National Repository of Grey Literature: 27 records found
Web application for visualization and analysis of correlation rules deployed in cyberspace
Závišková, Hana ; Říha, Kamil (referee) ; Safonov, Yehor (advisor)
In a world of constantly evolving modern technologies, there is a growing need to develop cyber security strategies to protect digital infrastructures, as the number of cyber attacks is rapidly increasing. The main goal of the bachelor's thesis is to create a tool for visualizing correlation rules of SIEM systems. The tool is implemented as an extension to an existing web application and aims to allow a security expert or application user to explore user Sigma rules according to different criteria and from different views. From a theoretical point of view, the bachelor's thesis focuses on introducing the reader to the basics of cyber security in terms of the motivation for providing security, explaining the basic concepts necessary to understand the content of the thesis, and analyzing the perspectives from which cyber attacks can be viewed. It also contains a description of selected cyber attacks, chosen on the basis of statistics of cyber attacks on the Czech Republic for the first three quarters of 2023. This is followed by an explanation of the principles of detection and prevention of cyber incidents and of technologies for ensuring protection in cyberspace, including the issue of log sources, platforms for detecting information about threats, and the principles of cyber incident investigation. This is followed by an introduction to the legal regulation of cyber security, including a description of ENISA recommendations. The practical part of the bachelor's thesis is divided into four chapters. In the first part, an analysis of available web frameworks that can be used in application development and an analysis of the rule visualization methods used in two modern SIEM solutions were performed. The second phase focuses on the design of different views that can be used to provide a pleasant, intuitive and interactive environment for displaying user rules. The visualization designs include the components available in the D3.js library and working with the MITRE ATT&CK matrix. The second phase also includes the creation of a structure for the layout of the elements in the web application. The third phase is oriented towards the actual implementation of the appropriate views that result from the analysis performed in the second phase. It also includes a description of the experimental environment in which the application was developed and of how the data was obtained. The last phase focuses on testing the visual part of the application from the user's perspective. The thesis finishes with a conclusion, which summarizes the results that have been achieved and gives suggestions for improving the application in the future.
Tool for generalizing automated SOAR scenarios for cybersecurity knowledge sharing
Ištoňová, Miriam ; Dobiáš, Patrik (referee) ; Safonov, Yehor (advisor)
Today's era could be defined by quantity, speed and possibilities. Security monitoring centers have responded to the challenge of an unrelenting amount of information with monitoring and categorization tools such as SIEM. In the case of incidents themselves, however, speed and automation of response are offered by an advanced SOAR solution. Like any technology, the SOAR products offered by different companies also contribute to the variety of individual response scenario structures and formats, bringing the clear challenge of simplification, collaboration and generalization. Therefore, the bachelor's thesis focuses on the implementation of a conversion tool, with the goal of unifying and generalizing the format of automated SOAR scenarios using the evolving CACAO playbook standard. The main benefit of the tool is the ability to unify the use of SOAR scenarios, ensure successful conversion and thus facilitate knowledge sharing in the field of cybersecurity. The theoretical part of this thesis focuses on the current issue of security monitoring, explains the importance of automation within incident response and offers a detailed analysis and comparison of available technologies and formats of automated incident response playbooks. The practical part is closely related to, and depends on, the results of the analysis. It focuses on the selection and design of a suitable format for the description of the individual automatic response scenarios, as well as the subsequent final implementation of the conversion tool itself.
Scenario for the BUTCA training platform for SOC
Sadecká, Valentýna ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The thesis focuses on the issue of Security Operation Centers and the design of game scenarios for their teaching. It contains an analysis of the issue, their tools and common equipment. In the practical part, scenarios are proposed and implemented into the learning platform. In the end, the results from the testing of teaching scenarios are evaluated.
Automated network for deceiving attackers through illusory assets in cyberspace
Maťaš, Matúš ; Lieskovan, Tomáš (referee) ; Safonov, Yehor (advisor)
The bachelor's thesis deals with the design of a fake network to deceive attackers, using a SIEM to monitor network activity and a SOAR to create scenarios with automatic countermeasures. The theoretical part of the thesis describes the principles of attacker deception technologies, security monitoring and automated responses to security incidents. The practical part provides a detailed analysis of available tools for deceiving attackers. Subsequently, the design of a fake network is created with the use of virtual devices. The network incorporates a SIEM system for device monitoring and centralized log collection, and a SOAR system for creating scenarios with automatic countermeasures in the case of a security incident. The practical result of this work is the creation of a real network to deceive attackers with fake devices, combined with advanced SIEM and SOAR solutions. Several attacks have been designed and simulated within this constructed network, and automated countermeasures have subsequently been created to respond to them.
Web application integrating artificial intelligence techniques into the correlation rule creation process
Šibor, Martin ; Caha, Tomáš (referee) ; Safonov, Yehor (advisor)
Currently, as digitalization becomes an integral part of all areas of our lives, the complexity and sophistication of cyber threats are constantly increasing. A key element in the fight against these cyber threats is security monitoring. Important tools for security monitoring are SIEM systems, which allow for early detection of and response to potential attacks based on correlation rules. The main contribution of this work is the design and implementation of a web application that integrates artificial intelligence techniques into the process of creating and managing correlation rules for security monitoring systems, with the aim of streamlining the creation, modification and understanding of correlation rules. The work first provides a theoretical introduction to the field of natural language processing and modern neural networks, particularly the transformer architecture, which is the basis of generative artificial intelligence models (e.g., ChatGPT, Gemini). It then introduces the principles of security monitoring, log management systems, the concept of correlation rule generalization and, last but not least, the challenges associated with managing and maintaining correlation rules, which the integration of artificial intelligence into these processes significantly reduces. The practical part of the work describes the design and implementation of a web application that uses the gpt-4 and gpt-3.5-turbo models from OpenAI and the Gemini Ultra 1.0 model from Google for creating new correlation rules, modifying existing rules, and explaining and interpreting them for easier understanding and faster deployment. The application is designed with user-friendliness and efficiency in mind. The results of the work show that the integration of artificial intelligence into the correlation rule creation process brings significant efficiency improvements. The web application allows users to easily create and modify correlation rules. It also allows users to better understand correlation rules, enabling them to respond to potential threats more quickly.
Advanced Web-based Tool for Managing Security Correlation Rules and Cybersecurity Responses
Hemza, Martin ; Firc, Anton (referee) ; Malinka, Kamil (advisor)
The aim of this bachelor's thesis is to develop an advanced web-based tool for managing security correlation rules and cybersecurity responses, focusing on SIEM and SOAR technologies. The motivation for this work is the absence of a standardized format for the resources of these technologies. Within the thesis, such formats were identified and a web tool for managing and designing them was created. The interface for managing SOAR scenarios includes visualization in the form of a decision tree. The application uses a microservices architecture with integration of the Git version control system. As part of testing, an attack was described and the developed tool was used against it. The created tool allows security analysts to quickly design and manage resources for detecting and responding to security threats.
Application for collecting security event logs from computer infrastructure
Žernovič, Michal ; Dobiáš, Patrik (referee) ; Safonov, Yehor (advisor)
Computer infrastructure runs the world today, so it is necessary to ensure its security and to prevent or detect cyber attacks. One of the key security activities is the collection and analysis of logs generated across the network. The goal of this bachelor's thesis was to create an interface to which a neural network can be connected in order to apply deep learning techniques. Embedding artificial intelligence into the logging process brings many benefits, such as log correlation, anonymization of logs to protect sensitive data, or log filtering to optimize a SIEM solution licence. The main contribution is the creation of a platform that allows the neural network to enrich the logging process and thus increase the overall security of the network. The interface acts as an intermediary step that lets the neural network receive logs. In the theoretical part, the thesis describes log files, their most common formats, standards and protocols, and the processing of log files. It also focuses on the working principles of SIEM platforms and gives an overview of current solutions. It further describes neural networks, especially those designed for natural language processing. In the practical part, the thesis explores possible solution paths and describes their advantages and disadvantages. It also analyzes popular log collectors (Fluentd, Logstash, NXLog) from aspects such as system load, configuration method, supported operating systems and supported input log formats. Based on the analysis of the solutions and log collectors, an approach to application development was chosen. The interface was created as a REST API that works in multiple modes. After receiving records from the log collector, the application allows the records to be saved and sorted by origin, and offers the user the possibility to specify the number of records that will be saved to the file. The collected logs can be used to train the neural network. In another mode, the interface forwards the logs directly to the AI model. Ingestion and prediction by the neural network are done using threads. The interface has been connected to five sources in an experimental network.
The Design of the Maturity Model for Measuring Effectivity of the SIEM System in the Organisation
Kosková, Zdeňka ; Kubík, Lukáš (referee) ; Ondrák, Viktor (advisor)
The bachelor's thesis addresses the issue of evaluating the effectiveness of the SIEM system in an industrial environment. The goal was to propose a methodology that uses the MITRE ATT&CK matrix for ICS for the evaluation. The thesis first analyses existing solutions and their potential applications, followed by a description of monitoring evaluation in an energy company, which together with the matrix forms the basis of the proposed solution. The main output of the thesis is a proposal for quantitative evaluation of the individual techniques of the matrix, including a graphical interpretation and the possibility of sharing results securely with other CERT teams.
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by framing the task as a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the work, one with records from Windows devices and the other containing records from a Fortigate firewall. Pre-trained models based on the BERT and XLNet architectures were fine-tuned to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of the generic Sigma notation was investigated. Six correlation rules were developed, successfully tested and deployed into the author's own experimental environment in the Elastic Stack system. Each rule is also described by tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
Security Enhancement Deploying SIEM in a Small ISP Environment
Bělousov, Petr ; Hrnčíř, Jan (referee) ; Sedlák, Petr (advisor)
The master's thesis focuses on increasing security in the environment of a small internet service provider by deploying a SIEM system. Available systems are compared and evaluated against the requirements of the commissioning company. The SIEM deployment project is designed, implemented and evaluated with respect to the company's unique environment.