We build up a user centric ML system for the cyber security operation center in endeavor environment. We examine the regular data sources in SOC, their work process, and how to leverage and procedure these data sets to construct an effective ML system. The work is besieged towards two groups of readers. The primary group is data scientists or ML researchers who do not have cyber security domain awareness but want to build ML systems for safety operations center. The second group of people is those cyber security practitioners who have deep information and expertise in cyber security, but do not have ML knowledge and wish to construct one by them. All through the work, we use the system we built in the Symantec SOC construction setting as an example to display the full steps from data collection, label creation, feature engineering, ML algorithm selection, and model show evaluations, to risk score making

MADHURI, R. SATYA

RAMANA, K V V

English

International Journal of Innovative Technology and Research (IJITR)

R Satya Madhuri* et al.  (IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCH Volume No.9, Issue No.5, August – September 2021, 9980 - 9982.  2320 –5547 @ 2013-2021 http://www.ijitr.com All rights Reserved. Page | 9980 A Novel Data Engineering Process Which Integrates Alert Information, Security Logs, And SOC Analysts R. SATYA MADHURI Dept. of CSE, PYDAH College of Engineering, Patavala, Kakinada, E.G, AP, India K V V RAMANA Dept. of CSE, PYDAH College of Engineering, Patavala, Kakinada, E.G, AP, India Abstract: We build up a user centric ML system for the cyber security operation center in endeavor environment. We examine the regular data sources in SOC, their work process, and how to leverage and procedure these data sets to construct an effective ML system. The work is besieged towards two groups of readers. The primary group is data scientists or ML researchers who do not have cyber security domain awareness but want to build ML systems for safety operations center. The second group of people is those cyber security practitioners who have deep information and expertise in cyber security, but do not have ML knowledge and wish to construct one by them. All through the work, we use the system we built in the Symantec SOC construction setting as an example to display the full steps from data collection, label creation, feature engineering, ML algorithm selection, and model show evaluations, to risk score making. Keywords: Security Operation Center (SOC); DNS (Domain Name System); IDS/IPS (Intrusion Detection/Prevention System); Machine Learning (ML); DLP (Data Loss Protection); DHCP (Dynamic Host Configuration Protocol); Data Mining (DM); Deep Neural Network (DNN); 1] INTRODUCTION: Cyber protection incidents will cause huge monetary and notoriety impacts on big business. To identify malignant exercises, the SIEM (Security Information and Event Management) framework is inherent organizations or government. The framework relates occasion logs from endpoint, firewalls, IDS/IPS, DLP, DNS, DHCP, Windows/Unix security occasions, VPN logs and so on The security occasions can be gathered into various classes [1]. The logs have terabytes of information every day.  From the security occasion logs, SOC (Security Operation Center) group grows supposed use cases with not really settled seriousness dependent on the analysts¶ encounters. They are regularly rule based relating at least one pointers from various logs. These standards can be network/have based or time/recurrence based.  In the event that any pre-characterized use case is set off, SIEM framework will produce an alarm progressively. SOC examiners will then, at that point explore the alarms to choose whether the client identified with the alarm is unsafe (a genuine positive) or not (bogus positive).  In the event that they observe the alarms to be dubious from the investigation, SOC experts will make OTRS (Open Source Ticket Request System) tickets. After introductory examination, certain OTRS tickets will be raised to level 2 examination framework (e.g., Co3 System) as serious security occurrences for additional examination and remediation by Incident Response Team. 2] LITERATURE SURVEY: 2.1] A. L. Buczak and E. Guven et al This overview paper portrays an engaged writing study of (ML) and (DM) techniques for digital investigation on the side of interruption recognition. Short instructional exercise portrayals of every ML/DM strategy are given. In light of the quantity of references or the significance of an arising strategy, papers addressing every technique were distinguished, perused, and summed up. Since information are so significant in ML/DM draws near, some notable digital informational indexes utilized in ML/DM are depicted. The intricacy of ML/DM calculations is tended to, conversation of difficulties for utilizing ML/DM for network protection is introduced, and a few suggestions on when to utilize a given technique are given. 2.2] M. J. Kang and J. W. Kang et al We propose a intrusion detection identification strategy utilizing a (DNN). In the proposed procedure, in-vehicle network packets traded between electronic control units (ECU) are prepared to remove low-dimensional provisions and utilized for segregating typical and hacking bundles. The components act in high effective and low intricacy since they are produced straightforwardly from a bitstream over the organization. The proposed strategy screens a trading packet in the vehicular organization while the element is prepared disconnected, and gives a constant reaction to the assault with an altogether high identification proportion in our tests. R Satya Madhuri* et al.  (IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCH Volume No.9, Issue No.5, August – September 2021, 9980 - 9982.  2320 –5547 @ 2013-2021 http://www.ijitr.com All rights Reserved. Page | 9981 3] PROBLEM DEFINTION: Most ways to deal with security in the undertaking have zeroed in on ensuring the organization framework with no or little consideration regarding end clients. Therefore, customary security works and related gadgets, like firewalls and interruption recognition and counteraction gadgets, manage network level insurance. Albeit still piece of the general security story, such a methodology has constraints considering the new security challenges depicted in the past segment.  Data Analysis for Network Cyber-Security centers around checking and breaking down network traffic information, determined to forestall, or rapidly distinguishing, malicious action. Risk esteems were presented in an (ISMS) and quantitative assessment was directed for itemized risk evaluation. 