|
| |
|
|
Enhancing Security Monitoring with AI-Enabled Log Collection and NLP Modules on a Unified Open Source Platform
Safonov, Yehor ; Zernovic, Michal
The number of computer attacks continues to increasedaily, posing significant challenges to modern securityadministrators to provide security in their organizations. Withthe rise of sophisticated cyber threats, it is becoming increasinglydifficult to detect and prevent attacks using traditional securitymeasures. As a result, security monitoring solutions such asSecurity Information and Event Management (SIEM) have becomea critical component of modern security infrastructures. However,these solutions still face limitations, and administrators areconstantly seeking ways to enhance their capabilities to effectivelyprotect their cyber units. This paper explores how advanced deeplearning techniques can help boost security monitoring capabilitiesby utilizing them throughout all stages of log processing. Thepresented platform has the potential to fundamentally transformand bring about a significant change in the field of securitymonitoring with advanced AI capabilities. The study includes adetailed comparison of modern log collection platforms, with thegoal of determining the most effective approach. The key benefitsof the proposed solution are its scalability and multipurposenature. The platform integrates an open source solution andallows the organization to connect any event log sources or theentire SIEM solution, normalize and filter data, and use thisdata to train and deploy different AI models to perform differentsecurity monitoring tasks more efficiently.
|
|
|
Application for collecting security event logs from computer infrastructure
Žernovič, Michal ; Dobiáš, Patrik (oponent) ; Safonov, Yehor (vedoucí práce)
Computer infrastructure runs the world today, so it is necessary to ensure its security, and to prevent or detect cyber attacks. One of the key security activities is the collection and analysis of logs generated across the network. The goal of this bachelor thesis was to create an interface that can connect a neural network to itself to apply deep learning techniques. Embedding artificial intelligence into the logging process brings many benefits, such as log correlation, anonymization of logs to protect sensitive data, or log filtering for optimization a SIEM solution license. The main contribution is the creation of a platform that allows the neural network to enrich the logging process and thus increase the overall security of the network. The interface acts as an intermediary step to allow the neural network to receive logs. In the theoretical part, the thesis describes log files, their most common formats, standards and protocols, and the processing of log files. It also focuses on the working principles of SIEM platforms and an overview of current solutions. It further describes neural networks, especially those designed for natural language processing. In the practical part, the thesis explores possible solution paths and describes their advantages and disadvantages. It also analyzes popular log collectors (Fluentd, Logstash, NXLog) from aspects such as system load, configuration method, supported operating systems, or supported input log formats. Based on the analysis of the solutions and log collectors, an approach to application development was chosen. The interface was created based on the concept of a REST API that works in multiple modes. After receiving the records from the log collector, the application allows saving and sorting the records by origin and offers the user the possibility to specify the number of records that will be saved to the file. The collected logs can be used to train the neural network. In another mode, the interface forwards the logs directly to the AI model. The ingestion and prediction of the neural network are done using threads. The interface has been connected to five sources in an experimental network.
|
|
|
Modul na zpracování zpráv ze systému Mikrotik RouterOS pro IBM QRadar
Sysel, Václav ; Polčák, Libor (oponent) ; Hranický, Radek (vedoucí práce)
Cílem této práce je návrh a implementace rozšíření pro systém IBM QRadar. Jedná se o bezpečnostní systém, který za pomoci sběru informací z počítačové sítě detekuje kybernetické útoky. Smyslem rozšíření je umožnit sběr, zpracování a vizualizaci informací z operačního systému MikroTik RouterOS. Navržený software tak poskytuje administrátorům sítí s prvky MikroTik lepší povědomí o dění v chráněné síti a ucelený přehled o bezpečnostní situaci.
|
|
|
Suricata Module for IBM QRadar
Kozák, Martin ; Žádník, Martin (oponent) ; Hranický, Radek (vedoucí práce)
This work integrates the Suricata program into the QRadar system. The main objective of this work is to design and implement a DSM module in QRadar system that can analyze the records from Suricata. The events can then be investigated in the QRadar system environment. Another objective is to design an application that displays the data detected by the Suricata program. The application can be installed in the QRadar environment and used with other built-in components. The application is programmed in the Flask library using Jinja2 templates. The application includes two tabs that display events in different graphs and table.
|
|
|
Nástroj pro mapování aktiv počítačové infrastruktury a návrhu korelačních pravidel při realizaci bezpečnostního monitoringu
Hrabálek, Matěj ; Caha, Tomáš (oponent) ; Safonov, Yehor (vedoucí práce)
S rostoucí popularitou služby SOC, která často používá nástroje SIEM, vznikají i nové problémy týkající se implementace těchto nástrojů do jednotlivých infrastruktur, které mohou čelit kybernetickým útokům. Nástroje SIEM totiž dokáží detekovat kybernetické útoky pouze za předpokladu, že jsou správně nakonfigurované, tj. že sbírají správné logy. Tato bakalářská práce slouží k usnadnění procesu implementace SIEM do interní infrastruktury. Je v nich pojednáno o vhodné kategorizaci zdrojů logů a korelačních pravidel, pojmenování korelačních pravidel a je navržen systém mapování zdrojů logů na příslušná korelační pravidla, což usnadňuje implementaci SIEM do infrastruktury. Veškeré poznatky jsou poté implementovány do webové aplikace, která je praktickým výstupem této bakalářské práce. Webová aplikace umožňuje uživateli, který se chystá implementovat službu SIEM do vlastní infrastruktury, zadat údaje o dané infrastruktuře, tj. zejména zdroje logů, které mohou být v infrastruktuře generovány, a nabídne mu k příslušným zdrojům logů vhodná korelační pravidla včetně jejich pojmenování. V teoretické části je tak kromě logů, technologie SIEM a korelačních pravidel, pojednáno také o obecných poznatcích z kybernetické bezpečnosti nebo službě Security Operations Center.
