Abstract: As the CNPC (China National Petroleum Corporation) group places ever more emphasis on intelligent drilling and expands its deployment, drilling enterprises generate large volumes of data every day. This data not only contains rich drilling-related knowledge but also includes many strategic or commercial secrets that bear on national and corporate interests. In the new era of data explosion and widespread artificial intelligence, the requirements for network and data security are therefore rising. Drilling enterprises are by nature geographically dispersed across wide regions, so building a security perimeter is harder for them than for other enterprises and calls for more security measures. This paper proposes an implementation scheme for a Security Information and Event Management (SIEM) system. Built on top of the existing network security measures, the system uses data fusion and machine learning algorithms to extend them into a new system that can significantly raise the efficiency of network administrators, detect and handle potential threats more promptly and accurately, and effectively strengthen the enterprise's existing security barrier.
Abstract: This paper describes the process of implementing SIEM (security information and event management) systems in an IT environment and the impact of human factors on that process. The introductory part lists the security systems most often used in corporate environments, the key functionalities of SIEM systems, and their importance for the overall security of the IT environment. Recommendations are then given for the successful implementation of SIEM systems, whose goal is a higher level of security for the corporate network environment, followed by ways to optimize the implementation of SIEM systems through all of its stages. Finally, the influence of the human factor on the implementation of these systems is described, together with the impact of human perception on the detection of attacks.
Abstract: The need for SIEM (Security Information and Event Management) systems has increased in recent years. Many companies seek to reinforce their security capabilities to better safeguard against cybersecurity threats, so they adopt multi-layered security strategies that include a SIEM solution. However, implementing a SIEM solution is not just an installation phase that fits any scenario in any organization; the best SIEM system for one organization may be entirely unsuitable for another. An organization should consider other factors alongside the technical side when evaluating a SIEM solution. This paper proposes an approach to aid enterprises in selecting an applicable SIEM. It starts by deriving, in a systematic way, the requirements a SIEM should address, and then proposes a methodology for evaluating SIEM solutions that measures the compliance and applicability of any SIEM solution. The approach aims to support companies seeking to adopt SIEM systems in their environments by suggesting suitable answers to the preferred requirements, which are believed to be valuable prerequisites a SIEM system should have, and by suggesting criteria for judging SIEM systems through an evaluation process composed of quantitative and qualitative methods. Unlike other approaches, this one is customer driven: customer needs are taken into account throughout, specifically when defining the requirements and then evaluating the suppliers' solutions.
Abstract: Advanced persistent threat (APT) attacks are characterized by long incubation periods, high stealth, strong targeting, and long duration. To address them, an APT attack detection framework based on a security information and event management (SIEM) system is proposed. The framework consists of two modules: network-perimeter log analysis and internal network traffic analysis. The perimeter log analysis module uses big-data analytics to integrate and correlate, in real time, the massive heterogeneous security logs and traffic produced by the various protective devices, and uses signature-based detection to build the first layer of malicious-code detection, forming the first line of defense against APT attacks at the network or host boundary. The internal traffic analysis module uses big-data analytics to filter internal network traffic, works in concert with the perimeter log analysis module, and adds static homology classification based on graph edit distance to build the second layer of malicious-code detection, focusing on encrypted C&C channels, 0-day vulnerabilities, and polymorphic trojans. Through network forensic analysis, full-traffic retrospection is used to discover anomalies, Bloom filters to filter intrusion behaviour, and virtual-execution (sandbox) analysis to reconstruct APT attack events, thereby forming the internal-network line of defense against APT attacks.
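The abstract names a Bloom filter as the mechanism for filtering intrusion behaviour before the heavier analysis stages. The following is an added example, not the paper's code, of how that pre-filter is typically used: a Bloom filter holding known indicators of compromise (IoCs) gives a cheap "definitely not" / "maybe" answer for each token pulled from a log record, and only the "maybe" records go on to the expensive second stage. The indicators, log lines, and sizing parameters are constructed for illustration. The caveat a practitioner needs is built in: a Bloom filter never misses an inserted item but can say "maybe" for items it never saw, so a "maybe" is confirmed against the exact indicator set before it counts as a hit.

```python
"""Bloom-filter pre-filter for known intrusion indicators (added example, not the paper's code)."""
import hashlib
import math
import re
from typing import Iterable, List, Set, Tuple


class BloomFilter:
    """Bit-array Bloom filter; the k probe positions come from double hashing of one SHA-256 digest."""

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        # Optimal bit count m and hash count k for n items at target false-positive rate p.
        n, p = expected_items, false_positive_rate
        self.m = max(8, math.ceil(-n * math.log(p) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> Iterable[int]:
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # non-zero step so the k probes differ
        return ((h1 + i * h2) % self.m for i in range(self.k))

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item: str) -> bool:
        # True means "possibly inserted"; False is definitive.
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Tokens worth checking against an indicator list: IPv4 addresses and host names.
IOC_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)


def build_filter(iocs: Set[str], fp_rate: float = 0.001) -> BloomFilter:
    """Size the filter for a realistic indicator list, then load the indicators we have."""
    bf = BloomFilter(expected_items=max(10_000, len(iocs)), false_positive_rate=fp_rate)
    for ioc in iocs:
        bf.add(ioc)
    return bf


def prefilter(lines: Iterable[str], bf: BloomFilter, exact_iocs: Set[str]) -> List[Tuple[str, List[str]]]:
    """Stage 1: keep a line if the Bloom filter says 'maybe' for any token.
    Stage 2: confirm those tokens with an exact lookup; an empty hit list marks a Bloom false positive."""
    kept = []
    for line in lines:
        tokens = set(IOC_TOKEN.findall(line))
        if any(bf.might_contain(t) for t in tokens):
            confirmed = sorted(t for t in tokens if t in exact_iocs)
            kept.append((line, confirmed))
    return kept


# Constructed indicators and log lines (documentation address ranges, made-up host name).
IOCS = {"198.51.100.23", "203.0.113.9", "evil-update.example"}
LOG_LINES = [
    "2024-05-01T10:00:01Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-05-01T10:00:02Z dns query host=10.0.0.7 qname=intranet.example",
    "2024-05-01T10:00:03Z dns query host=10.0.0.9 qname=evil-update.example",
    "2024-05-01T10:00:04Z fw allow src=10.0.0.5 dst=192.0.2.44 dport=80",
]

if __name__ == "__main__":
    bf = build_filter(IOCS)
    for line, hits in prefilter(LOG_LINES, bf, IOCS):
        print("HIT" if hits else "FP ", hits, line)
```

The filter above uses about 18 KB for 10,000 indicators at a 0.1% false-positive rate, which is why it can sit in front of a full-traffic retrospection store: the bulk of records are rejected without touching the indicator database, and the exact lookup runs only for the few that pass.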
Abstract: Security Information and Event Management (SIEM) platforms are critical for organizations to monitor and manage their security operations centers. However, organizations using SIEM platforms face several challenges, such as inefficient alert management and poor integration with real-time communication tools. These challenges cause delays and cost penalties in resolving alerts and potential security breaches. This paper introduces a cybersecurity Alert Distribution and Response Network (Adrian) system. Adrian enhances SIEM platforms by integrating SIEM functionality with real-time collaboration platforms. It leverages the ubiquity of the collaboration platforms' mobile applications to deliver real-time alerts, enabling a two-way communication channel that facilitates immediate response to security incidents and efficient SIEM platform management. To demonstrate Adrian's capabilities, we present a case study that integrates Wazuh, a SIEM platform, with Slack, a collaboration platform. The case study exercises all of Adrian's functionalities, including real-time alert distribution, alert customization, alert categorization, and the enablement of management activities, thereby increasing responsiveness and efficiency. The study concludes with a discussion of potential extensions of Adrian's capabilities, including the incorporation of artificial intelligence (AI) for enhanced alert prioritization and response automation.
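The alert-distribution and categorization half of a Wazuh-to-Slack integration can be shown in a few dozen lines. The following is an added example, not the Adrian project's code, written as a Wazuh custom integration script. It assumes Wazuh's custom-integration contract of invoking the script as `custom-slack <alert_file> <api_key> <hook_url>` with one JSON alert in the file (treat that calling convention as an assumption to check against the Wazuh version in use); the severity cut-offs, the minimum forwarded level and the sample alert are this example's own choices. The alert JSON fields used (`rule.level`, `rule.id`, `rule.description`, `rule.groups`, `agent.name`, `agent.id`, `timestamp`, `data.srcip`, `full_log`) follow the shape of Wazuh's alerts.json.

```python
"""Wazuh -> Slack alert forwarder (added example; not the Adrian project's code).

Assumed invocation by Wazuh integratord: custom-slack <alert_file> <api_key> <hook_url>
"""
from __future__ import annotations

import json
import sys
import urllib.request

# Severity buckets by Wazuh rule level (0-15). Cut-offs are this example's choice.
SEVERITY = [(12, "critical", "#b00020"), (7, "high", "#ff8c00"), (4, "medium", "#f2c744"), (0, "low", "#2eb886")]
MIN_LEVEL = 7         # do not page the channel for routine events; the SIEM keeps them anyway
MAX_LOG_CHARS = 400   # Slack is a notification channel, not the log store


def categorize(level: int) -> tuple[str, str]:
    """Map a rule level to (severity label, Slack attachment colour)."""
    for threshold, label, colour in SEVERITY:
        if level >= threshold:
            return label, colour
    return SEVERITY[-1][1], SEVERITY[-1][2]


def build_slack_message(alert: dict) -> dict | None:
    """Turn one parsed Wazuh alert into a Slack incoming-webhook payload; None if below MIN_LEVEL."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    if level < MIN_LEVEL:
        return None
    severity, colour = categorize(level)
    agent = alert.get("agent", {})
    fields = [
        {"title": "Severity", "value": f"{severity} (level {level})", "short": True},
        {"title": "Rule", "value": f"{rule.get('id', '?')}: {rule.get('description', '')}", "short": True},
        {"title": "Agent", "value": f"{agent.get('name', '?')} ({agent.get('id', '?')})", "short": True},
        {"title": "Time", "value": alert.get("timestamp", "?"), "short": True},
    ]
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        fields.append({"title": "Source IP", "value": srcip, "short": True})
    return {
        "text": f":rotating_light: Wazuh {severity.upper()} alert: {rule.get('description', '')}",
        "attachments": [{
            "color": colour,
            "fields": fields,
            "text": alert.get("full_log", "")[:MAX_LOG_CHARS],
            "footer": "wazuh | groups: " + ", ".join(rule.get("groups", [])),
        }],
    }


def post_to_slack(payload: dict, hook_url: str) -> int:
    """POST the payload to a Slack incoming webhook and return the HTTP status."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample alert (field layout follows Wazuh alerts.json; values are made up).
SAMPLE_ALERT = {
    "timestamp": "2024-05-01T10:03:17.512+0000",
    "rule": {
        "level": 10,
        "id": "5712",
        "description": "sshd: brute force trying to get access to the system. Non existent user.",
        "groups": ["syslog", "sshd", "authentication_failures"],
    },
    "agent": {"id": "003", "name": "web-01"},
    "data": {"srcip": "203.0.113.9"},
    "full_log": "May  1 10:03:17 web-01 sshd[2210]: Invalid user admin from 203.0.113.9 port 51823",
}

if __name__ == "__main__":
    if len(sys.argv) >= 4:
        # Wazuh passes: alert file, API key (unused for Slack webhooks), webhook URL.
        with open(sys.argv[1], encoding="utf-8") as fh:
            payload = build_slack_message(json.load(fh))
        if payload:
            post_to_slack(payload, sys.argv[3])
    else:
        print(json.dumps(build_slack_message(SAMPLE_ALERT), indent=2))
```

Two points matter operationally. The webhook URL is a credential and is therefore taken from the argument Wazuh supplies rather than hard-coded, and the level threshold is what keeps a chat channel from turning into a second, noisier alerts.json; the two-way control path the abstract describes (acknowledging or acting on an alert from the mobile client) needs a separate listener that authenticates the Slack request and is not part of this forwarder.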
Abstract: Internet services and web-based applications play pivotal roles in various sensitive domains, including e-commerce, e-learning, e-healthcare, and e-payment. Safeguarding these services, however, is a significant challenge, and the need for robust security measures is increasingly pressing. This paper presents a method based on differential analysis to detect abrupt changes in network traffic characteristics. The core idea is to identify abrupt alterations in certain characteristics of the analyzed traffic, such as input/output volume, the number of TCP connections, or the number of DNS queries. The traffic is first segmented into a sequence of slices, and specific characteristics are quantified for each slice. The distance between successive values of these measured characteristics is then computed and clustered to detect sudden changes. The approach combines several techniques, including propositional logic, distance metrics (e.g., Kullback-Leibler divergence), and clustering algorithms (e.g., K-means). Applied to two distinct datasets, the proposed approach achieves detection rates of up to 100%.
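The pipeline the abstract outlines (slice, quantify, distance between successive slices, cluster the distances) is concrete enough to run end to end. The following is an added example, not the paper's code or data: each slice's characteristic vector is normalised into a distribution, a symmetric Kullback-Leibler divergence is taken between successive slices, the one-dimensional distance series is split with a two-cluster K-means, and a boundary is reported only if it falls in the high-distance cluster and at least one characteristic moved by a large factor, which plays the role of the propositional check. The slice values, the 3x movement ratio, and the cluster-separation factor are constructed for the example; the symmetric form of the divergence is this example's choice so that the distance does not depend on direction.

```python
"""Differential change detection over traffic slices (added example; not the paper's code)."""
from __future__ import annotations

import math
from typing import Dict, List, Tuple

FEATURES = ("bytes_in", "bytes_out", "tcp_conns", "dns_queries")
EPS = 1e-9          # smoothing so KL never divides by or takes the log of zero
RATIO = 3.0         # a characteristic "moved" if it changed by at least 3x (example's choice)
SEPARATION = 10.0   # high-cluster centroid must be >= 10x the low one (example's choice)

Slice = Dict[str, float]


def to_distribution(s: Slice) -> List[float]:
    """Normalise a slice's characteristic vector into a probability distribution."""
    total = sum(s[f] + EPS for f in FEATURES)
    return [(s[f] + EPS) / total for f in FEATURES]


def kl(p: List[float], q: List[float]) -> float:
    """Kullback-Leibler divergence KL(p || q) in nats."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


def successive_distances(slices: List[Slice]) -> List[float]:
    """d[j] = symmetric KL between slice j and slice j+1."""
    dists = [to_distribution(s) for s in slices]
    return [kl(dists[j], dists[j + 1]) + kl(dists[j + 1], dists[j]) for j in range(len(dists) - 1)]


def kmeans_1d(values: List[float], iters: int = 100) -> Tuple[List[int], List[float]]:
    """Two-cluster K-means on a 1-D series with deterministic initialisation at min and max."""
    centroids = [min(values), max(values)]
    labels = [0] * len(values)
    for _ in range(iters):
        labels = [0 if abs(v - centroids[0]) <= abs(v - centroids[1]) else 1 for v in values]
        new = []
        for c in (0, 1):
            members = [v for v, lab in zip(values, labels) if lab == c]
            new.append(sum(members) / len(members) if members else centroids[c])
        if new == centroids:
            break
        centroids = new
    return labels, centroids


def detect_abrupt_changes(slices: List[Slice]) -> List[Tuple[int, float, Dict[str, str]]]:
    """Return (index of the slice where the change starts, distance, {characteristic: 'up'|'down'})."""
    if len(slices) < 3:
        return []
    dists = successive_distances(slices)
    labels, centroids = kmeans_1d(dists)
    high = 0 if centroids[0] > centroids[1] else 1
    # K-means always yields a "high" cluster, even in quiet traffic; demand real separation.
    if centroids[high] < SEPARATION * max(centroids[1 - high], EPS):
        return []
    changes = []
    for j, (d, label) in enumerate(zip(dists, labels)):
        if label != high:
            continue
        before, after = slices[j], slices[j + 1]
        moved = {}
        for f in FEATURES:
            r = (after[f] + EPS) / (before[f] + EPS)
            if r >= RATIO:
                moved[f] = "up"
            elif r <= 1 / RATIO:
                moved[f] = "down"
        # Propositional check: abrupt := (high-distance cluster) AND (some characteristic moved).
        if moved:
            changes.append((j + 1, d, moved))
    return changes


# Constructed slices (e.g. one per minute): baseline, then a two-slice DNS/connection flood, then baseline.
SLICES: List[Slice] = [
    {"bytes_in": 120_000, "bytes_out": 80_000, "tcp_conns": 300, "dns_queries": 150},
    {"bytes_in": 118_500, "bytes_out": 79_000, "tcp_conns": 295, "dns_queries": 148},
    {"bytes_in": 123_000, "bytes_out": 81_500, "tcp_conns": 310, "dns_queries": 155},
    {"bytes_in": 121_000, "bytes_out": 80_200, "tcp_conns": 305, "dns_queries": 152},
    {"bytes_in": 119_000, "bytes_out": 79_800, "tcp_conns": 298, "dns_queries": 149},
    {"bytes_in": 124_000, "bytes_out": 82_000, "tcp_conns": 312, "dns_queries": 158},
    {"bytes_in": 122_000, "bytes_out": 80_900, "tcp_conns": 303, "dns_queries": 151},
    {"bytes_in": 125_000, "bytes_out": 82_500, "tcp_conns": 315, "dns_queries": 160},
    {"bytes_in": 130_000, "bytes_out": 85_000, "tcp_conns": 2_400, "dns_queries": 9_000},  # flood starts
    {"bytes_in": 128_000, "bytes_out": 84_000, "tcp_conns": 2_600, "dns_queries": 9_500},
    {"bytes_in": 121_000, "bytes_out": 80_500, "tcp_conns": 305, "dns_queries": 155},      # back to baseline
]

if __name__ == "__main__":
    for idx, dist, moved in detect_abrupt_changes(SLICES):
        print(f"abrupt change entering slice {idx}: distance={dist:.4f} moved={moved}")
```

Both the onset and the end of the flood are reported, which is the behaviour you want from a differential detector: it flags transitions, not states, so a long-running attack shows up once at its start and once when it stops. The separation check and the movement ratio are the two knobs that keep the two-cluster split from manufacturing alerts out of ordinary jitter.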
Abstract: The world has transformed digitally over time and has become wholly dependent on the Internet, with ever more devices continuously interconnected in its ecosystem. This has made the Internet a global information source for everyone. At the same time, the knowledge of cybercriminals has advanced, resulting in a variety of attack methodologies against the Internet and its data stores. This paper discusses the origin and significance of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks remain among the most effective methods attackers use to inflict substantial operational, reputational, and financial damage on organizations globally, and they degrade network performance and availability: the victim's network is flooded with massive volumes of malicious traffic so that legitimate traffic from authorized users cannot get through. The paper explores detection mechanisms and mitigation techniques for this network threat.
Abstract: Efficient scattering computation for Gaussian rough surfaces is achieved with the Stochastic Integral Equation Method (SIEM). Compared with the conventional Monte Carlo (MC) method for solving the scattering characteristics of random rough surfaces, this method uses a statistical facet Green's function that accounts for the field-source coupling effects of the surface's Gaussian random distribution, so the matrix elements and the unknowns need to be computed only once, which improves the computational efficiency of rough-surface problems. Numerical results show that the method agrees with MC while computational efficiency is significantly improved.
Abstract: Humans are commonly seen as the weakest link in corporate information security. This has led to a lot of effort being put into security training and awareness campaigns, which has made employees less likely to be the target of successful attacks. Existing approaches, however, do not tap the full potential of these campaigns. On the one hand, human perception offers an additional source of contextual information for detected incidents; on the other hand, it serves as a source of information about incidents that may not be detectable by automated procedures. Existing approaches only allow text-based reporting of basic incident information; a structured recording of human-delivered information that is also compatible with existing SIEM systems is still missing. In this work, we propose an approach that allows humans to systematically report perceived anomalies or incidents in a structured way, and that supports the integration of such reports into analytics systems. We identify connecting points to SIEM systems, develop a taxonomy for structuring the elements reportable by humans acting as security sensors, and develop a structured data format to record the data delivered by humans. A prototypical human-as-a-security-sensor wizard applied to a real-world use case serves as proof of concept.