4] PROPOSED APPROACH: A high level user-centric ML framework is proposed and assessed by genuine industry information to assess client chances. The framework can adequately decrease the assets to examine cautions physically while simultaneously improve enterprise security.  An original information designing cycle is offered which coordinates ready data, security logs, and SOC examiners examination notes to create includes and spread labels for ML models.  5] SYSTEM ARCHITECTURE:  6] PROPOSED METHODOLOGY:  CYBER ANALYSIS Cyber threat investigation is a cycle where the information on inside and outer data weaknesses appropriate to a specific association is coordinated against genuine world cyber-attacks. Concerning network safety, this danger situated way to deal with battling digital assaults addresses a smooth progress from a condition of responsive security to a condition of proactive one. In addition, the ideal aftereffect of a danger evaluation is to give best practices on the best way to expand the defensive instruments as for accessibility, classification and honesty, without turning around to convenience and usefulness conditions. CYPER ANALYSIS.A danger could be anything that prompts interference, intruding or annihilation of any significant help or thing existing in the association's collection. Regardless of whether of "human" or "nonhuman" beginning, the examination should investigate every component that might achieve possible security risk. DATASET MODIFICATION On the off chance that a dataset in your dashboard contains numerous dataset objects, you can shroud explicit dataset objects from show in the Datasets board. For instance, on the off chance that you choose to import a lot of information from a record, however don't eliminate each undesirable information segment prior to bringing the information into Web, you can conceal the undesirable ascribes and measurements, To stow away dataset objects in the Datasets board, To show stowed away items in the Datasets board, To rename a dataset object, To make a measurement dependent on a property, To make a characteristic dependent on a measurement, To characterize the geo job for a quality, To make a trait with extra time data, To supplant a dataset object in the dashboard DATA REDUCTION  Further develop storage proficiency through information decrease strategies and limit streamlining utilizing information reduplication, pressure, depictions and slender provisioning. Information decrease by means of basically erasing undesirable or superfluous information is the best method to reduce a storing’s data RISKY USER DETECTION False alert immunity to forestall client humiliation, High identification rate to shield a wide range of products from burglary, Wide-leave inclusion offers more prominent adaptability for entrance/leave formats, Wide scope of alluring plans supplement any store style, Sophisticated computerized regulator innovation for ideal framework execution 7] ALGORITHM: SUPPORT VECTOR MACHINE (SVM): SVM is a regulated AI calculation which can be utilized for both characterization and relapse difficulties. In any case, it is generally utilized in order issues.   R Satya Madhuri* et al.  (IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCH Volume No.9, Issue No.5, August – September 2021, 9980 - 9982.  2320 –5547 @ 2013-2021 http://www.ijitr.com All rights Reserved. Page | 9982 8] RESULTS:  Time on task is the time span spent effectively engaged with an undertaking. Examination in this space is centered around factors engaged with keeping individuals "on task" in different settings and investigating factors that occupy individuals from focusing on the task.  Some pernicious programming goes about as an assistance, sitting tight for associations from a distant assailant to give them data or power over the machine. It is generally expected security practice to close unused ports in PCs, in order to hinder community to any administrations which may be running on the PC without the client's information, regardless of whether because of authentic administrations being misconfigured, or the presence of pernicious programming. 9] CONCLUSION: We present a user-centric ML framework which use large information of different security logs, ready data, and expert experiences to the ID of unsafe client. This framework gives a total structure and answer for unsafe client recognition for big business security operation center. 10] REFERENCES: 1. "The 6 Categories of Critical Log Information", SANS Technology Institute, 2013. 2. X. Li and B. Liu, "Learning to classify text using positive and unlabeled data", Proceedings of the 18th international joint conference on Artificial intelligence, 2003. 3. A. L. Buczak and E. Guven, "A survey of data mining and machine learning methods for cyber security intrusion detection", IEEE Communications Surveys & Tutorials, vol. 18.2, pp. 1153-1176, 2015. 4. S. Choudhury and A. Bhowal, "Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection", Smart Technologies and Management for Computing Communication Controls Energy and Materials (ICSTM), 2015. 5. N. Chand et al., "A comparative analysis of SVM and its stacking with other classification algorithm for intrusion detection", Advances in Computing Communication & Automation (ICACCA), 2016. 6. K. Goeschel, "Reducing false positives in intrusion detection systems using data-mining techniques utilizing support vector machines decision trees and naive Bayes for off-line analysis", SoutheastCon, 2016. 7. M. J. Kang and J. W. Kang, "A novel intrusion detection method using deep neural network for in-vehicle network security", VehicularTechnology Conference, 2016.  AUTHOR’s PROFILE Ms. 𝗥. SATYA MADHURI is a student of PYDAH College of Engineering, Patavala, Kakinada, E.G,A.P. Presently she is pursuing her M.Tech[Computer Science and Engineering] from this college and she received her B.Tech from VSM College of Engineering, Ramachandrapuram, affiliated to JNT University, Kakinada in the year 2019.   Mr. K V V Ramana is a excellent teacher Received M.Tech(Computer Science and Engineering)from Aditya College of Engineering, Surampalem, affiliated to JNT University, Kakinada. He is working as Associate Professor in PYDAH College of Engineering. He has 7years of teaching experience in engineering colleges. His area of Interest includes Data Warehouse and Data Mining, information Security and other advances in Computer Applications.   

A Novel Data Engineering Process Which Integrates Alert Information, Security Logs, And SOC Analysts

https://www.ijitr.com/index.php/ojs/article/download/2722/pdf

A Novel Data Engineering Process Which Integrates Alert Information, Security Logs, And SOC Analysts

Abstract

Similar works

Full text

Available Versions

International Journal of Innovative Technology and Research (IJITR)