Threat intelligence as a service

Grant number: 17/15289-7
Support type: Research Grants - Innovative Research in Small Business - PIPE
Duration: July 01, 2018 - March 31, 2019
Field of knowledge: Physical Sciences and Mathematics - Computer Science
Principal Investigator: Eduardo Bernuy Lopes
Grantee: Eduardo Bernuy Lopes
Company: Redbelt-Security Sistemas e Soluções de Segurança Digital Ltda
CNAE: Other information service activities not elsewhere specified
City: São Paulo
Assoc. researchers: Hermes Senger

Abstract

Identifying, treating and preventing attacks and security incidents in computer systems and information has become increasingly important and challenging. The exponential increase in the amount of digital information and electronic services also raises the risk of attacks, damage and destruction of information and services. The attacks may range from financial fraud, sabotage, theft of sensitive information, data corruption, privacy breaches, public exposure of confidential information, unauthorized access to systems, denial of service, cyber stalking, identity theft, viruses and data hijacking (ransomware) to industrial espionage or even national security breaches. The motives behind these actions range from simple curiosity to criminal intent to financial or political gain. By systematically storing and analyzing information, one can retrieve important information that helps answer key questions such as "Who", "What", "How", "Where" and "Why". More than simply storing and retrieving information, it is possible to automate knowledge extraction by employing data mining and machine learning techniques, identifying emerging patterns, correlations, and useful facts that can help identify, mitigate, and prevent security incidents. The goal of this project is to investigate the use of data mining and machine learning algorithms for the development of a new service (Threat Intelligence as a Service - ThIaaS) which aims to help companies and client institutions identify, mitigate and prevent attacks, security incidents and other vulnerabilities much more quickly and efficiently. The underlying research question is whether the collaboration between human intelligence (i.e., security experts), data mining and machine learning methods, and BigData technologies is capable of empowering human work on massive amounts of data on security incidents.
The company has databases that continuously ingest large amounts of both structured data (e.g., security incident records from the RIS system) and unstructured data (coming from the SIEM system), including event logs generated by various middleboxes such as firewalls, proxies, application servers, IPS and antivirus intrusion prevention systems, which can be analyzed to extract information that helps in the mitigation of security incidents. Our objectives include: (i) the development of knowledge discovery methods (from security incident data) which can help security analysts learn continuously from data; (ii) to investigate the use of data mining methods to automate (manual, repetitive, and error-prone) processes which are currently executed manually by security analysts; (iii) to investigate how the knowledge can be transformed to be consumed by a large number of organizations to help them improve cybersecurity by means of a scalable service; (iv) to bring novel techniques and research practice to the enterprise culture. (AU)