Stream computing for large-scale, multi-channel cyber threat analytics

Douglas L. Schales, Mihai Christodorescu, Xin Hu, Jiyong Jang, Josyula R. Rao, Reiner Sailer, Marc Ph Stoecklin, Wietse Venema, Ting Wang

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.

Original languageEnglish (US)
Title of host publicationProceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration, IEEE IRI 2014
EditorsElisa Bertino, Bhavani Thuraisingham, Ling Liu, James Joshi
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages8-15
Number of pages8
ISBN (Electronic)9781479958801
DOIs
StatePublished - Feb 27 2014
Event15th IEEE International Conference on Information Reuse and Integration, IEEE IRI 2014 - San Francisco, United States
Duration: Aug 13 2014Aug 15 2014

Publication series

NameProceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration, IEEE IRI 2014

Conference

Conference15th IEEE International Conference on Information Reuse and Integration, IEEE IRI 2014
Country/TerritoryUnited States
CitySan Francisco
Period8/13/148/15/14

All Science Journal Classification (ASJC) codes

  • Information Systems

Fingerprint

Dive into the research topics of 'Stream computing for large-scale, multi-channel cyber threat analytics'. Together they form a unique fingerprint.

Cite this