Publication

Enhancing SOC threat detection and classification with ML


Bibliographic details
Abstract: The rise of the internet has brought many positive aspects to our society. However, it has also created pathways for malicious actors to exploit organizations by damaging and stealing their assets. Consequently, organizations employ mechanisms that manage and boost their security; the popularity of Security Operation Centers (SOCs), in particular, has increased for this reason. One of the SOCs' priorities is to preemptively detect threats before they can damage the organization's assets. However, SOCs and their tools cannot keep up with these malicious actors' novel, complex, and stealthy strategies, primarily when relying on predefined rules with fixed thresholds applied to the vast amounts of data generated within their environments. Anomaly detection empowered by Machine Learning (ML) can complement SOCs and their tools in detecting these threats by discovering hidden patterns in that data. Although many works propose using ML to detect threats, several rely on curated datasets or specific attack types, so their performance will not necessarily correspond to the real world, where threats and the expected behaviors of users are diverse and ever-evolving. Moreover, establishing a ground truth in these scenarios is often impossible due to the nature of the anomalies and the vast amounts of data. Most are also not flexible enough to quickly adapt to the heterogeneity of the data available. Another aspect that should be addressed when applying ML methodologies to anomaly and threat detection is that security analysts must manually investigate the detection results. Benign activity might also be anomalous, and manual analysis of anomalies that turn out to be caused by benign activity burdens security analysts. This work proposes an improved ML-based architecture to aid SOCs in threat detection over vast amounts of data.
The architecture combines ML-based anomaly detection, which filters out unusual behaviors, with a second supervised ML layer that substitutes for the security analysts' classification of anomalies as benign or threatening. The solution was implemented and evaluated in a real-world SOC, where flow-level data was used to test the architecture. So far, it has been possible to identify numerous behaviors that do not comply with the organization's policies, such as the use of prohibited applications. Moreover, the system was tested against a set of attacks, including port scans, Denial of Service (DoS), and complex data exfiltration scenarios. The results of the tests demonstrate the system's capability to detect attacks that the organization's Security Information and Event Management (SIEM) system failed to detect.
Main authors: Pereira, Guilherme Amaral Ribeiro
Subjects: Security Operation Centers; Security information and event management; Intrusion detection systems; Machine learning; Threat detection; Anomaly detection; Cyber security
Year: 2023
Country: Portugal
Document type: master's dissertation
Access type: embargoed access
Associated institution: Universidade de Aveiro
Language: English
Source: RIA - Repositório Institucional da Universidade de Aveiro