[OPD 2019] Advanced Data Analysis in RegSOC
1. OWASP Poland Day
16.10.2019, Wrocław University of Science and Technology
Advanced Data Analysis in RegSOC project
2. Plan
I. Short project introduction
II. Anomaly detection
III. Advanced analysis of text data
4. Project facts
Title: Regional Center for Cybersecurity (RegSOC)
Program: National program CyberSecIdent - Cybersecurity and e-Identity, II Call
Co-financing agency: National Centre for Research and Development
Project duration: 01.03.2018 – 28.02.2021
Consortium:
• Wroclaw University of Science and Technology (WCSS) - The Leader
• National Research Institute NASK
• Łukasiewicz Research Network - Institute of Innovative Technologies EMAG
Supporting entities:
• Gmina Złotoryja (urban, rural)
• Rejonowe Przedsiębiorstwo Komunalne Spółka z o.o. in Złotoryja
• The Municipal Council in Lądek-Zdrój
• Association for the development of the information society „e-South”
• Silesian ICT Cluster
• DSS Operator SA
5. Gap identification
Independent reports indicate a significant number of incidents in the public sphere compared to other branches of the economy.
Directions of changes in cybersecurity at the European, national and sectoral level are being set and implemented (NIS Directive, GDPR, Cybersecurity Strategy for Poland, the National Cybersecurity System).
Source: 2017 Data Breach Investigations Report, Verizon
6. Gap identification
The most common problems related to ensuring information security
Source: Supreme Audit Office Report, 2018
The amount of digital public data is growing (educational, tax, spatial, geodetic, construction, drivers and vehicles, population register, social welfare, ...).
The NIK report (2016-2018) assesses the security of electronic information resources as low in local government units in one of the Polish voivodeships.
There remains a significant gap at the local level in terms of:
• regulations,
• funding,
• available competences.
7. Project goals
The goal of the RegSOC project is to prepare and initiate a prototype instance of the model Regional Center for Cybersecurity (RegSOC) for public entities in Poland, with the ability to extend the cooperation to the private sector.
In cooperation with the national cybersecurity center – CSIRT NASK, the RegSOC centers may constitute an element of the multilevel cybersecurity system of the Republic of Poland.
8. Expected results
• Hardware & software appliance for public entities, able to operate as a standalone autonomous device within the local administration domain, as well as integrated with RegSOC;
• The cybersecurity monitoring platform for the needs of the RegSOC ecosystem. The platform will be a software and organizational solution (management models and organizational procedures);
• The procedural and organizational model of operation of the regional centers in cooperation with the national-level CSIRT NASK, along with the internal software integrating RegSOC with the National Cybersecurity Platform (NPC);
• The model RegSOC instance initiated at the University, with client components deployed at selected entities interested in the project’s results;
• The project final report pointing out the technical and economic possibilities of broad deployment in the Polish cybersecurity ecosystem and markets.
9. RegSOC ecosystem
Diagram (recovered from the slide): exchange of data and information between the regional and central levels.
Regional level (RegSOC): Monitoring platform, Analytical Center; CSIRTs: academic, administration, sectoral / non-public; SOCs: administration, academic, business, other ...
Central level: CSIRT NASK, Information exchange platform (automatic data), National Cybersecurity Platform.
Target groups: local government units, government administration, business (SME), academic entities.
10. Research areas
• Detection of IT system security threats using anomaly detection methods,
• Detection of security breaches based on analysis of text data from additional sources,
• Tracking ongoing and identifying new spam campaigns.
12. Introduction
An anomaly is a behaviour, feature or state of an object that differs markedly from the values observed in the past,
OR
an anomaly is a pattern in the data that does not conform to the expected behaviour.
To make detection possible, each protected system should have a profile of its normal functioning, which describes the possible states of, and relationships between, the elements of the system at a moment when we consider it to be secure.
13. Real-world examples
Network intrusion detection,
Credit card fraud,
Industrial damage detection,
Medical diagnostics,
Video surveillance.
14. Intrusion detection
The growing amount of data transmitted over the network and the emergence of complex attack methods make it difficult to prepare and maintain a database of rules for traditional signature-based intrusion detection systems.
In this context, anomaly detection should be an important part of a comprehensive cybersecurity protection system.
More and more "big players" in the SOC market are introducing anomaly detection units in their centers.
15. Anomaly detection for intrusion detection
Major benefits:
• Detection of attacks for which signatures are difficult to create,
• Detection of unknown attacks,
• Detection of distributed/coordinated attacks.
Major limitations:
• Potential high false positive alarm rate,
• Constantly changing environment -> the normal behaviour profile has to be kept up to date.
16. Key challenges
Normal behaviour keeps evolving,
The difference between an anomaly and normal behaviour is difficult to define,
Availability of labeled data,
Anomalies in different application domains cannot be described in the same way.
19. RegSOC approach
Algorithms selected for testing in the first stage of research on the anomaly detection module:
• ABOD, an algorithm analyzing the density of occurrences;
• kNN, a clustering algorithm;
• OCSVM, a method using a support vector machine to define a model of normal network traffic;
• Multi-layer neural network.
20. Recent progress
The ABOD, kNN and OCSVM algorithms have been tested on datasets containing data from the TCP/IP and NetFlow protocols:
• High attack detection rate,
• Low response time -> large amounts of data can be analyzed once the model has been learned,
• Still a relatively large number of false alarms.
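As an added illustration of the "profile of normal functioning" from the introduction and of the kNN approach tested on NetFlow data above, the following code is not RegSOC project code: it scores constructed NetFlow-like records by their mean distance to the k nearest flows in a normal-traffic profile and sets the alarm threshold from the profile's own leave-one-out scores. The feature set (duration, packets, bytes, distinct destination ports), the flow generator and the scan-like test flow are assumptions made for the example; only the standard library is used.

```python
"""Added example (not RegSOC project code): k-nearest-neighbour anomaly
scoring of NetFlow-like records against a profile of normal traffic.
Standard library only; all flow data below is constructed."""
import math
import random
from statistics import mean, pstdev

K = 5                        # neighbours averaged into the score
THRESHOLD_PERCENTILE = 0.99  # share of profile scores that must fall below the alarm threshold

# Feature order of every flow tuple (hypothetical feature set):
# (duration_s, packets, bytes, distinct_dst_ports)

def make_normal_profile(n=400, seed=7):
    """Constructed 'normal functioning' profile: short office-style flows."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        packets = rng.randint(8, 120)
        flows.append((
            round(rng.uniform(0.2, 30.0), 3),   # duration in seconds
            packets,
            packets * rng.randint(60, 900),     # bytes roughly proportional to packets
            rng.randint(1, 3),                  # a normal flow touches very few ports
        ))
    return flows

def fit_scaler(flows):
    """Per-feature mean/std from the profile; std floored to avoid division by zero."""
    return [(mean(col), max(pstdev(col), 1e-9)) for col in zip(*flows)]

def scale(flow, scaler):
    """z-score each feature so the byte count does not dominate the Euclidean distance."""
    return [(x - m) / s for x, (m, s) in zip(flow, scaler)]

def knn_score(point, profile_scaled, k=K, skip_self=False):
    """Mean distance to the k nearest profile points; higher means more anomalous."""
    dists = sorted(math.dist(point, p) for p in profile_scaled)
    if skip_self:             # scoring a profile member: drop its zero distance to itself
        dists = dists[1:]
    return mean(dists[:k])

def train(profile_flows):
    """Learn scaler, scaled profile and a threshold from the profile's leave-one-out scores."""
    scaler = fit_scaler(profile_flows)
    profile_scaled = [scale(f, scaler) for f in profile_flows]
    loo_scores = sorted(knn_score(p, profile_scaled, skip_self=True) for p in profile_scaled)
    idx = min(int(THRESHOLD_PERCENTILE * len(loo_scores)), len(loo_scores) - 1)
    return {"scaler": scaler, "profile": profile_scaled, "threshold": loo_scores[idx]}

def is_anomalous(flow, model):
    """Return (flagged, score) for one new flow."""
    score = knn_score(scale(flow, model["scaler"]), model["profile"])
    return score > model["threshold"], score

def false_alarm_rate(model, flows):
    """Share of flows flagged; on fresh normal traffic this estimates the false-positive rate."""
    return sum(is_anomalous(f, model)[0] for f in flows) / len(flows)

def demo():
    model = train(make_normal_profile())
    # Constructed scan-like flow: short, many packets, hundreds of distinct destination ports.
    scan_flagged, scan_score = is_anomalous((2.0, 600, 36000, 600), model)
    fresh_normal = make_normal_profile(n=200, seed=99)
    return {
        "threshold": model["threshold"],
        "scan_flagged": scan_flagged,
        "scan_score": scan_score,
        "false_alarm_rate": false_alarm_rate(model, fresh_normal),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold percentile is the knob behind the last bullet: with the 99th percentile of profile scores, roughly one in a hundred normal flows is expected to raise an alarm even when nothing changes, and any drift in the normal profile pushes that rate up, which is why the profile has to be re-learned periodically.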
21. III. Advanced analysis of text data
Speaker: Piotr Stróż
26. Facebook – public groups
Occurring content:
• Requests for cracking social media accounts (Facebook, Gmail) or a device password (smartphone, laptop, server, Wi-Fi router).
• Invitations to hacking courses – links to Facebook or external events.
• References to YouTube materials describing discovered loopholes, tutorials, video courses.
• Questions on how to improve the security of a server, service, etc.
30. Abuse emails
A channel for reporting abusive traffic that originates from our organization:
• Spam,
• Malicious requests from servers,
• Illegal file sharing.
Anyone can report an incident.
Extracted fields:
• IP,
• Type of attack,
• Date,
• Additional info, e.g. attacked IP.
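The extraction step described above, as an added example that is not RegSOC project code: three constructed abuse-report e-mails (one X-ARF-style key/value block and two free-text notices, using RFC 5737 documentation addresses) are turned into records holding the reporting party, the source IP, the type of attack, the date and, where given, the attacked IP. The "our network" prefix, the keyword lists per category and the date formats are assumptions of the example; because anyone can send such a report, a message that names no address of ours is rejected as not actionable.

```python
"""Added example (not RegSOC project code): turning abuse-report e-mails into
structured incident records (source IP, type, date, attacked IP).
Messages, addresses and the 'our network' prefix are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Assumption: the address space we are responsible for (RFC 5737 documentation range).
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample reports: one X-ARF-like key/value block, two free-text notices.
SAMPLE_REPORTS = [
    "From: abuse-desk@example.net\n"
    "Subject: [Abuse] Brute-force login attempts from 203.0.113.45\n\n"
    "Source-IP: 203.0.113.45\n"
    "Report-Type: login-attack\n"
    "Date: 2019-10-15T07:42:11Z\n"
    "Attacked-IP: 198.51.100.9\n"
    "Attachment: auth.log excerpt (omitted here)\n",
    "From: postmaster@example.org\n"
    "Subject: Unsolicited bulk mail\n\n"
    "We received spam on 14 Oct 2019 08:15 +0000 originating from the host\n"
    "203.0.113.200, which appears to belong to your network. Please investigate.\n",
    "From: copyright@example.com\n"
    "Subject: Notice of infringement\n\n"
    "Our monitoring observed illegal file sharing by 203.0.113.77 towards 192.0.2.10\n"
    "on 2019-10-13 22:05:00 +0000 (BitTorrent).\n",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEADER = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<val>.+?)\s*$", re.M)
DATE_PATTERNS = [  # (regex that finds the date text, strptime format that parses it)
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{4})"), "%Y-%m-%dT%H:%M:%S%z"),
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}"), "%Y-%m-%d %H:%M:%S %z"),
    (re.compile(r"\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2} [+-]\d{4}"), "%d %b %Y %H:%M %z"),
]
# Keyword lists per report category (assumed for the example); first match wins.
TYPE_KEYWORDS = {
    "spam": ("spam", "unsolicited bulk"),
    "malicious requests": ("login-attack", "brute-force", "malicious request", "port scan"),
    "illegal file sharing": ("file sharing", "infringement", "bittorrent"),
}

@dataclass
class AbuseRecord:
    reporter: str
    source_ip: str
    attack_type: str
    date: Optional[datetime]
    attacked_ip: Optional[str]

def classify(text: str) -> str:
    low = text.lower()
    for category, words in TYPE_KEYWORDS.items():
        if any(w in low for w in words):
            return category
    return "unknown"

def parse_date(text: str) -> Optional[datetime]:
    """First recognisable timestamp, normalised to UTC; None if nothing parses."""
    for pattern, fmt in DATE_PATTERNS:
        match = pattern.search(text)
        if match:
            try:
                return datetime.strptime(match.group(0), fmt).astimezone(timezone.utc)
            except ValueError:
                continue
    return None

def is_ours(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in OUR_NETWORKS)

def parse_report(text: str) -> Optional[AbuseRecord]:
    """Extract one record; None when no address of ours is named (not actionable)."""
    fields = {m.group("key").lower(): m.group("val") for m in HEADER.finditer(text)}
    ips = list(dict.fromkeys(IPV4.findall(text)))          # unique, in order of appearance
    ours = [ip for ip in ips if is_ours(ip)]
    others = [ip for ip in ips if not is_ours(ip)]
    source = fields.get("source-ip") or (ours[0] if ours else None)
    if source is None or not is_ours(source):
        return None
    return AbuseRecord(
        reporter=fields.get("from", "unknown"),
        source_ip=source,
        attack_type=classify(text),
        date=parse_date(text),
        attacked_ip=fields.get("attacked-ip") or (others[0] if others else None),
    )

def parse_all(reports: List[str]) -> List[AbuseRecord]:
    return [r for r in (parse_report(t) for t in reports) if r is not None]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_REPORTS):
        print(rec)
```

Keyword classification is deliberately simple; the point of the block is the field extraction and the ownership check on the reported address, which keeps a report about somebody else's host from opening an incident against our own infrastructure.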