Download Scalable Processing and mIning of Complex Events for

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
Document related concepts
no text concepts found
Transcript 
Scalable Processing and mIning of
Complex Events for
Security-analytics
Secur’IT kickoff – 8 sept 2015
Security Information and
Event Management
• Existing tools for security
monitoring
– SIM/SEM
– (Near) real-time event
monitoring
– Event correlation
– Data and user monitoring
– Behavioral profiling &
Anomaly detection
SIEM Magic Quadrant - Gartner (July 2015)
Observations: Current SIEMs
• Highly specialized systems
– Mainly aimed towards network security
– Integration with custom applications non-trivial
and often not supported
– Limited flexibility: predefined rules/rule templates
• Non-trivial to deploy
– Limited support for custom rule definition and
rule adaptation in a changing environment
SIEM in a broader context
• Monitoring and analyzing system behavior is
crucial for security operations in many other
domains:
– Fraud detection in financial transactions
– Sensitive data protection (e.g., customer support
centre)
– Industrial control systems
–…
Complex Event Processing (1/2)
• Setting: continuously arriving stream of events
• Goal: discern high-level events based on lowlevel events
Complex Event Processing (1/2)
• Setting: continuously arriving stream of events
• Goal: discern high-level events based on lowlevel events
connection from 192.168.10.4 dest_port=21
T
I
M
E
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=24
connection from 198.72.245.4 dest_port=80
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=45
Complex Event Processing (1/2)
• Setting: continuously arriving stream of events
• Goal: discern high-level events based on lowlevel events
connection from 192.168.10.4 dest_port=21
T
I
M
E
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=24
connection from 198.72.245.4 dest_port=80
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=45
Complex Event Processing (1/2)
• Setting: continuously arriving stream of events
• Goal: discern high-level events based on lowlevel events
connection from 192.168.10.4 dest_port=21
T
I
M
E
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=24
connection from 198.72.245.4 dest_port=80
connection from 190.168.82.4 dest_port=80
connection from 192.168.10.4 dest_port=45
port scan from
192.168.10.4
Complex Event Processing (2/2)
• CEP language: describe composite events
Upon
(Repeated 5 times:
(Login(User,Term1); Login(User,Term2))[5 min] & Term1<>Term2)[2 days]
Deduce: UserAccountHacked(User)
• Many different languages and online CEP
evaluation engines exist
– The “big data” era has recently introduced new
insights
Cugola, G., & Margara, A. (2012). Processing flows of information: From data stream to
complex event processing. ACM Computing Surveys (CSUR), 44(3), 15.
SPICES Goals
• Design of an open, reusable platform for complex
event mining, processing (CEP) and analytics
– More generic and flexible
– Easy to deploy, integrate with other applications
• Supporting the complete system’s life-cycle
– CEP Rule mining
– CEP Rule execution
– CEP Rule evolution
SPICES Technical Objectives
Design of an
Integrated, highlevel CEP
specification
language
Offline mining of
CEP patterns based
on historical,
labeled data
Scalable CEP
execution
(automatic optimization,
multi-core, distributed)
Online
“relearning” and
adaptation of
mined patterns
Gracefully adapt to
changes in rulesets
and workloads
Generic
framework
Based on
new CEP
language
Bus
architecture
SPICES Team (1/3)
CODE/WIT/DM
Data Mining:
• Rule induction
(pattern mining for sequence data)
• Concept drift detection and rule
modification
Toon Calders
Boris Cule
SPICES Team (2/3)
SOFTWARE LANGUAGES LAB
Software Engineering:
• Multicore computing
• Adaptation through Dynamic Metaprogramming
Wolfgang
De Meuter
Lode Hoste
SPICES Team (3/3)
CODE/WIT/QP
Database Query
Processing:
• CEP Language design
Stijn Vansummeren
Martin Ugarte
• CEP rule optimization and scalable
execution
Our User Committee
• Community of interested parties from industry
• We aim for close contact with User Committee
– Requirements analysis and driver scenarios
– Technology audit: input from sponsors/market
– Knowledge transfer: tutorials at half-yearly events
– Proof of concept implementation
• Interested? Please join!
SPICES - Summary
• Development of an open, reusable platform
for security event monitoring
–
–
–
–
–
Centered around CEP
Declarative, expressive CEP language
Offline rule induction
Online drift detection and rule adaptation
Scalable and adaptive execution engine through query
optimization and reactive meta-programming
• Bringing together necessary skills in Data
Mining, Querying, and Software Engineering
Related documents
Nona*s Homemade * Marketing Project * C Block Marketing Class
Nona*s Homemade * Marketing Project * C Block Marketing Class
Behavioral analysis
Behavioral analysis
An Initiative Approach to Determine STATE RAILWAY OF THAILAND
An Initiative Approach to Determine STATE RAILWAY OF THAILAND
Chapter 1: Protocols and Layers
Chapter 1: Protocols and Layers
Project brief 2007 COUNTRY: EGYPT PROJECT NAME: DAMIETTA
Project brief 2007 COUNTRY: EGYPT PROJECT NAME: DAMIETTA
Port Forwarding on Verizon Router
Port Forwarding on Verizon Router
Inside the CPU - Duquesne University
Inside the CPU - Duquesne University
How to Get Back to Growth
How to Get Back to Growth
Gigascope A stream database for network monitoring
Gigascope A stream database for network monitoring
Slide 1
Slide 1