http://dx.doi.org/10.13089/JKIISC.2015.25.5.1027

Real-time Abnormal Behavior Detection System based on Fast Data

Lee, Myungcheol (Electronics and Telecommunications Research Institute)
Moon, Daesung (Electronics and Telecommunications Research Institute)
Kim, Ikkyun (Electronics and Telecommunications Research Institute)
Abstract
Recently, cases of APT (Advanced Persistent Threat) attacks, such as Verizon (2010), Nonghyup (2011), SK Communications (2011), and the 3.20 Cyber Terror (2013), have increased rapidly; these attacks leak confidential information and cause tremendous damage to valuable assets without being noticed. Several anomaly detection technologies have been studied to defend against APT attacks, mostly focusing on the detection of obvious anomalies based on the signatures of known malicious code. However, these approaches are limited in detecting APT attacks and suffer from high false-negative rates, because APT attacks consistently use zero-day vulnerabilities and have a long latent period. Detecting APT attacks requires long-term analysis of data collected from a diverse set of sources over a long period, real-time analysis of the ingested data, and correlation analysis of the individual attacks. Traditional security systems, however, lack sophisticated analytic capabilities, compute power, and agility. In this paper, we propose a Fast Data based real-time abnormal behavior detection system to overcome the real-time processing and analysis limitations of traditional systems.
Keywords
APT; Fast Data; Abnormal Behavior Detection; Host Process Behavior; Apache Storm
Citations & Related Records
Times Cited By KSCI: 1
1 Verizon, "2010 data breach investigations report," 2010.
2 Colin Tankard, "Advanced persistent threats and how to monitor and deter them," Network Security, vol. 2011, no. 8, pp. 16-19, Aug. 2011.
3 Paul Giura and Wei Wang, "Using large scale distributed computing to unveil advanced persistent threats," Science Journal, vol. 1, no. 3, pp. 93-105, 2012.
4 Apache Hadoop Project, http://hadoop.apache.org/.
5 Apache Storm Project, http://storm.apache.org/.
6 Splunk, http://www.splunk.com/.
7 General Dynamics, "Proposal for R&D support of DARPA cyber genome program," Mar. 2010.
8 Sung-Hwan Ahn, Nam-Uk Kim, and Tai-Myoung Chung, "Big data analysis system concept for detecting unknown attacks," ICACT 2014, pp. 269-272, Feb. 2014.
9 Kim Jonghyeon et al., "Trend of cyber security technology using Big Data," Electronic Communication Trend Analysis, vol. 28, no. 3, June 2013.
10 Daesung Moon, Hansung Lee, and Ikkyun Kim, "Host based feature description method for detecting APT attack," Journal of The Korea Institute of Information Security & Cryptology, vol. 24, no. 5, pp. 839-850, Oct. 2014.
11 M.A. Beyer, A. Lapkin, N. Gall, D. Feinberg, and V.T. Sribar, "Big data is only the beginning of extreme information management," Gartner, Apr. 2011.
12 Ashish Thusoo et al., "Hive - a warehousing solution over a Map-Reduce framework," VLDB 2009, vol. 2, no. 2, pp. 1626-1629, Aug. 2009.
13 NIST, "Guide for conducting risk assessments," Special Publication 800-30 Revision 1, Sep. 2009.
14 Symantec, "Symantec internet security threat report," Symantec, 2011.
15 Art Coviello, "Open letter to RSA customers," June 2011.
16 Gartner, "Big data," http://gartner.com/it-glossary/big-data.
17 Lambda Architecture, http://lambda-architecture.net/.
18 Hyunjoo Kim, Ikkyun Kim, and Tai-Myoung Chung, "Abnormal behavior detection technique based on big data," Lecture Notes in Electrical Engineering, vol. 301, pp. 553-563, Apr. 2014.
19 IBM QRadar, http://www-01.ibm.com/software/tivoli/products/security-operations-mgr/.
20 McAfee ESM, http://www.mcafee.com/us/products/enterprise-security-manager.aspx.
21 IBM Security Intelligence with Big Data, http://www-03.ibm.com/security/solution/intelligence-big-data/.
22 Yeonhee Lee and Youngseok Lee, "Toward scalable Internet traffic measurement and analysis with Hadoop," ACM SIGCOMM Computer Communication Review, vol. 43, no. 1, pp. 6-13, Jan. 2013.
23 Daesu Choi, Giljong Moon, Yongmin Kim, and Bongnam Noh, "Large quantity of security log analysis using MapReduce," Journal of the Korean Institute of Information Technology, vol. 9, no. 8, Aug. 2011.
24 Ting-Fang Yen et al., "Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks," ACSAC 2013, pp. 199-208, Dec. 2013.
25 Ioan Raicu et al., "Falkon: a fast and light-weight task execution framework," ACM/IEEE Conference on Supercomputing, article no. 43, Nov. 2007.
26 Wikipedia, "Zero-day (computing)," http://en.wikipedia.org/wiki/Zero-day_(computing).
27 Alissa Lorentz, "Big data, fast data, smart data," WIRED, Apr. 2013.
28 DCIG, "2014-2015 SIEM appliance buyer's guide," 2014.
29 IBM, "IBM Security QRadar SIEM - product overview," 2013.
30 NDM, "ArcSight ESM 7425," http://www.ndm.net/siem/arcsight/arcsight-esm, 2015.
31 Splunk, "Splunk performance guide v2.1," 2015.