
Dynamic security management driven by situations: An Exploratory analysis of logs for the identification of security situations

Abstract: Situation awareness consists of "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future". Being aware of the security situation is therefore mandatory to launch proper security reactions in response to cybersecurity attacks. Security Incident and Event Management solutions are deployed within Security Operation Centers. Some vendors propose machine learning based approaches to detect intrusions by analysing network behaviour. But cyberattacks like WannaCry and NotPetya, which shut down hundreds of thousands of computers, demonstrated that network monitoring and surveillance solutions remain insufficient. Detecting these complex attacks (a.k.a. Advanced Persistent Threats) requires security administrators to retain a large number of logs in case problems are detected and the investigation of past security events becomes necessary. This approach generates massive data that have to be analysed at the right time in order to detect any accidental or deliberate incident. At the same time, security administrators are not yet seasoned in such a task and lack the desired skills in data science. As a consequence, a large amount of data is available and still remains unexplored, which leaves a number of indicators of compromise under the radar. Building on the concept of situation awareness, we developed a situation-driven framework, called dynSMAUG, for dynamic security management. This approach simplifies the security management of dynamic systems and allows the specification of security policies at a high level of abstraction (close to security requirements). This invited paper aims at presenting the elicitation of real security situations, coming from network security experts, and at showing the results of exploratory analysis techniques using complex event processing to identify and extract security situations from a large volume of logs. The results contributed to the extension of the dynSMAUG solution.

https://hal.archives-ouvertes.fr/hal-02942298
Contributor: Open Archive Toulouse Archive Ouverte (oatao)
Submitted on: Thursday, September 17, 2020 - 4:56:37 PM
Last modification on: Wednesday, June 9, 2021 - 10:00:27 AM
Long-term archiving on: Thursday, December 3, 2020 - 10:22:20 AM

File: benzekri_26352_IEEE.pdf (produced by the author(s))

Citation

Abdelmalek Benzekri, Romain Laborde, Arnaud Oglaza, Darine Rammal, François Barrere. Dynamic security management driven by situations: An Exploratory analysis of logs for the identification of security situations. 3rd Cyber Security in Networking Conference (CSNet 2019), Oct 2019, Quito, Ecuador. pp.66, ⟨10.1109/CSNet47905.2019.9108976⟩. ⟨hal-02942298⟩
