Abstract

This research proposes Aker, an open-source security platform that integrates IDS and SIEM functions while supporting the automated investigation of threats hidden in encrypted traffic. Aker is built on open-source technologies and aims to simplify and integrate network monitoring and security alert management through coherent, interconnected dashboards. Aker enables the detection of malware concealed in encrypted traffic and uses a heuristic-based decision-tree model to classify these threats into different severity levels, based on seven specific criteria and indicators originating mainly from unencrypted TLS handshake metadata and from HTTP/DNS contextual flows linked to the encrypted traffic. Our approach requires neither deep packet inspection nor intensive traffic analysis; instead it relies on the analysis of a reduced set of network telemetry indicators and session descriptors. Aker automates data collection and investigation while providing user-friendly dedicated dashboards that give SOC analysts and threat intelligence experts valuable decision support tools. We present the design and implementation aspects of the proposed platform along with some validation results.
