3 research outputs found
zeek-osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection
Intrusion Detection Systems (IDSs) can analyze network traffic for signs of
attacks and intrusions. However, encrypted communication limits their
visibility and sophisticated attackers additionally try to evade their
detection. To overcome these limitations, we extend the scope of Network IDSs
(NIDSs) with additional data from the hosts. For that, we propose the
integrated open-source zeek-osquery platform that combines the Zeek IDS with
the osquery host monitor. Our platform can collect, process, and correlate host
and network data at large scale, e.g., to attribute network flows to processes
and users. The platform can be flexibly extended with own detection scripts
using already correlated, but also additional and dynamically retrieved host
data. A distributed deployment enables it to scale with an arbitrary number of
osquery hosts. Our evaluation results indicate that a single Zeek instance can
manage more than 870 osquery hosts and can attribute more than 96% of TCP
connections to host-side applications and users in real-time.Comment: Accepted for publication at ICT Systems Security and Privacy
Protection (IFIP) SEC 202
Ataques Zero-day: Despliegue y evolución
In cybersecurity and computer science, the term “zero-day” is commonly related to troubles, threats, and hazards due to the lack of knowledge, experience, or misunderstanding. A zero-day attack is generally considered a new vulnerability with no defense; thus, the possible attack will have a highrisk probability, and a critical impact. Unfortunately, only a few surveys on the topic are available that would help understand these threats, which are not enough to construct new solutions to detect, prevent, and mitigate them. In this paper, it is conducted a review of the zero-day attack, how to understand its real impact, and a few different accessible solutions nowadays. This study introduces a useful reference that provides researchers with knowledge to understand the current problem concerning zero- days attacks; hence they could develop solutions for facing them.En la ciberseguridad y la informática, el término "Zero-day" se relaciona comúnmente con problemas, amenazas y peligros, esto debido a la falta de conocimiento, experiencia o malentendidos relacionados. Un ataque de Zero-day se considera generalmente una nueva vulnerabilidad sin defensa; por lo tanto, el ataque consecuente tendrá una alta probabilidad de riesgo, y un impacto crítico. Lamentablemente, sólo unos pocos estudios están disponibles para comprender estas amenazas, y no bastan para construir nuevas soluciones para detectar, prevenir y mitigar estas dificultades. En este artículo, se presenta una revisión del ataque Zero-day, enfocándose en comprender su impacto real y algunas soluciones accesibles hoy en día. Este estudio presenta una referencia útil que proporciona a los investigadores conocimientos para comprender el problema actual relacionado con los ataques Zero-day. Este puede ser un punto de partida para desarrollar soluciones para combatir este problema