Profile-based anomaly detection promises greater network security
Tue 1 Aug 2017
IT managers will soon be able to better protect their systems and expose cyber criminals more quickly, according to new network security developments at the Fraunhofer Institute.
A new study has revealed that IT professionals continue to struggle to find the right solutions for protecting their businesses and organisations from network breaches, as the number of indicators of potential attacks increases.
Fraunhofer is now working to develop profile-based anomaly detection in security information and event management systems (PA-SIEM). The Institute argues that while IT managers can collect security-related event logs, systems can also contain vast amounts of data on legitimate operations such as user log-ins and website visits.
‘It is simply not feasible for computer experts to fish out the alerts indicating a potential attack from this endless sea of data. In reality, SIEM systems often resemble data graveyards,’ it said.
The researchers argue that with PA-SIEM, users will be able to uncover attacks more quickly and effectively. ‘Instead of relying only on predefined rules to detect cyberattacks, PA-SIEM calculates typical attack patterns from incomplete or weak indicators,’ explained Rafael Uetz, a Fraunhofer researcher.
The study is based on a three-step process. Firstly, the SIEM software collects event logs from individual PCs and servers. Secondly, special algorithms are applied to scan the logs for anomalies or any known threat indicators.
‘But it’s essentially the third stage that makes the difference: we combine the indicators, which allows us to greatly reduce the error rate,’ added Uetz.
Fraunhofer explains that with traditional software, if an indicator is triggered by an attack in 90% of cases, the false-positive rate is 10%. If two of these indicators occur in quick succession, this rate drops from 10% to 1%. If a third occurs, the false-positive rate falls again, to just 0.1%.
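The three-step process and the false-positive arithmetic above, as an added example that is not Fraunhofer's PA-SIEM code: a small Python correlator over constructed log lines that groups indicator hits per host within a time window and multiplies their standalone false-positive rates. The indicator names, the 10% per-indicator rate, the 30-minute window and the alert threshold are assumptions, and the multiplication holds only if the indicators fire independently.

```python
"""Correlate weak indicators per host and combine their false-positive rates.

The 10% -> 1% -> 0.1% figures in the article correspond to multiplying the
standalone rates, which assumes the indicators are independent (an assumption)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical weak indicators, each with an assumed 10% standalone false-positive rate.
INDICATOR_FPR = {
    "phishing_attachment_opened": 0.10,
    "credential_dump_tool_seen": 0.10,
    "new_admin_logon": 0.10,
}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample log: "<ISO timestamp> <host> <indicator>" per line.
SAMPLE_LOG = """\
2017-08-01T09:00:00 ws-17 phishing_attachment_opened
2017-08-01T09:05:00 ws-42 new_admin_logon
2017-08-01T09:12:00 ws-17 credential_dump_tool_seen
2017-08-01T09:20:00 ws-17 new_admin_logon
2017-08-01T14:00:00 ws-42 phishing_attachment_opened
"""

def parse(log):
    """Step 1: collect events as (timestamp, host, indicator) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, indicator = line.split()
        events.append((datetime.fromisoformat(ts), host, indicator))
    return events

def correlate(log, window=WINDOW):
    """Steps 2 and 3: per host, find the chain of distinct indicators within
    `window` ending at each event, and return the lowest combined rate
    as {host: (combined_fpr, indicators_in_chain)}."""
    by_host = defaultdict(list)
    for ts, host, ind in sorted(parse(log)):
        by_host[host].append((ts, ind))
    result = {}
    for host, evs in by_host.items():
        best = (1.0, ())
        for i, (ts, _) in enumerate(evs):
            chain = [ind for t2, ind in evs[:i + 1] if ts - t2 <= window]
            chain = list(dict.fromkeys(chain))  # distinct, in time order
            fpr = 1.0
            for ind in chain:
                fpr *= INDICATOR_FPR[ind]
            if fpr < best[0]:
                best = (fpr, tuple(chain))
        result[host] = best
    return result

def alerts(log, threshold=0.01):
    """Hosts whose combined false-positive rate is at or below the threshold."""
    return sorted(h for h, (fpr, _) in correlate(log).items() if fpr <= threshold)
```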
The research argues that the attack on the German Parliament in 2015 followed a similar chain of events, referred to as an ‘intrusion kill chain’. The hack saw attackers first send a spear-phishing email to install malware, before capturing passwords and administrator credentials, giving them all the information they needed to steal, delete and manipulate data.
In cases like these, Fraunhofer believes that PA-SIEM software could have detected the whole incident much more effectively.