable preparation and research on the specific software applications and the hardware they targeted. In this paper we focus on native applications and evaluate different reverse engineering techniques, with a focus on memory manipulation, used to compromise their security. Additionally, we discuss different protection mechanisms and their practicalities. The techniques discussed are executed against a well-known application (the Microsoft Windows Solitaire game) and the results are presented.
Wireless Personal Communications | 2017
Amir Azodi; Feng Cheng; Christoph Meinel
Network Topology Discovery and Inventory Listing are two of the primary features of modern network monitoring systems (NMS). Current NMSs rely heavily on active scanning techniques for discovering and mapping network information. Although this approach works, it introduces some major drawbacks, such as the performance impact it can have, especially in larger network environments. As a consequence, scans are often run less frequently, which can result in stale information being presented and used by the network monitoring system. Alternatively, some NMSs rely on agents deployed on the hosts they monitor. In this article, we present a new approach to Network Topology Discovery and Network Inventory Listing using only passive monitoring techniques. The proposed techniques rely solely on the event logs produced by the hosts and network devices present within a network. Finally, we discuss some of the advantages and disadvantages of our approach.
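To make the passive approach in the abstract above concrete, here is an added example, not the article's implementation: it derives an inventory (address, MAC, hostname, services seen) and an adjacency list from nothing but log lines. The lines are constructed for this example in the style of ISC dhcpd lease acknowledgements, OpenSSH logins and an iptables LOG rule whose log prefix is the verdict; the exact field layout of a real firewall log varies, so the `FW` pattern is an assumption to adapt. Every host is learned either because it produced a log line or because another host's log mentioned it, and the "service" on a destination is inferred from accepted flows to a port rather than from any probe.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog lines (sample data, not real captures).
LOGS = [
    "May  1 09:58:00 gw dhcpd: DHCPACK on 10.1.2.3 to aa:bb:cc:dd:ee:01 (laptop-bob) via eth0",
    "May  1 09:58:30 gw dhcpd: DHCPACK on 10.1.2.4 to aa:bb:cc:dd:ee:02 (printer-2f) via eth0",
    "May  1 10:00:03 srv1 sshd[2211]: Accepted password for bob from 10.1.2.3 port 5010 ssh2",
    "May  1 10:00:07 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.1.5.20 PROTO=TCP SPT=40100 DPT=443",
    "May  1 10:00:08 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.4 DST=10.1.5.21 PROTO=TCP SPT=40200 DPT=9100",
    "May  1 10:01:00 gw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.1.5.20 PROTO=TCP SPT=40101 DPT=443",
]

SYSLOG = re.compile(r"^(?P<ts>\S+ +\d+ \S+) (?P<host>\S+) (?P<rest>.*)$")
DHCP = re.compile(r"dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
                  r"\((?P<name>[^)]+)\)")
SSH = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
# Assumed iptables-LOG-like layout with the verdict as log prefix.
FW = re.compile(r"kernel: (?P<verdict>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                r"PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)")


def new_node():
    return {"mac": None, "hostname": None, "services": set(), "last_seen": None}


def build_inventory(lines):
    """Return {"nodes": {id: attrs}, "edges": {(src, dst, service): flow_count}}.
    Node ids are IP addresses where a line names one, else the producing hostname."""
    nodes = defaultdict(new_node)
    edges = Counter()
    for line in lines:
        h = SYSLOG.match(line)
        if not h:
            continue
        ts, host, rest = h.group("ts", "host", "rest")
        nodes[host]["last_seen"] = ts  # the producer itself is a host we now know about
        if m := DHCP.search(rest):
            nodes[m["ip"]].update(mac=m["mac"], hostname=m["name"], last_seen=ts)
        elif m := SSH.search(rest):
            nodes[host]["services"].add("ssh")  # the producer accepted an SSH login
            nodes[m["src"]]["last_seen"] = ts
            edges[(m["src"], host, "ssh")] += 1
        elif (m := FW.search(rest)) and m["verdict"] == "ACCEPT":
            svc = f"{m['proto'].lower()}/{m['dport']}"
            nodes[m["dst"]]["services"].add(svc)
            nodes[m["src"]]["last_seen"] = ts
            nodes[m["dst"]]["last_seen"] = ts
            edges[(m["src"], m["dst"], svc)] += 1
    return {"nodes": dict(nodes), "edges": dict(edges)}


def topology(inventory):
    """Undirected adjacency list: which nodes have been observed talking to each other."""
    adj = defaultdict(set)
    for src, dst, _ in inventory["edges"]:
        adj[src].add(dst)
        adj[dst].add(src)
    return {node: sorted(peers) for node, peers in adj.items()}


if __name__ == "__main__":
    inv = build_inventory(LOGS)
    for node, attrs in sorted(inv["nodes"].items()):
        print(node, attrs)
    print(topology(inv))
```

Two limitations the abstract's "disadvantages" likely include are visible even here: a host that never talks and never leases an address is invisible, and the service list reflects only ports that were actually used during the observation window, not everything that is listening.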