|
|
|
Web application for development and maintenance of SIEM system correlation rules
Bielik, Oliver ; Mikulec, Marek (oponent) ; Safonov, Yehor (vedoucí práce)
Today’s world of technology is developing rapidly and constantly. Just as quickly, new risks are forming that threaten this sphere. For this reason, technologies need to be monitored and hazards prevented from entering systems. One of the technologies that helps this protection is a system called SIEM. This system serves as an investigative tool that allows security monitoring and investigations to be carried out. Security monitoring is carried out based on the correlation rules that are developed in security operations centers (SOC). Their task is to look for the potential dangers and report them. The main goal of the presented bachelor thesis is to create a tool that allows developers in SOC to easily develop correlation rules. The aim of the application is to simplify development and ensure a better overview of individual correlation rules. The theoretical part of the bachelor thesis focuses on the issue of security monitoring and explains it to the reader. It describes in more detail the functioning of the system and the work of SOC operators, whose job is the development of correlation rules as well. The practical part of the bachelor thesis is aimed at facilitating the development of these rules. The last part of the bachelor thesis is a conclusion, it briefly describes to the reader the observed facts and processing of the requirements for the bachelor thesis.
|
|
|
Návrh dílčí části systému pro monitoring bezpečnostních incidentů
Koch, Michael ; Neuwirth, Bernard (oponent) ; Novák, Lukáš (vedoucí práce)
Diplomová práce se zabývá implementací dílčí části informačního systému pro analýzu bezpečnostních incidentů v rámci firmy PwC. Systém slouží pro doplnění současného řešení, které zaostává vůči budoucím a stávajícím požadavkům. V první části jsou popsána teoretická východiska k pochopení konceptu práce a použité technologie, které byly použity v rámci implementace systému. Navazující kapitola obsahuje analýzu současného stavu existujícího systému. Na jakém principu pracuje a nedostatky, jež zapříčinily nutnost implementace nového řešení. Třetí kapitola se věnuje samotnému návrhu a realizaci nového řešení. V poslední části práce je provedeno ekonomické zhodnocení nákladů a přínosů řešení.
|
|
|
Security log anonymization tool focusing on artificial intelligence techniques
Šťastná, Ariela ; Jurek, Michael (oponent) ; Safonov, Yehor (vedoucí práce)
SIEM systems play a fundamental role in security monitoring. They aggregate, normalise, and filter the collected event records, which presents core tasks for applying data mining techniques. In this way, SIEMs present a great source of large amounts of normalised data. These data carry potential for achieving progress in security research, data mining, and artificial intelligence, where they could improve existing methods of investigation, make the scanning of network traffic more clear, and detect more sophisticated vectors of attack. However, one of the main problems for the use of these data is the fact that the data contained in log files are in many cases sensitive and could pose a risk to security. Due to this, the processing, as well as sharing of the data, is restricted by legislation. Considering everything that has been mentioned above, a tool for anonymization of sensitive data in log files, which works along with persisting the correlations among data was developed. The main aim of the bachelor thesis is to focus on the technical and legal level of log processing and anonymization for AI. Within the research, the analysis of the most frequently occurring data in the log files and their risk assessment was performed, resulting in the creation of categories of data, based on their sensitivity. In the work, an analysis of the present SIEM systems along with the meta keys they use is performed.
|
|
|
Web application for generalizing SIEM correlation rules
Matušicová, Viktória ; Mikulec, Marek (oponent) ; Safonov, Yehor (vedoucí práce)
The risk of attacks on companies by organized crime increases as technology advances. Attacks that focus on modifying data or gaining access to a company's network are constantly developed. The sophisticated nature of advanced threats distinguishes them from broad-based attacks that rely on automated scripts. However, organizations can mitigate this risk by utilizing a combination of appropriate tools. These include network flow monitoring, probes for detecting and preventing attacks, and Security Information and Event Management (SIEM) tools for correlating incidents and events. By leveraging these tools, suspicious behavior in the network can be identified, and measures can be taken to prevent and mitigate the impact of cyber attacks. The main contribution of this thesis is the development of a web application that serves as a general tool for managing correlation rules across various SIEM solutions. Through the use of this web application, publicly available Sigma rules can be managed and converted into target SIEM solutions. Users are given the ability to save these rules to their personal user section, alongside SIEM conversions and visual representations of technique coverage based on categorization by MITRE ATT@CK and LogSource of stored user rules. The theoretical part of the thesis comprises an analysis of security monitoring issues, an explanation of the benefits of the Sigma platform and an analysis of the web application. A use case model is defined, functional and non-functional requirements are specified to describe the resulting system. Additionally, the analysis of available tools for converting Sigma rules is performed. The practical portion of the thesis begins with a focus on the design of the web application, including the architecture of both the server-side and client-side components, as well as an explanation of the core functionalities. The resulting solution is then implemented, with detailed procedures for creating microservices, client-side development, and launching the web application. The final state of the project summarizes the result. The thesis concludes with a testing phase, the client side of the web application is evaluated through functional user interface screenshots. The thesis also includes a demonstration of the process for testing Sigma rules, which involves converting the rules using the web application and subsequently carrying out functional verification using the RSA NetWitness SIEM test solution.
|
host ::
RSS.