Abstract
Managed Security Services (MSS) have become an essential asset for companies that need to protect their infrastructure from hacking attempts such as unauthorized behaviour, denial of service (DoS), malware propagation, and anomalies. The proliferation of attacks has created the need to install more network probes and collect more security-related events in order to ensure the best possible coverage, which is necessary for generating incident responses. The resulting increase in the volume of data to analyse has created a demand for tools that automatically correlate events and group them into pre-defined attack scenarios. Motivated by Above Security, a specialized company in the sector, and by the National Research Council Canada (NRC), we propose a new data mining system that employs text mining techniques to dynamically relate security-related events in order to reduce analysis time, increase the quality of the reports, and automatically build correlated scenarios.
Highlights
Security Operations Centers (SOC) represent a cornerstone of contemporary security services and are at the core of Managed Security Services (MSS)
The system considerably increases the number of correlated and analyzed events included in an attack report prepared by security analysts for the clients
The proposed methodology automatically maps security-related events to pre-defined attack patterns. Security analysts therefore gain a much better understanding of the events collected from a specific network, because each event is classified and a raw event can be related directly to a sequence of attack steps
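As an added illustration of the event-to-attack-step mapping described in the highlights above (example code written for this page, not the authors' system): raw sensor event messages are compared, with a bag-of-words TF-IDF cosine similarity, against the step descriptions of pre-defined attack scenarios, each event is attached to its best-matching step, and the assignments are regrouped into a per-scenario report. The scenarios, the event messages, the weighting scheme and the 0.2 similarity threshold are all constructed assumptions.

```python
"""Map raw security events to steps of pre-defined attack scenarios.

Illustrative example only (not the paper's system). Scenarios, events,
TF-IDF weighting and the similarity threshold are constructed here.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed, hypothetical scenarios: each is an ordered list of attack steps
# written as short natural-language descriptions (the "pre-defined patterns").
ATTACK_SCENARIOS = {
    "worm_propagation": [
        "port scan probing many hosts on the same tcp port",
        "exploit attempt buffer overflow against vulnerable service",
        "outbound connection from infected host to download malware payload",
    ],
    "brute_force_login": [
        "repeated failed login authentication attempts from single source",
        "successful login after many failures from same source",
    ],
}

# Constructed, hypothetical raw events as IDS / asset tools might emit them.
RAW_EVENTS = [
    {"id": 1, "msg": "ET SCAN Nmap TCP port scan probing multiple hosts"},
    {"id": 2, "msg": "SSH failed authentication login attempt from 10.0.0.5 repeated"},
    {"id": 3, "msg": "buffer overflow exploit attempt against SMB service"},
    {"id": 4, "msg": "outbound HTTP connection download executable payload malware"},
    {"id": 5, "msg": "SSH successful login from 10.0.0.5 after repeated failures"},
    {"id": 6, "msg": "asset discovery new host detected 192.168.1.20 vendor Dell"},
]

TOKEN_RE = re.compile(r"[a-z][a-z0-9]+")


def tokenize(text):
    """Lower-case alphanumeric tokens; pure numbers (IPs, ports) are dropped."""
    return TOKEN_RE.findall(text.lower())


def build_idf(step_texts):
    """Smoothed inverse document frequency computed over the step descriptions."""
    n = len(step_texts)
    df = Counter()
    for text in step_texts:
        df.update(set(tokenize(text)))
    unseen = math.log(1 + n) + 1  # weight for terms that occur in no step
    return defaultdict(lambda: unseen,
                       {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()})


def tfidf(text, idf):
    """Sparse TF-IDF vector: raw term count times the term's idf weight."""
    return {t: c * idf[t] for t, c in Counter(tokenize(text)).items()}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def index_scenarios(scenarios):
    """Vectorise every step once; returns (idf, [(scenario, step_idx, vector)])."""
    texts = [s for steps in scenarios.values() for s in steps]
    idf = build_idf(texts)
    index = [(name, i, tfidf(step, idf))
             for name, steps in scenarios.items() for i, step in enumerate(steps)]
    return idf, index


def rank_steps(msg, idf, index):
    """All (similarity, scenario, step_idx) triples for one event, best first."""
    v = tfidf(msg, idf)
    return sorted(((cosine(v, sv), name, i) for name, i, sv in index), reverse=True)


def map_events(events, scenarios, threshold=0.2):
    """Attach each event to its best step; events whose best similarity is below
    the threshold stay unassigned rather than being forced into a scenario."""
    idf, index = index_scenarios(scenarios)
    assigned, unassigned = {}, []
    for ev in events:
        sim, name, i = rank_steps(ev["msg"], idf, index)[0]
        if sim >= threshold:
            assigned[ev["id"]] = (name, i, round(sim, 3))
        else:
            unassigned.append(ev["id"])
    return assigned, unassigned


def build_report(assigned, scenarios):
    """Correlated view: scenario -> [(step_idx, step_text, [event ids])], in step order."""
    report = {}
    for name, steps in scenarios.items():
        rows = [(i, step, sorted(eid for eid, (n, j, _) in assigned.items()
                                 if n == name and j == i))
                for i, step in enumerate(steps)]
        if any(ids for _, _, ids in rows):
            report[name] = rows
    return report


if __name__ == "__main__":
    assigned, unassigned = map_events(RAW_EVENTS, ATTACK_SCENARIOS)
    for name, rows in build_report(assigned, ATTACK_SCENARIOS).items():
        print(name)
        for i, step, ids in rows:
            print(f"  step {i}: {step} <- events {ids}")
    print("unassigned (no scenario matched):", unassigned)
```

Two design points worth keeping in a real deployment: the threshold is what stops a benign asset-discovery event (event 6, which shares only the token "host" with one step) from being forced into a worm scenario, so it must be tuned against the analysts' own scenario library; and a plain bag-of-words representation does not see that "host" and "hosts" or "attempt" and "attempts" are the same concept, so stemming or a synonym list is the first improvement to make before trusting the mapping on production event vocabularies.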
Summary
Security Operations Centers (SOC) represent a cornerstone of contemporary security services and are at the core of Managed Security Services (MSS). Monitoring relies on sensors deployed in the monitored networks; each sensor contains various security tools such as Intrusion Detection Systems (IDS), asset detection tools, flow analysis tools, etc. These sensor tools analyze network traffic and send events to a central database (DB) repository for storage or further analysis. In order to improve overall attack coverage and satisfy the demand for more advanced service features, the volume of data collected by the sensors increases considerably, and it becomes difficult for security analysts to keep monitoring and analyzing ever larger quantities of data without incurring Service Level Agreement (SLA) violations. This section first introduces the monitoring analysis process executed in Security Operation Centers (SOCs). The process consists of four different phases, described as follows: