|
|
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by solving a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the task solution, one with records from Windows devices, and the other containing records from the Fortigate firewall. Pre-trained models based on the BERT and XLNet architecture were created and trained to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of a generic Sigma notation was investigated. It was developed, successfully tested and deployed six correlation rules into own experimental environment in Elastic Stack system. Each rule is also described by tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
|
|
| |
|
|
Web application for generalizing SIEM correlation rules
Matušicová, Viktória ; Mikulec, Marek (referee) ; Safonov, Yehor (advisor)
The risk of attacks on companies by organized crime increases as technology advances. Attacks that focus on modifying data or gaining access to a company's network are constantly developed. The sophisticated nature of advanced threats distinguishes them from broad-based attacks that rely on automated scripts. However, organizations can mitigate this risk by utilizing a combination of appropriate tools. These include network flow monitoring, probes for detecting and preventing attacks, and Security Information and Event Management (SIEM) tools for correlating incidents and events. By leveraging these tools, suspicious behavior in the network can be identified, and measures can be taken to prevent and mitigate the impact of cyber attacks. The main contribution of this thesis is the development of a web application that serves as a general tool for managing correlation rules across various SIEM solutions. Through the use of this web application, publicly available Sigma rules can be managed and converted into target SIEM solutions. Users are given the ability to save these rules to their personal user section, alongside SIEM conversions and visual representations of technique coverage based on categorization by MITRE ATT@CK and LogSource of stored user rules. The theoretical part of the thesis comprises an analysis of security monitoring issues, an explanation of the benefits of the Sigma platform and an analysis of the web application. A use case model is defined, functional and non-functional requirements are specified to describe the resulting system. Additionally, the analysis of available tools for converting Sigma rules is performed. The practical portion of the thesis begins with a focus on the design of the web application, including the architecture of both the server-side and client-side components, as well as an explanation of the core functionalities. The resulting solution is then implemented, with detailed procedures for creating microservices, client-side development, and launching the web application. The final state of the project summarizes the result. The thesis concludes with a testing phase, the client side of the web application is evaluated through functional user interface screenshots. The thesis also includes a demonstration of the process for testing Sigma rules, which involves converting the rules using the web application and subsequently carrying out functional verification using the RSA NetWitness SIEM test solution.
|
|
|
Development of correlation rules for detecting cyber attacks
Dzadíková, Slavomíra ; Safonov, Yehor (referee) ; Martinásek, Zdeněk (advisor)
The diploma thesis deals with the problem of efficient processing of log records and their subsequent analysis using correlation rules. The goal of the thesis was to implement log processing in a structured form, extract individual log fields using a natural language processing model by solving a question answering problem, and develop correlation rules for detecting malicious behavior. Two datasets were produced during the task solution, one with records from Windows devices, and the other containing records from the Fortigate firewall. Pre-trained models based on the BERT and XLNet architecture were created and trained to solve the log parsing problem using the produced datasets, and the results were analyzed and compared. The second part of the thesis was devoted to the development of correlation rules, where the concept of a generic Sigma notation was investigated. It was developed, successfully tested and deployed six correlation rules into own experimental environment in Elastic Stack system. Each rule is also described by tactics, techniques and sub-techniques of the MITRE ATT&CK framework.
|
|
| |
guest ::
