Design and Implementation of a Research and Education Cybersecurity Operations Center

  • C. DeCusatisEmail author
  • R. Cannistra
  • A. Labouseur
  • M. Johnson
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


The growing number and severity of cybersecurity threats, combined with a shortage of skilled security analysts, has led to an increased focus on cybersecurity research and education. In this article, we describe the design and implementation of an education and research Security Operations Center (SOC) to address these issues. The design of a SOC to meet educational goals as well as perform cloud security research is presented, including a discussion of SOC components created by our lab, including honeypots, visualization tools, and a lightweight cloud security dashboard with autonomic orchestration. Experimental results of the honeypot project are provided, including analysis of SSH brute force attacks (aggregate data over time, attack duration, and identification of well-known botnets), geolocation and attack pattern visualization, and autonomic frameworks based on the observe, orient, decide, act methodology. Directions for future work are also be discussed.


SOC Security Operations Center 



We gratefully acknowledge the support of Marist College and the New York State Cloud Computing and Analytic Center (CCAC), as well as support from the National Science Foundation under CC*DNI Integration (Area 4): Application-Aware Software-Defined Networks for Secure Cloud Services (SecureCloud) Award #1541384. We also gratefully acknowledge the support of Marist College IT staff and students in creating the SOC, including Bill Thirsk (former Marist CIO), Harry Williams (Marist CSO), Eric Weeda (former Marist IT staff), Roger Norton (Dean of the School of Computer Science and Mathematics) and Marist undergraduate students V. Joseph, P. Liengtiraphan, G. Leaden, T. Famularo, T. Magnusson, and M. Zimmermann.


