Skip to main content
SpringerLink
Log in

HuMa: A Multi-layer Framework for Threat Analysis in a Heterogeneous Log Environment

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10723))

Included in the following conference series:

Abstract

The advent of massive and highly heterogeneous information systems poses major challenges to professionals responsible for IT security. The huge amount of monitoring data currently being generated means that no human being or group of human beings can cope with their analysis. Furthermore, fully automated tools still lack the ability to track the associated events in a fine-grained and reliable way. Here, we propose the HuMa framework for detailed and reliable analysis of large amounts of data for security purposes. HuMa uses a multi-analysis approach to study complex security events in a large set of logs. It is organized around three layers: the event layer, the context and attack pattern layer, and the assessment layer. We describe the framework components and the set of complementary algorithms for security assessment. We also provide an evaluation of the contribution of the context and attack pattern layer to security investigation.

This work was partially supported by the French Banque Publique d’Investissement (BPI) under program FUI-AAP-19 in the frame of the HuMa project.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf.

  2. 2.

    https://nvd.nist.gov, http://cve.mitre.org, http://www.cvedetails.com.

  3. 3.

    http://capec.mitre.org.

  4. 4.

    https://www.splunk.com.

  5. 5.

    https://www.snort.org/.

References

  1. Abraham, S., Nair, S.: A predictive framework for cyber security analytics using attack graphs. Int. J. Comput. Netw. Commun. (2015). http://arxiv.org/abs/1502.01240

  2. Allodi, L., Massacci, F.: A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets. In: Proceedings of the 2012 ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, BADGERS 2012, pp. 17–24. ACM, New York (2012). https://doi.org/10.1145/2382416.2382427

  3. Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_16

    Chapter  Google Scholar 

  4. Benali, F., Ubéda, S., Legrand, V.: Collaborative approach to automatic classification of heterogeneous information security. In: Second International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2008, pp. 294–299. IEEE (2008)

    Google Scholar 

  5. Camtepe, S., Yener, B.: Modeling and detection of complex attacks. In: SecureComm Third International Conference on Security and Privacy in Communications Networks and the Workshops, pp. 234–243, September 2007

    Google Scholar 

  6. Chen, B., Lee, J., Wu, A.S.: Active event correlation in Bro IDS to detect multi-stage attacks. In: Fourth IEEE International Workshop on Information Assurance (IWIA 2006), pp. 16–50. IEEE, London (2006)

    Google Scholar 

  7. Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Zúquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63–72. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44885-4_5

    Google Scholar 

  8. Chen, T.M., Abu-Nimeh, S.: Lessons from stuxnet. Computer 44(4), 91–93 (2011)

    Article  Google Scholar 

  9. Coudriau, M., Lahmadi, A., Francois, J.: Topological analysis and visualisation of network monitoring data: darknet case study. In: International Workshop on Information Forensics and Security (WIFS). IEEE, Abu Dhabi (2016)

    Google Scholar 

  10. Cui, Z., Herwono, I., Kearney, P.: Multi-stage attack modelling. In: Proceedings of Cyberpatterns 2013, pp. 78–89 (2013)

    Google Scholar 

  11. De Santis, G., Lahmadi, A., Francois, J., Festor, O.: Modeling of IP scanning activities with hidden Markov models: darknet case study. In: 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–5. IEEE (2016)

    Google Scholar 

  12. Flåten, O., Lund, M.S.: How good are attack trees for modelling advanced cyber threats? Norw. Inf. Secur. Conf. (NISK) 7(1) (2014)

    Google Scholar 

  13. Friedberg, I., Skopik, F., Settanni, G., Fiedler, R.: Combating advanced persistent threats: from network event correlation to incident detection. Comput. Secur. 48, 35–57 (2015)

    Article  Google Scholar 

  14. Giura, P., Wang, W.: Using large scale distributed computing to unveil advanced persistent threats. Science 1(3), 93 (2013)

    Google Scholar 

  15. Kordy, B., Piètre-Cambacèdés, L., Schweitzer, P.: Dag-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13–14, 1–38 (2014)

    Article  MATH  Google Scholar 

  16. Kotenko, I., Chechulin, A.: A cyber attack modeling and impact assessment framework. In: 2013 5th International Conference on Cyber Conflict (CYCON 2013), pp. 1–24, June 2013

    Google Scholar 

  17. Lagraa, S., Legrand, V., Minier, M.: Behavioral change-based anomaly detection in computer networks using data mining. Int. J. Network Manag. (Submitted)

    Google Scholar 

  18. Le, Q., Mikolov, T.: Distributed representations of sentences and documents. In: Jebara, T., Xing, E.P. (eds.) Proceedings of the 31st International Conference on Machine Learning (ICML 2014), pp. 1188–1196. JMLR Workshop and Conference Proceedings (2014)

    Google Scholar 

  19. Legrand, V., State, R., Paffumi, L.: A dangerousness-based investigation model for security event management. In: The Third International Conference on Internet Monitoring and Protection, ICIMP 2008, pp. 109–118. IEEE (2008)

    Google Scholar 

  20. Legrand, V., Ubeda, S.: Enriched diagnosis and investigation models for security event correlation. In: Second International Conference on Internet Monitoring and Protection, ICIMP 2007, p. 1. IEEE (2007)

    Google Scholar 

  21. Legrand, V.: Confiance et risque pour engager un échange en milieu hostile. Ph.D. thesis, INSA-Lyon (2013)

    Google Scholar 

  22. Marchetti, M., Colajanni, M., Manganiello, F.: Identification of correlated network intrusion alerts. In: Third International Workshop on Cyberspace Safety and Security (CSS), pp. 15–20. IEEE, Milan (2011)

