National Repository of Grey Literature: 6 records found
Web application integrating artificial intelligence techniques into the correlation rule creation process
Šibor, Martin ; Caha, Tomáš (referee) ; Safonov, Yehor (advisor)
Currently, as digitalization becomes an integral part of all areas of our lives, the complexity and sophistication of cyber threats are constantly increasing. A key element in the fight against these cyber threats is security monitoring. Important tools for security monitoring are SIEM systems, which allow early detection of and response to potential attacks based on correlation rules. The main contribution of this work is the design and implementation of a web application that integrates artificial intelligence techniques into the process of creating and managing correlation rules for security monitoring systems, with the aim of streamlining the creation, modification, and understanding of correlation rules. The work first provides a theoretical introduction to the field of natural language processing and modern neural networks, particularly the transformer architecture, which is the basis of generative artificial intelligence models (e.g., ChatGPT, Gemini). It then introduces the principles of security monitoring, log management systems, the concept of correlation rule generalization, and, last but not least, the challenges associated with managing and maintaining correlation rules, which the integration of artificial intelligence into these processes significantly reduces. The practical part of the work describes the design and implementation of a web application that uses the gpt-4 and gpt-3.5-turbo models from OpenAI and the Gemini Ultra 1.0 model from Google for creating new correlation rules, modifying existing rules, and explaining and interpreting them for easier understanding and faster deployment. The application is designed with user-friendliness and efficiency in mind. The results of the work show that integrating artificial intelligence into the correlation rule creation process brings significant efficiency improvements. The web application allows users to easily create and modify correlation rules. It also helps users better understand correlation rules, enabling them to respond to potential threats more quickly.
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by framing the task as a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the work, one with records from Windows devices and the other containing records from a Fortigate firewall. Pre-trained models based on the BERT and XLNet architectures were fine-tuned to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of the generic Sigma notation was investigated. Six correlation rules were developed, successfully tested, and deployed into the author's own experimental environment in an Elastic Stack system. Each rule is also described by the tactics, techniques, and sub-techniques of the MITRE ATT&CK framework.
Six Sigma in manufacturing production
Jarolímek, Jiří ; Osička, Karel (referee) ; Píška, Miroslav (advisor)
The diploma thesis describes Six Sigma methods and defines their application in manufacturing production. The study also analyzes a specific issue in manufacturing production and provides solutions.
Web application for generalizing SIEM correlation rules
Matušicová, Viktória ; Mikulec, Marek (referee) ; Safonov, Yehor (advisor)
The risk of attacks on companies by organized crime increases as technology advances. Attacks that focus on modifying data or gaining access to a company's network are constantly being developed. The sophisticated nature of advanced threats distinguishes them from broad-based attacks that rely on automated scripts. However, organizations can mitigate this risk by using a combination of appropriate tools. These include network flow monitoring, probes for detecting and preventing attacks, and Security Information and Event Management (SIEM) tools for correlating incidents and events. By leveraging these tools, suspicious behavior in the network can be identified, and measures can be taken to prevent and mitigate the impact of cyber attacks. The main contribution of this thesis is the development of a web application that serves as a general tool for managing correlation rules across various SIEM solutions. Through this web application, publicly available Sigma rules can be managed and converted into target SIEM solutions. Users can save these rules to their personal user section, alongside SIEM conversions and visual representations of technique coverage based on categorization by MITRE ATT&CK and the LogSource of stored user rules. The theoretical part of the thesis comprises an analysis of security monitoring issues, an explanation of the benefits of the Sigma platform, and an analysis of the web application. A use case model is defined, and functional and non-functional requirements are specified to describe the resulting system. Additionally, an analysis of available tools for converting Sigma rules is performed. The practical portion of the thesis begins with the design of the web application, including the architecture of both the server-side and client-side components, as well as an explanation of the core functionalities. The resulting solution is then implemented, with detailed procedures for creating microservices, client-side development, and launching the web application. The final state of the project summarizes the result. The thesis concludes with a testing phase in which the client side of the web application is evaluated through functional user interface screenshots. The thesis also includes a demonstration of the process for testing Sigma rules, which involves converting the rules using the web application and subsequently carrying out functional verification using the RSA NetWitness SIEM test solution.