Comprehensive Security Framework for Global Threads Analysis

TL;DR

This paper introduces a comprehensive security framework that models security information and user behavior within information systems, significantly reducing event noise and effectively detecting legitimate attack actions.

Contribution

It proposes an architecture with an ontology for security activities and behavioral analysis, demonstrating effectiveness through experiments on real data.

Findings

Reduced event noise by 91%

Detected over 80% of legitimate attack actions

Validated framework effectiveness with real data experiments

Abstract

Cyber criminality activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of thread arise involving complex scenarios spread within multiple IS components. The IS information modeling and Behavioral Analysis are becoming new solutions to normalize the IS information and counter these new threads. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and User Behavioral analysis. The results of the performed experiments on real data show that the modeling is effective to reduce the amount of events by 91%. The User Behavioral Analysis on uniform modeled data is also effective, detecting more than 80% of legitimate actions of attack scenarios.