OwlSight: Platform for Real-time Detection and Visualization of Cyber Threats

ecurity reports published by leading companies reveal the growing number of cyber attacks. Thefts of money or sensitive data, harm the reputation of organizations and sabotage of national critical infrastructures are some of the motivations behind these attacks. The sophistication of these attacks is very high, creating major challenges to the detection and mitigation in useful time. In this context the development of systems to provide situational awareness, to detect cyber threats and alert them in real-time are very important to mitigate the impact of the attacks. In this paper we present a cyber threat platform targeted for real-time detection and visualization of cyber threats. The platform is composed by several building blocks and it is able to collect huge amounts of data from multiple sources, prepare and analyze the data and present the findings through a set of insightful dashboards. A version of the platform is already available and used in a real-context. It collects more than 107 million of malware events daily from different data sources and provides visualization and alerts in real-time for more than 2.7 million of infected unique IPs spread around the world.info:eu-repo/semantics/publishedVersio

Sound and Complete Runtime Security Monitor for Application Software

Conventional approaches for ensuring the security of application software at run-time, through monitoring, either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and operating system). This runtime security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit runtime application performance and so that it supports real-time systems. The security monitor takes as input the application specification and the application implementation, which may be expressed in different languages. The specification language of the application software is formalized based on monadic second order logic and event calculus interpreted over algebraic data structures. This language allows us to express behavior of an application at any desired (and practical) level of abstraction as well as with high degree of modularity. The security monitor detects every attack by systematically comparing the application execution and specification behaviors at runtime, even though they operate at two different levels of abstraction. We define the denotational semantics of the specification language and prove that the monitor is sound and complete. Furthermore, the monitor is efficient because of the modular application specification at appropriate level(s) of abstraction

A spatio-temporal entropy-based approach for the analysis of cyber attacks (demo paper)

Computer networks are ubiquitous systems growing exponentially with a predicted 50 billion devices connected by 2050. This dramatically increases the potential attack surface of Internet networks. A key issue in cyber defense is to detect, categorize and identify these attacks, the way they are propagated and their potential impacts on the systems affected. The research presented in this paper models cyber attacks at large by considering the Internet as a complex system in which attacks are propagated over a network. We model an attack as a path from a source to a target, and where each attack is categorized according to its intention. We setup an experimental testbed with the concept of honeypot that evaluates the spatiotemporal distribution of these Internet attacks. The preliminary results show a series of patterns in space and time that illustrate the potential of the approach, and how cyber attacks can be categorized according to the concept and measure of entropy