TY - GEN
T1 - Stream computing for large-scale, multi-channel cyber threat analytics
AU - Schales, Douglas L.
AU - Christodorescu, Mihai
AU - Hu, Xin
AU - Jang, Jiyong
AU - Rao, Josyula R.
AU - Sailer, Reiner
AU - Stoecklin, Marc Ph
AU - Venema, Wietse
AU - Wang, Ting
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/2/27
Y1 - 2014/2/27
N2 - The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.
AB - The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.
UR - http://www.scopus.com/inward/record.url?scp=84946691061&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84946691061&partnerID=8YFLogxK
U2 - 10.1109/IRI.2014.7051865
DO - 10.1109/IRI.2014.7051865
M3 - Conference contribution
AN - SCOPUS:84946691061
T3 - Proceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration, IEEE IRI 2014
SP - 8
EP - 15
BT - Proceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration, IEEE IRI 2014
A2 - Bertino, Elisa
A2 - Thuraisingham, Bhavani
A2 - Liu, Ling
A2 - Joshi, James
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 15th IEEE International Conference on Information Reuse and Integration, IEEE IRI 2014
Y2 - 13 August 2014 through 15 August 2014
ER -