24 research outputs found

    A scalable SIEM correlation engine and its application to the Olympic Games IT infrastructure

    The scalability of security event correlation has become a major concern for security analysts and IT administrators of complex IT infrastructures that must handle huge volumes of events or wide correlation windows. The current correlation capabilities of Security Information and Event Management (SIEM) systems, based on a single node in a centralized server, have proved insufficient to process large event streams. This paper introduces a step forward in the state of the art to address these problems. The proposed model takes into account the two main aspects of this field: distributed correlation and query parallelization. We present a case study of a multi-step attack on the Olympic Games IT infrastructure to illustrate the applicability of our approach.
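    The two ideas named in the abstract, distributed correlation and query parallelization, in working form. This is an added example and not the paper's engine: events are hash-partitioned by source IP so that every attacker's events land on one partition, each partition is correlated independently by the same multi-step rule, and the alerts are merged. The attack chain, the 300-second window and the sample events are assumptions constructed for the example.

```python
"""Distributed correlation of a multi-step attack: added example, not the
paper's engine. Events are hash-partitioned by source IP so that each
partition can be correlated independently (the query runs in parallel on
every partition) and the alerts are merged at the end."""
import zlib
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]   # (timestamp in seconds, source IP, event type)
Alert = Tuple[str, int, int]   # (source IP, first step ts, last step ts)

# Hypothetical attack chain and correlation window (assumptions for the example).
ATTACK_SEQUENCE = ("portscan", "exploit_attempt", "large_outbound_transfer")
WINDOW_SECONDS = 300

# Constructed sample stream. 10.0.0.5 completes the whole chain within the
# window; 10.0.0.9 only scans; 10.0.0.7's steps are too far apart in time.
SAMPLE_EVENTS: List[Event] = [
    (100, "10.0.0.5", "portscan"),
    (101, "10.0.0.9", "portscan"),
    (130, "10.0.0.5", "exploit_attempt"),
    (150, "10.0.0.7", "portscan"),
    (160, "10.0.0.5", "large_outbound_transfer"),
    (900, "10.0.0.7", "exploit_attempt"),
    (1500, "10.0.0.7", "large_outbound_transfer"),
]


def partition_by_key(events: List[Event], n_partitions: int) -> List[List[Event]]:
    """Stable hash-partitioning on the correlation key (source IP).

    All events of one source land on the same partition, so no correlation
    state ever has to be shared between workers. zlib.crc32 is used rather
    than hash() because Python's str hash is randomised per process.
    """
    parts: List[List[Event]] = [[] for _ in range(n_partitions)]
    for ev in events:
        parts[zlib.crc32(ev[1].encode()) % n_partitions].append(ev)
    return parts


def correlate_partition(events: List[Event]) -> List[Alert]:
    """Single-node rule: per source, advance through ATTACK_SEQUENCE as long
    as each step arrives within WINDOW_SECONDS of the chain's first event;
    an expired window restarts the chain."""
    state: Dict[str, Tuple[int, int]] = {}   # src -> (next step index, chain start ts)
    alerts: List[Alert] = []
    for ts, src, etype in sorted(events):
        step, start = state.get(src, (0, ts))
        if step > 0 and ts - start > WINDOW_SECONDS:
            step, start = 0, ts                # window expired: restart the chain
        if etype == ATTACK_SEQUENCE[step]:
            if step == 0:
                start = ts                     # chain starts at this event
            step += 1
            if step == len(ATTACK_SEQUENCE):
                alerts.append((src, start, ts))
                step = 0
        state[src] = (step, start)
    return alerts


def correlate_distributed(events: List[Event], n_workers: int = 4) -> List[Alert]:
    """Query parallelisation: the same rule runs on every partition
    concurrently and the per-partition alerts are merged."""
    partitions = partition_by_key(events, n_workers)
    with ThreadPoolExecutor(max_workers=n_workers) as pool:
        per_partition = pool.map(correlate_partition, partitions)
    return sorted(alert for alerts in per_partition for alert in alerts)


if __name__ == "__main__":
    for src, first, last in correlate_distributed(SAMPLE_EVENTS):
        print(f"multi-step attack from {src}: {first}s -> {last}s")
```

    The property that makes the split safe is that the rule's state is keyed by the same attribute the partitioner hashes on; a rule that correlated across sources (for example, a distributed scan) would need a different key or a merge step that the example does not include.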

    Security Analysis of System Behaviour - From "Security by Design" to "Security at Runtime" -

    The Internet today provides the environment for novel applications and processes that may evolve well beyond their pre-planned scope and purpose. Security analysis is growing in complexity with the increase in functionality, connectivity, and dynamics of current electronic business processes. Technical processes within critical infrastructures also have to cope with these developments. To tackle the complexity of security analysis, the application of models is becoming standard practice. However, model-based support for security analysis is needed not only in pre-operational phases but also during process execution, in order to provide situational security awareness at runtime. This cumulative thesis provides three major contributions to modelling methodology. Firstly, it provides an approach for model-based analysis and verification of security and safety properties in order to support fault prevention and fault removal in system design or redesign. Furthermore, some construction principles for the design of well-behaved scalable systems are given. The second topic is the analysis of the exposure of vulnerabilities in the software components of networked systems to exploitation by internal or external threats. This kind of fault forecasting allows the security assessment of alternative system configurations and security policies. Validation and deployment of security policies that minimise the attack surface can then improve fault tolerance and mitigate the impact of successful attacks. Thirdly, the approach is extended to runtime applicability. An observing system monitors an event stream from the observed system with the aim of detecting faults, that is, deviations from the specified behaviour or security compliance violations, at runtime. Furthermore, knowledge about the expected behaviour given by an operational model is used to predict faults in the near future. Building on this, a holistic security management strategy is proposed. The architecture of the observing system is described and the applicability of model-based security analysis at runtime is demonstrated using processes from several industrial scenarios. The results of this cumulative thesis are provided in 19 selected peer-reviewed papers.

    Advancing security information and event management frameworks in managed enterprises using geolocation

    Includes bibliographical references
    Security Information and Event Management (SIEM) technology supports security threat detection and response through real-time and historical analysis of security events from a range of data sources. Through the retrieval of mass feedback from many components and security systems within a computing environment, SIEMs are able to correlate and analyse events with a view to incident detection. The hypothesis of this study is that existing Security Information and Event Management techniques and solutions can be complemented by location-based information provided by feeder systems. In addition, and associated with the introduction of location information, it is hypothesised that privacy-enforcing procedures on geolocation data in SIEMs and meta-systems alike are necessary and enforceable. The method of the study was to augment a SIEM, established for the collection of events in an enterprise service management environment, with geolocation data. By introducing the location dimension, it was possible to expand the correlation rules of the SIEM with location attributes and to see how this improved security confidence. An important co-consideration is the effect on privacy when location information of an individual or system is propagated to a SIEM. With a theoretical consideration of the current privacy directives and regulations (specifically as promulgated in the European Union), privacy-supporting techniques are introduced to diminish the accuracy of the location information while still enabling enhanced security analysis. In the context of a European Union FP7 project relating to next-generation SIEMs, the results of this work have been implemented based on systems, data, techniques and resilience features of the MASSIF project. In particular, AlienVault has been used as the platform for augmenting a SIEM, and an event set of several million events, collected over a three-month period, has formed the basis for the implementation and experimentation. A "brute-force attack" misuse case scenario was selected to highlight the benefits of geolocation information as an enhancement to SIEM detection (and false-positive prevention). With respect to privacy, a privacy model is introduced for SIEM frameworks. This model takes the existing privacy legislation that is most stringent in terms of privacy as its basis. An analysis of the implementation and testing is conducted, focusing equally on data security and privacy: assessing location-based information in enhancing SIEM capability in advanced security detection, and determining whether privacy-enforcing procedures on geolocation in SIEMs and other meta-systems are achievable and enforceable. Opportunities for geolocation to enhance various security techniques are considered, specifically for solving misuse cases identified as existing problems in enterprise environments. In summary, the research shows that additional security confidence and insight can be achieved through the augmentation of SIEM event information with geolocation information. Through the use of spatial cloaking it is also possible to incorporate location information without compromising individual privacy. Overall, the research reveals that there are significant benefits for SIEMs in making use of geolocation in their analysis, and that this can be done in ways that are acceptable when considered against prevailing privacy legislation and guidelines.
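    The brute-force misuse case with a location dimension, and spatial cloaking of the location before it reaches the SIEM, as an added example; this is not the thesis' AlienVault rule set or the MASSIF code. The per-user "usual" location table, the 1-degree cloaking grid, the 500 km threshold and the login events are assumptions constructed for the example.

```python
"""Brute-force detection enriched with geolocation, plus spatial cloaking
of the stored location: added example, not the thesis' AlienVault rules."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

LatLon = Tuple[float, float]

# Assumed per-user usual location (in practice fed by an HR or asset system).
HOME_LOCATION: Dict[str, LatLon] = {
    "alice": (51.5, -0.1),   # London
    "bob": (48.9, 2.4),      # Paris
}

# Constructed login events: (ts, user, outcome, lat, lon), the coordinates
# as resolved from the source IP by a geolocation feeder.
SAMPLE_EVENTS = [
    (100, "alice", "failure", 51.52, -0.08),
    (101, "alice", "failure", 51.52, -0.08),
    (102, "alice", "failure", 51.52, -0.08),
    (103, "alice", "failure", 51.52, -0.08),
    (104, "alice", "failure", 51.52, -0.08),
    (105, "alice", "success", 51.52, -0.08),
    (200, "bob", "failure", 55.75, 37.6),
    (201, "bob", "failure", 55.75, 37.6),
    (202, "bob", "failure", 55.75, 37.6),
    (203, "bob", "failure", 55.75, 37.6),
    (204, "bob", "failure", 55.75, 37.6),
]


def cloak(lat: float, lon: float, cell_deg: float = 1.0) -> LatLon:
    """Spatial cloaking: snap a position to the centre of a cell_deg-degree
    grid cell (1 degree is roughly 100 km), so the SIEM only ever stores a
    region, never the precise position of the person or device."""
    return (math.floor(lat / cell_deg) * cell_deg + cell_deg / 2,
            math.floor(lon / cell_deg) * cell_deg + cell_deg / 2)


def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_brute_force(events, threshold=5, window=600, far_km=500.0):
    """Classic rule (>= threshold failures per user within window seconds)
    with a location dimension: failures from far outside the user's usual
    region are rated high; a burst from the usual region (most often a user
    mistyping a password) is rated low, which is the false-positive cut."""
    failures = defaultdict(list)          # user -> [(ts, cloaked cell), ...]
    alerts: List[Tuple] = []
    for ts, user, outcome, lat, lon in sorted(events):
        if outcome != "failure":
            continue
        bucket = failures[user]
        bucket.append((ts, cloak(lat, lon)))           # only the cloaked cell is kept
        bucket[:] = [(t, c) for t, c in bucket if ts - t <= window]
        if len(bucket) >= threshold:
            cells = {c for _, c in bucket}
            home = HOME_LOCATION.get(user)
            far = home is None or any(haversine_km(c, home) > far_km for c in cells)
            alerts.append((user, ts, "high" if far else "low", sorted(cells)))
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for user, ts, severity, cells in detect_brute_force(SAMPLE_EVENTS):
        print(f"{severity}: brute force against {user} at t={ts} from cells {cells}")
```

    Because cloaking happens before the event is stored, the distance test runs on cell centres; with a 1-degree grid the error is bounded by about 80 km, which is well inside the 500 km decision threshold, so the privacy measure costs nothing for this rule.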

    Diseño de una metodología para la detección de ataques a infraestructuras informáticas basada en la correlación de eventos.

    A methodology for detecting cyber-attacks on technological infrastructures, based on event correlation, was designed. The study analysed the difficulty and incompatibility that the logs generated by active network devices present for security analysis. Different device brands and models were examined, together with event normalisation techniques, with the aim of responding effectively to incidents in near real time. To simulate security incidents, the OSSTMM and ISAFF methodologies were analysed and adapted to the proposed methodology, taking the Ecuadorian national environment as the field of application and meeting the theoretical requirements of Ministerial Agreement No. 166, published by the Secretaría Nacional de la Administración Pública in Registro Oficial No. 88 of September 2013. The methodology was designed around Security Information and Event Management (SIEM) event-correlation technology, which allows security incidents to be compared, integrated and visualised in real time. Application- and network-level attacks were simulated: port scanning, SQL injection, denial of service, command injection, buffer overflow and brute force. Analysing the results with the inferential statistical technique ANOVA at a significance level of 0.05 (95% confidence), it was possible to determine that the methodology for detecting cyber-attacks on technological infrastructures based on event correlation increased the number of detected attacks on IT infrastructures by 47.8%. Implementation of the methodology in critical infrastructures is recommended.

    Diverse Intrusion-tolerant Systems

    Over the past 20 years there have been indisputable advances in the development of Byzantine Fault-Tolerant (BFT) replicated systems. These systems preserve safety as long as at most f out of n replicas fail simultaneously. Therefore, in order to maintain correctness, it is assumed that replicas do not suffer from common-mode failures, or in other words that replicas fail independently. In an adversarial setting, this requires that replicas do not share similar vulnerabilities; otherwise a single exploit could be employed to compromise a significant part of the system. The thesis investigates how this assumption can be substantiated in practice by exploiting diversity when managing the configurations of replicas. The thesis begins with an analysis of a large dataset of vulnerability information to obtain evidence that diversity can contribute to failure independence. In particular, we used the data from a vulnerability database to devise strategies for building groups of n replicas with different Operating Systems (OS). Our results demonstrate that it is possible to create dependable configurations of OSes that do not share vulnerabilities over reasonable periods of time (i.e., a few years). Then, the thesis proposes a new design for a firewall-like service that protects and regulates access to critical systems and that could benefit from our diversity management approach. The solution provides fault and intrusion tolerance by implementing an architecture based on two filtering layers, enabling efficient removal of invalid messages at early stages in order to decrease the costs associated with BFT replication in the later stages. The thesis also presents a novel solution for managing diverse replicas. It collects and processes data from several data sources to continuously compute a risk metric. Once the risk increases, the solution replaces a potentially vulnerable replica with another one, trying to maximise the failure independence of the replicated service. The replaced replica is then put in quarantine and updated with the available patches, to be prepared for later re-use. We devised various experiments that show the dependability gains and performance impact of our prototype, including key benchmarks and three BFT applications (a key-value store, our firewall-like service, and a blockchain).
    LASIGE research unit (UID/CEC/00408/2019) and project PTDC/EEI-SCR/1741/2041 (Abyss
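    The selection and replacement logic the abstract describes, as an added example that is not the thesis' tool: choose n OS families whose recorded vulnerabilities overlap least, compute a per-replica risk metric from the currently unpatched vulnerabilities, and, when a replica's risk rises, swap in the spare OS that keeps common-mode vulnerabilities lowest. The vulnerability records, OS list and identifiers V-1 to V-8 are constructed; real input would come from a vulnerability database.

```python
"""Choosing diverse replica configurations from vulnerability data, and
replacing a replica when its risk rises: added example, not the thesis'
tool. The vulnerability records below are constructed."""
from itertools import combinations
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed records: vulnerability id -> set of OS families it affects.
VULNS: Dict[str, Set[str]] = {
    "V-1": {"linux", "openbsd"},
    "V-2": {"linux"},
    "V-3": {"windows"},
    "V-4": {"linux", "windows"},
    "V-5": {"freebsd", "openbsd"},
    "V-6": {"solaris"},
    "V-7": {"windows", "solaris"},
    "V-8": {"windows", "freebsd"},
}
CANDIDATES = ["linux", "windows", "openbsd", "freebsd", "solaris"]


def common_mode_vulns(config: Iterable[str], vulns=VULNS) -> List[str]:
    """Vulnerabilities that affect two or more replicas of a configuration:
    one exploit for any of these defeats the f-out-of-n assumption."""
    members = set(config)
    return sorted(v for v, affected in vulns.items() if len(affected & members) >= 2)


def best_configuration(n: int, candidates=CANDIDATES, vulns=VULNS) -> Tuple[str, ...]:
    """Exhaustive search over n-OS configurations (fine for a handful of OS
    families). Primary objective: fewest common-mode vulnerabilities;
    secondary: fewest vulnerabilities touching the configuration at all;
    the tuple itself breaks remaining ties deterministically."""
    def score(cfg):
        members = set(cfg)
        total = sum(1 for affected in vulns.values() if affected & members)
        return (len(common_mode_vulns(cfg, vulns)), total, cfg)
    return min(combinations(sorted(candidates), n), key=score)


def risk_score(os_name: str, unpatched: Iterable[str], vulns=VULNS) -> int:
    """Risk metric for one replica: number of currently unpatched
    vulnerabilities that affect its OS."""
    return sum(1 for v in unpatched if os_name in vulns.get(v, set()))


def replace_replica(config: Sequence[str], risky_os: str,
                    spare: Sequence[str], vulns=VULNS) -> str:
    """Swap out a replica whose risk has risen: pick the spare OS that keeps
    the resulting configuration's common-mode vulnerabilities lowest. The
    removed OS would go to quarantine for patching and later re-use."""
    remaining = [o for o in config if o != risky_os]
    options = [o for o in spare if o not in config]
    return min(options, key=lambda o: (len(common_mode_vulns(remaining + [o], vulns)), o))


if __name__ == "__main__":
    cfg = best_configuration(3)
    print("best 3-replica configuration:", cfg, "shared:", common_mode_vulns(cfg))
    print("risk of linux with V-1, V-2 unpatched:", risk_score("linux", ["V-1", "V-2"]))
    print("replacement for linux:", replace_replica(cfg, "linux", CANDIDATES))
```

    Exhaustive search is only practical because the candidate set is a handful of OS families; with product versions as candidates the search space explodes, and a greedy build (add the candidate that introduces the fewest new shared vulnerabilities) is the usual substitute.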

    A Platform for analyzing log files using temporal logic approach: a test case with web server logs

    Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Systems Security (MSc.ISS) at Strathmore University
    Web logs are a set of recorded events between clients and web servers. The information provided by these events is valuable to computer system administrators, digital forensic investigators and system security personnel during digital investigations. It is important for them to understand when certain system events were initiated and by whom. To achieve this, it is fundamental to gather evidence related to the crime from log files. These forensic procedures, however, pose a major challenge because of the large size of web log files and the difficulty of understanding and correlating them with the attack patterns associated with digital crimes. Connecting events that are far apart in large log files requires extensive computational effort. This dissertation proposes the design, implementation and evaluation of a web log analysis system based on temporal logic and reconstruction. The case study is web server misuse. Temporal logic operators represent system changes over time. Reconstructing the records in web server log files as streams enables temporal logic to be applied to the streaming data. The web server attack patterns established are described by a special subset of temporal logic known as MSFOMTL (Many Sorted First Order Metric Temporal Logic). The attack patterns are written as queries in an EPL (Event Processing Language) and parsed by Esper, a Complex Event Processing (CEP) engine. To ensure the proposed system increases the quality of the log analysis process, log analysis is performed with a time-window mechanism on sorted log files.
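    A metric-temporal pattern evaluated over reconstructed web server log records, as an added example; it is not the thesis' Esper/EPL queries and implements the bounded operators directly in Python. The pattern, per client, is "at least k responses 404 within a scan window, and then eventually within a follow-up window a 200 on a path under /admin". The log lines, the thresholds and the /admin path are constructed assumptions.

```python
"""Evaluating a metric-temporal pattern over a stream of web server log
records: added example; it does not use Esper or EPL but implements the
bounded temporal operators directly in Python."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache/nginx combined log format (the referer and user-agent tail is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. 203.0.113.7 probes three non-existent paths and
# then reaches /admin/ within five minutes; 192.0.2.9 probes but reaches
# /admin/ only half an hour later; 198.51.100.2 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 208
203.0.113.7 - - [12/Mar/2021:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 208
203.0.113.7 - - [12/Mar/2021:10:00:05 +0000] "GET /.env HTTP/1.1" 404 208
203.0.113.7 - - [12/Mar/2021:10:00:40 +0000] "GET /admin/ HTTP/1.1" 200 5120
198.51.100.2 - - [12/Mar/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.2 - - [12/Mar/2021:10:01:02 +0000] "GET /missing HTTP/1.1" 404 208
192.0.2.9 - - [12/Mar/2021:10:02:00 +0000] "GET /a HTTP/1.1" 404 208
192.0.2.9 - - [12/Mar/2021:10:02:01 +0000] "GET /b HTTP/1.1" 404 208
192.0.2.9 - - [12/Mar/2021:10:02:02 +0000] "GET /c HTTP/1.1" 404 208
192.0.2.9 - - [12/Mar/2021:10:30:00 +0000] "GET /admin/ HTTP/1.1" 200 5120
""".splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Reconstruct one log line as a typed event record; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def probe_then_admin(lines, k=3, scan_window=60.0, followup_window=300.0):
    """Per client c, in metric temporal terms:
        (c produced >= k status-404 responses within the last scan_window s)
        and then F_[0, followup_window] (c receives 200 on a path under /admin),
    measured from the k-th 404. Records are assumed time-ordered, as server
    logs are; the per-client deque is the bounded-past window."""
    recent_404: Dict[str, deque] = defaultdict(deque)
    deadline: Dict[str, float] = {}     # client -> latest ts at which an /admin 200 still counts
    hits: List[Tuple[str, str, float]] = []
    for rec in filter(None, map(parse_line, lines)):
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 404:
            window = recent_404[ip]
            window.append(ts)
            while ts - window[0] > scan_window:      # drop 404s outside the bounded past
                window.popleft()
            if len(window) >= k:
                deadline[ip] = ts + followup_window  # arm the "eventually within" clause
        elif rec["status"] == 200 and rec["path"].startswith("/admin"):
            if ip in deadline and ts <= deadline[ip]:
                hits.append((ip, rec["path"], ts))
                del deadline[ip]
    return hits


if __name__ == "__main__":
    for ip, path, ts in probe_then_admin(SAMPLE_LOG):
        print(f"{ip} probed then reached {path} at {datetime.fromtimestamp(ts)}")
```

    Sorting the log by time before evaluation is what makes the single forward pass valid; unsorted input would need a buffer that releases records only once no earlier timestamp can still arrive.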

    Cyber Security of Critical Infrastructures

    Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods

    Técnicas de detección de ataques en un sistema SIEM (Security Information and Event Management)

    Technological advance has produced an almost entirely globalized world. New inventions, digital or not, arrive at a speed that has revolutionized the pace of life of most people. Information has become a widely used and highly valuable resource, which has made protecting it a much-demanded job. Globalization and the interconnection of networks (the Internet) keep people in contact across the world. As a result, cyber-attacks on networks have become a main objective of attackers who attempt to obtain confidential information or credentials, or to deny the availability of network resources. Security Information and Event Management (SIEM) systems have become the main defence against those attacks. How to detect attacks and prepare procedures and algorithms to protect information is the objective of this work, which develops solutions by understanding the systems and the theory behind each cyber-attack.

    Building the Future Internet through FIRE

    The Internet as we know it today is the result of continuous work on improving network communications, end-user services, computational processes and information technology infrastructures. The Internet has become a critical infrastructure for humanity by offering complex networking services and end-user applications that together have transformed all aspects, mainly economic, of our lives. Recently, with the advent of new paradigms and the progress in wireless technology, sensor networks and information systems, and also the inexorable shift towards the everything-connected paradigm, first known as the Internet of Things and lately envisioned as the Internet of Everything, a data-driven society has been created. In a data-driven society, productivity, knowledge, and experience depend on increasingly open, dynamic, interdependent and complex Internet services. The challenge for the design of the Future Internet is to build robust enabling technologies, to implement and deploy adaptive systems, and to create business opportunities in the face of increasing uncertainties and emergent systemic behaviours where humans and machines seamlessly cooperate.

    Proceedings of the 11th International Conference on Kinanthropology

    The 11th International Conference on Kinanthropology was held from Nov 29 to Dec 1, 2017 in Brno and was organized by the Faculty of Sports Studies, Masaryk University and the Faculty of Kinesiology, University of Zagreb. This year's conference was divided into several themes: sports medicine, sport and social science, sport training, healthy lifestyle and healthy ageing, sports management, and analysis of human movement. Part of the conference was also the symposium Atletika and Ortoreha, which gathered specialists in physiotherapy.