Smoke detector: Cross-product intrusion detection with weak indicators

Dell'Amico M.
2017-01-01

Abstract

The central task of a Security Incident and Event Manager (SIEM) or Managed Security Service Provider (MSSP) is to detect security incidents on the basis of tens of thousands of event types coming from many kinds of security products. We present Smoke Detector, which processes trillions of security events with the Random Walk with Restart (RWR) algorithm, inferring higher-order relationships between known security incidents and imperfect secondary security events (smoke) to find undiscovered security incidents (fire). By finding previously undetected incidents, Smoke Detector's RWR algorithm is able to increase the MSSP's critical incident count by 19% with a 1.3% FP rate. Perhaps equally importantly, our approach offers significant benefits beyond increased incident detection: (1) it provides a robust approach for leveraging Big Data sensor nets to increase the adversarial resistance of protected networks; (2) our event-scoring techniques enable efficient discovery of primary indicators of compromise; (3) our confidence scores provide intuition and tuning capabilities for Smoke Detector's discovered security incidents, aiding incident display and response.
Year: 2017
ISBN: 9781450353458
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11567/1070962
Citations
  • Scopus 6
  • ISI 5