  1. 1.
    Juniper Research Report (2018) The future of cybercrime and security: financial and corporate threats and mitigation. May 12, 2018, Last accessed 6 Dec 2018
  2. 2.
    U.S. Senate hearings on Global Threats and National Security (January 29, 2019), available from Last accessed 30 Jan 2019
  3. 3.
    U.S. Presidential Executive Order, strengthening the cybersecurity of federal networks and critical infrastructure (May 11, 2017) Last accessed 18 Dec 2018
  4. 4.
    Basken P (2017) Innovations in cybersecurity benefit graduates and the nation, Chronicle of Higher Education, February 26, 2017 Last accessed 20 Sept 2017
  5. 5.
    Eduventure study (2018) Market snapshot: cybersecurity bachelors and masters Last accessed 18 Dec 2018
  6. 6.
    Federal Cybersecurity Research and Development Strategic Plan (RDSP), 52 pages, National Science and Technology Council (February 2016) Last accessed 18 Dec 2018
  7. 7.
    Marist LongTail SSH Honeypot & Analytic Code available via IEEE Try-CybSi project, part of the IEEE Cybersecurity Initiative launched by the IEEE Computer Society and the IEEE Future Directions Committee (posted March 2016, last accessed Sept 2016)
  8. 8.
    Marist Innovation Lab GitHub site, Last accessed 11 Feb 2018
  9. 9.
    MondoPad homepage, Last accessed 11 Feb 2018
  10. 10.
    Marist Cybersecurity SOC (2018) Cybersecurity education, geolocation, and IBM QRadar, Last accessed 11 Feb 2018
  11. 11.
    Marist Cybersecurity SOC (2018) Cloud security and graph analytics last accessed 11 Feb 2018
  12. 12.
    Certified Ethical Hacker (2018) EC Council, Last accessed 11 Feb 2018
  13. 13.
    New York State Cybersecurity Certificate, the Institue of Data Center Professionals (IDCP), Last accessed 11 Feb 2018
  14. 14.
    CISSP certification, Last accessed 11 Feb 2018
  15. 15.
    Verizon 2018 data breach report, Last accessed 11 Feb 2018
  16. 16.
  17. 17.
    The Honeypot Project Last accessed 18 Dec 2018
  18. 18.
    Acalvio Technologies white paper (Fwd. by G. Eschelbeck), “The definitive guide to deception 2.0: cybersecurity manual for definitive deception solutions”, 60 pages (2017)Google Scholar
  19. 19.
    U.S. Dept. of Homeland Security and U.S. Computer Emergency Readiness Team, Glossary of Common Cybersecurity Terminology (2015)Google Scholar
  20. 20.
    “Cisco 2015 annual security report”, published by Cisco System Inc., Last accessed 9 Feb 2015
  21. 21.
    Joseph V, Liengtiraphan P, Leaden G, DeCusatis C (2017) A Software-Defined Network Honeypot with Geolocation and Analytic Data Collection. In: Proceeding of 12th annual IEEE/ACM information technology professional conference, Trenton, NJ (March 17, 2017)Google Scholar
  22. 22.
    DeCusatis C, Labouseur A, Famularo T, Heiden J, Leaden G, Magnusson T, Zimmermann M (2017) An API Honeypot for DDoS and XSS Analysis.In: Proceeding of NYIT 7th annual cybersecurity conference, New York, NY; Best Undergraduate Research Paper Award (Sept 23, 2017)Google Scholar
  23. 23.
    Leaden G, Zimmermann M, DeCusatis C, Labouseur A (2017) An API Honeypot for DDoS and XSS Analysis. Proceeding of IEEE/MIT undergraduate research technology conference, Cambridge, MA (Nov. 3–5 2017)Google Scholar
  24. 24.
    Labouseur A, Birnbaum J, Olsen P Jr, Spillane S, Vijayan J, Hwang J, Han W (2015) The G-Star graph database: efficiently managing large distributed dynamic graphs. ACM Distrib Parallel Databases 33(4):479–514CrossRefGoogle Scholar
  25. 25.
    Remote Firewall Web Server Last accessed 11 Feb 2018
  26. 26.
    Graylog open source log parser, Last accessed 11 Feb 2018
  27. 27.
    ELK stack (Elastisearch, Logstache, Kibana), Last accessed 11 Feb 2018
  28. 28.
    DeCusatis C, Zimmerman M, Sager A (2018) Identity based network security for commercial Blockchain services (IEEE XPlore Feature Article). In Proceeding of 8th annual IEEE Computing and Communications Workshop and Conference, Las Vegas, NV (8–10 Jan 2018)Google Scholar
  29. 29.
    IBM Qradar Security Software Documentation, online document. Last accessed 20 Sept 2017
  30. 30.
    Cisco Tetration Analytics, online document. Last accessed 20 Sept 2017
  31. 31.
    Krzywinski M (2018) Linear layout for visualization of networks: the end of hairballs. Proceeding of Genome Informatics 2010, Hinxton, UK (Sept 17, 2010), Last accessed 18 Dec 2018
  32. 32.
    Longtail in hive plots—J. Ma, “Machine learning applications in computational genomics”, Carnegie Mellon University, Last accessed 18 Dec 2018
  33. 33.
    Engle S, Whaelan S (2018) Visualizing distributed memory computations using hive plots. Proceeding of ACM 9th international symposium on visualization for cybersecurity, Seattle, WA (Oct 15, 2012), Last accessed 18 Dec 2018
  34. 34.
    Daubert versus Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579 (1993)Google Scholar
  35. 35.
    DeCusatis C, Carranza A, Ngaide A, Zafar S, Landaez N, An open digital forensics model based on CAINE. Proceeding of 15th IEEE International Conference on computer and information technology (CIT 2015), October 26–28, Liverpool, UKGoogle Scholar
  36. 36.
    Smith R (2014) Elemantary Information Security, 2nd edn. Jones and Bartlett PublishersGoogle Scholar
  37. 37.
    Boyd JR (1976) Destruction and creation. U.S. Army Command and General Staff College (3 Sept 1976)Google Scholar
  38. 38.
    DeCusatis C, Liengtiraphan P, Sager A, Pinelli M (2016) Implementing zero trust cloud networks with transport access control and first packet authentication. In: Proceeding IEEE International Conference on Smart Cloud (SmartCloud 2016), New York, NY (18–20 Nov 2016)Google Scholar
  39. 39.
    Labouseur A et al (2016) G* Studio: An adventure in graph databases, distributed systems, and software development. Inroads 7(2):58–66CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • C. DeCusatis
    • 1
    Email author
  • R. Cannistra
    • 1
  • A. Labouseur
    • 1
  • M. Johnson
    • 1
  1. 1.School of Computer Science and MathematicsMarist CollegeNew YorkUSA

Personalised recommendations