    Google Scholar 

  23. Mathew, S., Upadhyaya, S.: Attack scenario recognition through heterogeneous event stream analysis. In: IEEE Military Communications Conference (MILCOM), pp. 1–7. IEEE, Boston (2009)

    Google Scholar 

  24. Navarro-Lara, J., Deruyver, A., Parrend, P.: Morwilog: an ACO-based system for outlining multi-step attacks. In: IEEE Symposium Series on Computational Intelligence (SSCI). IEEE, Athens (2016)

    Google Scholar 

  25. Offroy, M., Duponchel, L.: Topological data analysis: a promising big data exploration tool in biology, analytical chemistry and physical chemistry. Anal. Chim. Acta 910, 1–11 (2016)

    Article  Google Scholar 

  26. Pearson, P., Muellner, D., Singh, G.: TDAmapper: Analyze High-Dimensional Data Using Discrete Morse Theory (2015). https://github.com/paultpearson/TDAmapper/, (R package version 1.0)

  27. Řehůřek, R., Sojka, P.: Software framework for topic modelling with large corpora. In: Proceedings of the LREC 2010 Workshop on New Challenges for NLP Frameworks, pp. 45–50. ELRA, Valletta, May 2010

    Google Scholar 

  28. Scarabeo, N., Fung, B.C., Khokhar, R.H.: Mining known attack patterns from security-related events. PeerJ Comput. Sci. 1, e25 (2015)

    Article  Google Scholar 

  29. Schneider, B.: Attack trees. Dr. Dobb’s J. 24, 21–29 (1999)

    Google Scholar 

  30. Sood, A.K., Enbody, R.J.: Targeted cyberattacks: a superset of advanced persistent threats. IEEE Secur. Priv. 11(1), 54–61 (2013)

    Google Scholar 

  31. Wang, L., Ghorbani, A., Li, Y.: Automatic multi-step attack pattern discovering. Int. J. Netw. Secur. (IJNS) 10(2), 142–152 (2010)

    Google Scholar 

  32. Zali, Z., Hashemi, M.R., Saidi, H.: Real-time attack scenario detection via intrusion detection alert correlation. In: 9th International ISC Conference on Information Security and Cryptology (ISCISC), pp. 95–102. IEEE, Tabriz (2012)

    Google Scholar 

  33. Zhang, S., Caragea, D., Ou, X.: An empirical study on using the national vulnerability database to predict software vulnerabilities. In: Hameurlain, A., Liddle, S.W., Schewe, K.-D., Zhou, X. (eds.) DEXA 2011. LNCS, vol. 6860, pp. 217–231. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23088-2_15

    Chapter  Google Scholar 

  34. Zhaowen, L., Shan, L., Yan, M.: Real-time intrusion alert correlation system based on prerequisites and consequence. In: 6th International Conference on Wireless Communications Networking and Mobile Computing (WiCOM), pp. 1–5. IEEE, Chengdu City (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. ICube, Université de Strasbourg, Strasbourg, France

    Julio Navarro, Aline Deruyver & Pierre Parrend

  2. Complex System Digital Campus (UNESCO Unitwin), Paris, France

    Julio Navarro & Pierre Parrend

  3. ECAM Strasbourg-Europe, Schiltigheim, France

    Pierre Parrend

  4. CEDRIC, Conservation National des Arts en Métiers (CNAM), Paris, France

    Véronique Legrand, Nadira Lammari & Fayçal Hamdi

  5. Intrinsec Sécurité, Nanterre, France

    Véronique Legrand, Quentin Goux & Morgan Allard

  6. LORIA, Inria Nancy Grand-Est, Villers-lès-Nancy, France

    Sofiane Lagraa, Jérôme François, Abdelkader Lahmadi, Giulia De Santis & Olivier Festor

Authors
  1. Julio Navarro
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Véronique Legrand
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sofiane Lagraa
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jérôme François
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Abdelkader Lahmadi
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Giulia De Santis
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Olivier Festor
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Nadira Lammari
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Fayçal Hamdi
    View author publications

    You can also search for this author in PubMed Google Scholar

  10. Aline Deruyver
    View author publications

    You can also search for this author in PubMed Google Scholar

  11. Quentin Goux
    View author publications

    You can also search for this author in PubMed Google Scholar

  12. Morgan Allard
    View author publications

    You can also search for this author in PubMed Google Scholar

  13. Pierre Parrend
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Julio Navarro .

Editor information

Editors and Affiliations

  1. University of Lorraine, Villers-lès-Nancy, France

    Abdessamad Imine

  2. Polytechnique de Montréal, Montreal, Québec, Canada

    José M. Fernandez

  3. LORIA, Vandœuvre-lès-Nancy, France

    Jean-Yves Marion

  4. Université du Québec en Outaouais, Gatineau, Québec, Canada

    Luigi Logrippo

  5. Télécom SudParis, Evry Cedex, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Navarro, J. et al. (2018). HuMa: A Multi-layer Framework for Threat Analysis in a Heterogeneous Log Environment. In: Imine, A., Fernandez, J., Marion, JY., Logrippo, L., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2017. Lecture Notes in Computer Science(), vol 10723. Springer, Cham. https://doi.org/10.1007/978-3-319-75650-9_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-75650-9_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-75649-3

  • Online ISBN: 978-3-319-75650-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation