Information security is plagued with increasingly sophisticated and persistent threats to communication networks. The development of new threat tools or vulnerability exploits often outpaces advancements in network security detection systems. As a result, detection systems often compensate by over reporting partial detections of routine network activity to security analysts for further review. Such alarms seldom contain adequate forensic data for analysts to accurately validate alerts to other stakeholders without lengthy investigations. As a result, security analysts often ignore the vast majority of network security alarms provided by sensors, resulting in security breaches that may have otherwise been prevented.
Security Information and Event Management (SIEM) software has been introduced recently in an effort to enable data correlation across multiple sensors, with the intent of producing a lower number of security alerts with little forensic value and a higher number of security alerts that accurately reflect malicious actions. However, the normalization frameworks found in current SIEM systems do not accurately depict modern threat activities. As a result, recent network security research has introduced the concept of a "kill chain" model designed to represent threat activities based upon patterns of action, known indicators, and methodical intrusion phases. Such a model was hypothesized by many researchers to result in the realization of the desired goals of SIEM software. The focus of this thesis is the implementation of a "kill chain" framework within SIEM software. A novel "Kill chain" model was developed and implemented within a commercial SIEM system through modifications to the existing SIEM database. These modifications resulted in a new log ontology capable of normalizing security sensor data in accordance with modern threat research. New SIEM correlation rules were developed using the novel log ontology compared to existing vendor recommended correlation rules using the default model. The novel log ontology produced promising results indicating improved detection rates, more descriptive security alarms, and a lower number of false positive alarms. These improvements were assessed to provide improved visibility and more efficient investigation processes to security analysts ultimately reducing the mean time required to detect and escalate security incidents.
|Commitee:||Luo, Bo, Minden, Gary|
|School:||University of Kansas|
|Department:||Electrical Engineering and Computer Science|
|School Location:||United States -- Kansas|
|Source:||MAI 55/06M(E), Masters Abstracts International|
|Subjects:||Information science, Artificial intelligence, Computer science|
|Keywords:||Cyber forensics, Cyber security, Hackers, Incident response, Kill chain, SIEM|
Copyright in each Dissertation and Thesis is retained by the author. All Rights Reserved
The supplemental file or files you are about to download were provided to ProQuest by the author as part of a
dissertation or thesis. The supplemental files are provided "AS IS" without warranty. ProQuest is not responsible for the
content, format or impact on the supplemental file(s) on our system. in some cases, the file type may be unknown or
may be a .exe file. We recommend caution as you open such files.
Copyright of the original materials contained in the supplemental file is retained by the author and your access to the
supplemental files is subject to the ProQuest Terms and Conditions of use.
Depending on the size of the file(s) you are downloading, the system may take some time to download them. Please be