This document presents a framework for security mechanisms when monitoring adaptive distributed systems. It discusses investigating existing monitoring tools to understand their security impacts. It proposes implementing a secure communication channel using RSA encryption when collecting sensitive monitoring data. It also discusses developing a customized monitoring tool that assigns security metrics to parameters and encrypts parameters deemed high-risk based on their security metric values, to balance monitoring with security. The goal is to minimize security risks from monitoring while still enabling systems to adapt based on collected data.
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
This document discusses improving the security of a health care information system. It begins by describing vulnerabilities in software applications and how connected systems can be exploited. The document then proposes a 3-tier architecture with encryption and file replication to strengthen security. Database backups and regular vulnerability checks are also recommended to defend the system from attacks and allow recovery of data. The goal is to develop a secure electronic health records system that protects sensitive patient information.
Applicability of Network Logs for Securing Computer Systems (IDES Editor)
Logging the events occurring on the network has become essential and plays a major role in monitoring those events in order to keep them in check, so that they do not harm any resources of the system or the system itself. The analysis of network logs is becoming a beneficial, security-oriented research field that will be in demand in the computer era. Organizations are reluctant to expose their logs because of the risk of attackers stealing sensitive information from them. In this paper we define an architecture and the security measures that can be applied to a particular network log.
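The two concerns raised above (monitoring data that is itself sensitive, from the first abstract on this page, and logs that organizations will not share because of what they leak, from this one) meet in one mechanism: score each logged field, and protect the high-risk ones before the data leaves the producer. The block below is an added example and is not code from either paper. It uses a keyed HMAC pseudonym instead of the RSA encryption the first abstract proposes, because a deterministic pseudonym keeps events correlatable for an analyst while still hiding the raw value. The field names, the sensitivity scores, the 0.8 threshold and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample lines in key=value style (not taken from either paper).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z fw01 action=allow src=10.1.2.3 dst=93.184.216.34 dport=443 user=alice",
    "2024-03-01T10:00:02Z fw01 action=deny src=10.1.2.7 dst=10.0.0.5 dport=22 user=bob",
    "2024-03-01T10:00:03Z fw01 action=allow src=10.1.2.3 dst=93.184.216.34 dport=443 user=alice",
]

# Assumed per-field security metric (0 = public, 1 = highly sensitive). Fields at or
# above THRESHOLD are protected before the log leaves the organization; fields the
# table does not know are treated as sensitive (fail closed).
SENSITIVITY = {"action": 0.0, "dport": 0.1, "dst": 0.4, "src": 0.9, "user": 0.95}
THRESHOLD = 0.8

KV_RE = re.compile(r"\b(\w+)=(\S+)")


def pseudonymize(value, key):
    """Keyed, deterministic pseudonym: equal inputs map to equal tokens, so an analyst
    can still correlate events, but recovering the input requires the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_line(line, key, threshold=THRESHOLD):
    """Replace every key=value field whose score reaches `threshold` with a pseudonym."""
    def protect(m):
        field, value = m.group(1), m.group(2)
        if SENSITIVITY.get(field, 1.0) >= threshold:
            return f"{field}={pseudonymize(value, key)}"
        return m.group(0)
    return KV_RE.sub(protect, line)


def sanitize_logs(lines, key, threshold=THRESHOLD):
    return [sanitize_line(line, key, threshold) for line in lines]


def field_value(line, name):
    """Fetch one key=value field from a line (None if absent)."""
    m = re.search(rf"\b{re.escape(name)}=(\S+)", line)
    return m.group(1) if m else None


if __name__ == "__main__":
    export_key = b"rotate-me-per-export"  # assumed; never ship it with the exported data
    for out in sanitize_logs(SAMPLE_LOGS, export_key):
        print(out)
```

Two caveats a practitioner would apply: the key must be managed separately from the exported logs (a fresh key per export destination prevents cross-dataset linking), and low-cardinality fields such as usernames remain guessable by an attacker who can query the pseudonymizer, which is why the key, not the hash, carries the secrecy.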
The document discusses implementing a real-time security monitoring and management system using open-source tools. It describes how intrusion detection systems (IDS) can detect attacks by closely monitoring network and system activities. The document then discusses how open-source tools like Snort can be used to build an IDS, providing real-time monitoring to detect intrusions and security violations. It analyzes some advantages and limitations of Snort compared to other open-source IDS tools. Specifically, Snort provides tested signatures and is portable but may face information overload from large rule databases.
Vulnerabilities detection using attack recognition technique in multi-factor ... (TELKOMNIKA JOURNAL)
Authentication is one of the essential components of information security. It has become one of the most basic security requirements for network communication. Today, there is a need for a strong level of authentication to guarantee that a significant level of security is delivered to the application. As such, it raises challenging issues of security and efficiency. Security issues such as privacy and data integrity emerge because of the absence of control and authority. In addition, the bigger issue for multi-factor authentication is the high execution time that leads to overall performance degradation. Most existing studies of multi-factor authentication schemes do not detect weaknesses based on user behavior. Most recent research does not look at the efficiency of the system, focusing only on improving the security aspect of authentication. Hence, this research proposes a new multi-factor authentication scheme that can withstand attacks, is based on user behavior, and maintains optimum efficiency. Experiments have been conducted to evaluate this scheme. The results show that the processing time of the proposed scheme is lower than that of other schemes. This is particularly important after additional security features have been added to the scheme.
The document proposes an agent-based architecture for multi-level security incident reaction in distributed telecommunication networks. The architecture has three levels: a low level interface with the infrastructure, an intermediate level using multi-agent systems to correlate alerts and deploy reactions across domains, and a high level for global supervision and policy management. The architecture was designed based on requirements like scalability, availability, autonomy, and robust reaction and alert management across distributed systems. It was successfully tested for implementing data access control policies.
CYBERSECURITY INFRASTRUCTURE AND SECURITY AUTOMATION (acijjournal)
AI-based security systems utilize big data and powerful machine learning algorithms to automate the security management task. The case study methodology is used to examine the effectiveness of AI-enabled security solutions. The result shows that compared with the signature-based system, AI-supported security applications are efficient, accurate, and reliable. This is because the systems are capable of reviewing and correlating large volumes of data to facilitate the detection and response to threats.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT (IJMIT JOURNAL)
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
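The customized rule for authentication attempts described above is, at its core, a threshold rule: N events of one kind from one source within T seconds. In Snort that is the track-by-source, count and seconds semantics of a detection_filter; in the Wazuh/Splunk half of the setup the same logic runs as a correlation rule over host logs. The block below is an added example, not code from the paper, and shows that logic as a SIEM-style rule over sshd log lines, plus the companion pattern a brute-force rule alone misses (a success following several failures from the same source). The log lines are constructed, and the thresholds (5 failures in 60 seconds, 3 failures before a success) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log lines (not taken from the paper): five failures from
# 203.0.113.9 inside 30 s and a sixth one later; one failure and one success from 198.51.100.4.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01Z host1 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
2024-03-01T10:00:05Z host1 sshd[102]: Failed password for root from 203.0.113.9 port 51001 ssh2
2024-03-01T10:00:09Z host1 sshd[103]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-03-01T10:00:12Z host1 sshd[104]: Failed password for invalid user test from 203.0.113.9 port 51003 ssh2
2024-03-01T10:00:20Z host1 sshd[105]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-03-01T10:00:30Z host1 sshd[106]: Failed password for root from 203.0.113.9 port 51004 ssh2
2024-03-01T10:00:44Z host1 sshd[107]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:02:10Z host1 sshd[108]: Failed password for root from 203.0.113.9 port 51005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines the rule does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


class FailedLoginRule:
    """Sliding-window rule: alert when `count` failed logins from one source fall within
    `seconds` (the track-by-source / count / seconds semantics of a Snort detection_filter,
    applied to host log events). Also alert when a success follows `success_after` or
    more failures from the same source, whatever the window."""

    def __init__(self, count=5, seconds=60, success_after=3):
        self.count, self.seconds, self.success_after = count, seconds, success_after
        self.window = defaultdict(deque)  # src -> timestamps of recent failures

    def _alert(self, name, ev, q):
        return {"rule": name, "src": ev["src"], "count": len(q),
                "first_seen": q[0].isoformat(), "last_seen": ev["ts"].isoformat()}

    def feed(self, ev):
        if ev is None:
            return None
        q = self.window[ev["src"]]
        if ev["result"] == "Accepted":
            alert = self._alert("ssh_success_after_failures", ev, q) if len(q) >= self.success_after else None
            q.clear()
            return alert
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > self.seconds:  # expire old failures
            q.popleft()
        if len(q) < self.count:
            return None
        alert = self._alert("ssh_bruteforce", ev, q)
        q.clear()  # require `count` fresh failures before alerting on this source again
        return alert


def run_rule(log_text, count=5, seconds=60, success_after=3):
    rule = FailedLoginRule(count, seconds, success_after)
    alerts = []
    for line in log_text.splitlines():
        alert = rule.feed(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rule(SAMPLE_AUTH_LOG):
        print(a)
```

Clearing the window after an alert is a deliberate choice: it gives one alert per burst instead of one per packet once the count is reached, which is the information-overload problem the Snort summary above mentions. The cost is that the success-after-failures check only sees failures since the last alert; a deployment that wants both counts keeps two windows.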
WIRELESS SECURITY MEASUREMENT USING DATA VALUE INDEX (IJNSA Journal)
Nowadays, the use of wireless technology in organizations is routine, and the technology has spread into almost every area. Organizations employing wireless technology need to apply the appropriate security level, depending on the security policy already defined. Applying a security control that is not required, or failing to provide one that is required, leads to an improper security system. In this paper we show a way to evaluate the significance of data and its appropriate security level. A model evaluates the cost of data from a security point of view by considering parameters such as sensitivity, volume, lifetime and frequency; it lets organizations predict, implement and understand the cost involved in securing their data by measuring the data value. We used questionnaire and survey methodologies to collect the data, then used SPSS and SAS to calculate and design the model; regression and bootstrap methods helped us obtain accurate results.
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
Navigating the complex Risk Management Framework (RMF) requirements can be daunting. Learn best practices and gain a better understanding of NIST's RMF.
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMS (IJNSA Journal)
Nowadays, corporations and government agencies rely on computer-based information systems to manage their information. This information may be classified, so it would be dangerous if it were disclosed to unauthorized persons. Therefore, there is an urgent need for defense. In this research, defense has been categorized into four mechanisms, technical, operational, management and physical defense, based on the logic of computer and network security. Each mechanism has been investigated and explained in terms of computer-based information systems.
An Effective Cybersecurity Awareness Training Model: First Defense of an Orga... (IRJET Journal)
This document discusses the importance of cybersecurity awareness training for organizations and proposes an effective training model. It analyzes how artificial intelligence (AI) can enhance security awareness programs. Specifically, it examines the Technology Acceptance Model (TAM) and how AI-enabled tools like the viCyber system can help design training based on the National Initiative for Cybersecurity Education (NICE) framework. The study concludes that regular, comprehensive security awareness training is critical to address the human factors that can weaken an organization's cyber defenses. AI tools show promise in developing trainings but require further evaluation of their usability and reliability.
This document proposes a multi-agent architecture for incident reaction in information system security. The architecture has three layers - low level interacts directly with the infrastructure, intermediate level correlates alerts and deploys reaction actions using multi-agent systems, and high level provides supervision and manages business policies. The architecture was tested for data access control and aims to quickly and efficiently react to attacks while ensuring policy compliance. The document discusses requirements like scalability, autonomy, and global supervision. It also describes the key components of alert management, reaction decision making, and policy definition/deployment to implement the architecture using a multi-agent approach.
Multi agents based architecture for IS security incident reaction (christophefeltus)
This document proposes a multi-agent architecture for responding to security incidents in information systems. The architecture has three layers: a low level that interfaces with the targeted infrastructure, an intermediate level that correlates alerts and deploys response actions using multi-agent systems, and a high level that provides supervision and manages business policies. The architecture was designed based on requirements like scalability, availability, autonomy, and global supervision. It aims to quickly and efficiently respond to attacks while ensuring responses do not violate business policies. The document then discusses using a multi-agent system with JADE to represent nodes in the architecture and facilitate communication and coordination between components for selecting and deploying response policies.
chapter 3 ethics: computer and internet crime (muhammad awais)
This document discusses security risk assessment for a group project. It lists the group members and outlines the 8 steps to perform a security risk assessment. These include identifying assets, threats, likelihood and impacts of threats, and mitigation options. It emphasizes the importance of a complete inventory and using qualified experts. The document also covers defining security policies, prevention methods like firewalls and antivirus software, detection using IDS, and response including documentation, containment and follow up reviews.
Include at least 250 words in your posting and at least 250 words in ... (maribethy2y)
Include at least 250 words in your posting and at least 250 words in your reply. Indicate at least one source or reference in your original post. Please see syllabus for details on submission requirements.
Module 1 Discussion Question
Search "scholar.google.com" for a company, school, or person that has been the target of a network or system intrusion. What information was targeted? Was the attack successful? If so, what changes were made to ensure that this vulnerability was controlled? If not, what mechanisms were in place to protect against the intrusion?
Reply-1 (Shravan)
Introduction:
Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. This guidance document is intended as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, how to manage the output of intrusion detection systems, and how to integrate intrusion detection functions with the rest of the organizational security infrastructure. References to other information sources are also provided for the reader who requires specialized or more detailed advice on specific intrusion detection issues.
In the last few years there has been an increasing interest in the security of process control and SCADA systems. Furthermore, recent computer attacks, for example the Stuxnet worm, have shown there are parties with the motivation and resources to effectively attack control systems.
While previous work has proposed new security mechanisms for control systems, few of them have explored new and fundamentally different research problems for securing control systems when compared to securing traditional information technology (IT) systems. In particular, the sophistication of new malware attacking control systems (malware including zero-day attacks, rootkits created for control systems, and software signed by trusted certificate authorities) has shown that it is very difficult to prevent and detect these attacks based on IT system information.
In this paper we show how, by incorporating knowledge of the physical system under control, we can detect computer attacks that change the behavior of the targeted control system. By using knowledge of the physical system we can focus on the final objective of the attack, and not on the particular mechanisms of how vulnerabilities are exploited, and how ...
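The reply above closes on the idea of detecting attacks from their effect on the physical process rather than from IT-layer artefacts. The following block is an added example, not code from the reply or from the paper it paraphrases. It simulates an assumed first-order tank under proportional control, lets an attacker add a constant bias to the sensor value the controller receives, and runs a non-parametric CUSUM on the residual between the reported measurement and what the physical model predicts. The plant constants, the attack bias, and the CUSUM drift and threshold are all assumptions chosen so the example is deterministic.

```python
import math

# Assumed plant (constructed for this example): a discrete first-order tank,
# level[k+1] = A*level[k] + B*inflow[k] + w[k], with a small bounded disturbance w.
A, B = 0.9, 0.5
SETPOINT = 10.0


def plant_step(level, inflow, disturbance):
    return A * level + B * inflow + disturbance


def controller(reported_level):
    """Proportional controller; it only ever sees the *reported* measurement."""
    return max(0.0, 1.2 * (SETPOINT - reported_level))


class CusumDetector:
    """Non-parametric CUSUM on the model residual |y_obs - y_pred|: the statistic S
    accumulates residual above `drift` and an alarm fires once S exceeds `threshold`.
    `drift` absorbs normal disturbance so S stays at zero during honest operation."""

    def __init__(self, drift=0.3, threshold=1.0):
        self.drift, self.threshold, self.S = drift, threshold, 0.0

    def update(self, y_obs, y_pred):
        self.S = max(0.0, self.S + abs(y_obs - y_pred) - self.drift)
        return self.S > self.threshold


def simulate(steps=60, attack_start=30, bias=2.0):
    """Run the control loop. From `attack_start` on, the attacker adds `bias` to the
    sensor value delivered to the controller (a sensor-integrity attack that pushes the
    real level away from the setpoint). Returns the steps at which the detector alarmed."""
    det = CusumDetector()
    level, y_prev, u_prev = 0.0, 0.0, 0.0
    alarms = []
    for k in range(steps):
        w = 0.05 * math.sin(k)                        # deterministic bounded disturbance
        level = plant_step(level, u_prev, w)          # what physically happened
        attacking = attack_start is not None and k >= attack_start
        y = level + (bias if attacking else 0.0)      # what the controller is told
        y_pred = A * y_prev + B * u_prev              # what the physical model expects
        if det.update(y, y_pred):
            alarms.append(k)
        u_prev = controller(y)
        y_prev = y
    return alarms


if __name__ == "__main__":
    print("honest run alarms:", simulate(attack_start=None))
    print("attacked run alarms:", simulate())
```

The detector never looks at how the sensor value was tampered with (rootkit, spoofed packet, signed malware), only at whether the reported trajectory is physically consistent with the commands that were sent. The known limitation is the stealthy attacker who keeps every residual below `drift`; the damage such an attacker can do per step is then bounded by the same constant, which is the trade-off the drift parameter sets.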
Exploring network security threats through text mining techniques: a comprehe... (CSITiaesprime)
In response to the escalating cybersecurity threats, this research focuses on leveraging text mining techniques to analyze network security data effectively. The study utilizes user-generated reports detailing attacks on server networks. Employing clustering algorithms, these reports are grouped based on threat levels. Additionally, a classification algorithm discerns whether network activities pose security risks. The research achieves a noteworthy 93% accuracy in text classification, showcasing the efficacy of these techniques. The novelty lies in classifying security threat report logs according to their threat levels. Prioritizing high-risk threats, this approach aids network management in strategic focus. By enabling swift identification and categorization of network security threats, this research equips organizations to take prompt, targeted actions, enhancing overall network security.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ... (CSCJournals)
Most of the Jordanian universities' inquiry systems, i.e. educational, financial, administrative, and research systems, are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs, and each area has its own set of security issues and risks. This paper presents a comparative study of the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities' online services. The analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to severe types of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
IOSR Journal of Electronics and Communication Engineering(IOSR-JECE) is an open access international journal that provides rapid publication (within a month) of articles in all areas of electronics and communication engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in electronics and communication engineering. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document discusses fundamentals of information security. It begins by defining information security and outlining general goals of confidentiality, integrity, and availability. It then discusses developing a security policy as the first step, followed by a security standards document. Various tools for implementing information security are described, including firewalls, intrusion detection systems, encryption, and virtual private networks. The goals of information security strategies are prevention, detection, and recovery. A culture of security is important for all levels of an organization. In conclusion, information security requires an ongoing, complex process involving policy, standards, education, and technology to be implemented successfully.
This research was conducted to find out the level of information security in an organization and to give recommendations for improving its information security management. It uses ISO 27002, involving every clause in the ISO 27002 checklist. Based on the analysis, 13 control objectives and 43 security controls were spread across 3 clauses of ISO 27002. It was concluded that the maturity level of information system security governance was 2.51, meaning that security is still at level 2 (planned and tracked actively) but is approaching level 3 (well defined).
HCL Notes and Domino license cost reduction in the world of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, e.g. using a Person document instead of a Mail-In database for shared mailboxes. We show you such cases and their solutions. And of course we explain the new license model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep an overview. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
Topics covered:
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, e.g. team mailboxes, functional/test users, etc.
- Practical examples and best practices to put into use immediately
Similar to IMPLEMENTATION_OF_SECURITY_INFORMATION_EVENT_MANAG.pdf
Multi agents based architecture for is security incident reactionchristophefeltus
This document proposes a multi-agent architecture for responding to security incidents in information systems. The architecture has three layers: a low level that interfaces with the targeted infrastructure, an intermediate level that correlates alerts and deploys response actions using multi-agent systems, and a high level that provides supervision and manages business policies. The architecture was designed based on requirements like scalability, availability, autonomy, and global supervision. It aims to quickly and efficiently respond to attacks while ensuring responses do not violate business policies. The document then discusses using a multi-agent system with JADE to represent nodes in the architecture and facilitate communication and coordination between components for selecting and deploying response policies.
chapter 3 ethics: computer and internet crimemuhammad awais
This document discusses security risk assessment for a group project. It lists the group members and outlines the 8 steps to perform a security risk assessment. These include identifying assets, threats, likelihood and impacts of threats, and mitigation options. It emphasizes the importance of a complete inventory and using qualified experts. The document also covers defining security policies, prevention methods like firewalls and antivirus software, detection using IDS, and response including documentation, containment and follow up reviews.
Include at least 250 words in your posting and at least 250 words inmaribethy2y
Include at least 250 words in your posting and at least 250 words in your reply. Indicate at least one source or reference in your original post. Please see syllabus for details on submission requirements.
Module 1 Discussion Question
Search "scholar.google.com" for a company, school, or person that has been the target of a network
or system intrusion? What information was targeted? Was the attack successful? If so, what changes
were made to ensure that this vulnerability was controlled? If not, what mechanisms were in-place to protect against the intrusion.
Reply-1(Shravan)
Introduction:
Interruption location frameworks (IDSs) are programming or equipment frameworks that robotize the way toward observing the occasions happening in a PC framework or system, examining them for indications of security issues. As system assaults have expanded in number and seriousness in the course of recent years, interruption recognition frameworks have turned into an essential expansion to the security foundation of generally associations. This direction archive is planned as a preliminary in interruption recognition, created for the individuals who need to comprehend what security objectives interruption location components serve, how to choose and design interruption discovery frameworks for their particular framework and system situations, how to deal with the yield of interruption identification frameworks, and how to incorporate interruption recognition capacities with whatever remains of the authoritative security foundation. References to other data sources are likewise accommodated the peruse who requires particular or more point by point guidance on particular interruption identification issues.
In the most recent years there has been an expanding enthusiasm for the security of process control and SCADA frameworks. Moreover, ongoing PC assaults, for example, the Stunt worm, host appeared there are gatherings with the inspiration and assets to viably assault control frameworks.
While past work has proposed new security components for control frameworks, few of them have investigated new and in a general sense distinctive research issues for anchoring control frameworks when contrasted with anchoring conventional data innovation (IT) frameworks. Specifically, the complexity of new malware assaulting control frameworks - malware including zero-days assaults, rootkits made for control frameworks, and programming marked by confided in declaration specialists - has demonstrated that it is exceptionally hard to avert and identify these assaults dependent on IT framework data.
In this paper we demonstrate how, by joining information of the physical framework under control, we can distinguish PC assaults that change the conduct of the focused on control framework. By utilizing information of the physical framework we can center around the last goal of the assault, and not on the specific instruments of how vulnerabilities are misused, and how ...
Exploring network security threats through text mining techniques: a comprehe...CSITiaesprime
In response to the escalating cybersecurity threats, this research focuses on leveraging text mining techniques to analyze network security data effectively. The study utilizes user-generated reports detailing attacks on server networks. Employing clustering algorithms, these reports are grouped based on threat levels. Additionally, a classification algorithm discerns whether network activities pose security risks. The research achieves a noteworthy 93% accuracy in text classification, showcasing the efficacy of these techniques. The novelty lies in classifying security threat report logs according to their threat levels. Prioritizing high-risk threats, this approach aids network management in strategic focus. By enabling swift identification and categorization of network security threats, this research equips organizations to take prompt, targeted actions, enhancing overall network security.
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMSIJNSA Journal
Nowadays, corporations and a government agencies relay on computer-based information system to
manage their information, this information may be classified, so it will be dangerous if it is disclosed by
unauthorized persons. Therefore, there is urgent need for defense. In this research, defense has been
categorized into four mechanisms technical defense, operation defense, management defense, and physical
defense based on the logic of computer and network security. Also, each mechanism has been investigated
and explained in the term of computer based information systems.
An Empirical Study on the Security Measurements of Websites of Jordanian Publ...CSCJournals
Most of the Jordanian universities’ inquiries systems, i.e. educational, financial, administrative, and research systems are accessible through their campus networks. As such, they are vulnerable to security breaches that may compromise confidential information and expose the universities to losses and other risks. At Jordanian universities, security is critical to the physical network, computer operating systems, and application programs and each area has its own set of security issues and risks. This paper presents a comparative study on the security systems at the Jordanian universities from the viewpoint of prevention and intrusion detection. Robustness testing techniques are used to assess the security and robustness of the universities’ online services. In this paper, the analysis concentrates on the distribution of vulnerability categories and identifies the mistakes that lead to a severe type of vulnerability. The distribution of vulnerabilities can be used to avoid security flaws and mistakes.
IOSR Journal of Electronics and Communication Engineering(IOSR-JECE) is an open access international journal that provides rapid publication (within a month) of articles in all areas of electronics and communication engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in electronics and communication engineering. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
This document discusses fundamentals of information security. It begins by defining information security and outlining general goals of confidentiality, integrity, and availability. It then discusses developing a security policy as the first step, followed by a security standards document. Various tools for implementing information security are described, including firewalls, intrusion detection systems, encryption, and virtual private networks. The goals of information security strategies are prevention, detection, and recovery. A culture of security is important for all levels of an organization. In conclusion, information security requires an ongoing, complex process involving policy, standards, education, and technology to be implemented successfully.
this research was conducted to find out the level of
information security in organization to give recommendations
improvements in information security management at the
organization. This research uses the ISO 27002 by involving the
entire clause that exists in ISO 27002 check-lists. Based on the
analysis results, 13 objective controls and 43 security controls
were scattered in 3 clauses of ISO 27002. From the analysis it
was concluded that the maturity level of information system
security governance was 2.51, which means the level of security
is still at level 2 planned and tracked is planned and tracked
actively) but is approaching level 3 well defined.
Similar to IMPLEMENTATION_OF_SECURITY_INFORMATION_EVENT_MANAG.pdf (20)
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3Data Hops
Free A4 downloadable and printable Cyber Security, Social Engineering Safety and security Training Posters . Promote security awareness in the home or workplace. Lock them Out From training providers datahops.com
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Volume 4 Number 1 January-June 2024 PP 1-7 INTELMATICS ISSN 2775-8850 (Online)
*Corresponding author https://doi.org/10.25105/itm.v4i1.18529
E-mail address: farhan065001900038@std.trisakti.ac.id
Abstract— In an era of widespread information system usage across various sectors, digital threats to organizations have become increasingly significant. These threats have the potential to disrupt operations and result in substantial financial losses. One enduring threat is brute force attacks, which exploit the human tendency to use easily remembered passwords. Using the Security Lifecycle methodology, this research aims to identify an efficient and cost-effective solution that enhances information system security and continuously evaluates the implemented solution rather than stopping right after the policy or solution is implemented. The study proposes the use of the open-source Security Information and Event Management (SIEM) platform Wazuh. Combined with its Active Response feature, the platform not only detects security threats but also automatically takes mitigating actions against detected attacks. Integration with the Telegram messaging application further streamlines SIEM monitoring, making it more practical and efficient. After implementation, the testing phase confirms the effectiveness of the solution: the Wazuh SIEM detected 100% of the brute force test scenarios in multi-protocol attacks, with an average of 80,51 seconds required to detect brute force attacks with a 1-second interval between attempts, 172,18 seconds for a 10-second attack interval, and 434,58 seconds for a 30-second attack interval. The active response mitigated 100% of the detected brute force attacks, with only 0,51 seconds between detection and the mitigation action. The implemented Telegram integration successfully delivered all notifications on time to the Telegram chat using the Telegram API.
Keywords: Information System, Cyber Attack, Security Information & Event Management, Wazuh, Brute Force, Active Response, Telegram API
I. INTRODUCTION
The use of information technology in businesses and organizations initially raised doubts about its impact on organizational productivity. Nicholas Carr's 2003 article, "IT Doesn't Matter," challenged the view that information technology remained a differentiator, arguing instead that it had become a commodity owned by many organizations [1]. In 2008, Erik Brynjolfsson and Andrew McAfee's study, "Investing in the IT That Makes a Competitive Difference," found that technology sharpens distinctions between companies and highlighted the need for effective management and collaboration for successful technology implementation [2].
Over time, information technology gained widespread use
across various business sectors and non-business organizations,
transforming daily life through gadgets, IoT adoption, Wi-Fi 6
technology, Enterprise Resource Planning systems, and
Learning Management Systems. Yet, this extensive use of
information technology correlates with a significant increase in
cyberattacks, with brute force and password guessing attacks
being a primary concern from 2021 to 2023.
The integration of the Wazuh SIEM solution, use of
Active Response features, and integration with Telegram are
expected to contribute to the field of information security by
providing new insights into possible solution combinations that
can be implemented within organizations at affordable costs.
This research will also address the effectiveness of the
implemented system, thereby complementing data regarding
various approaches that can be adopted to anticipate brute force
attack incidents.
II. LITERATURE REVIEW
Before commencing this study, a substantial body of existing
research was identified, closely aligned with the current case.
This existing research serves as a vital point of reference for the
present study. The first study, titled 'Active Response Using
Host-Based Intrusion Detection System and Software-Defined
Networking'[4], implements the Open-Source Security
(OSSEC) with Floodlight as the SDN Controller, utilizing the
AHNSR design to evaluate system resource performance
IMPLEMENTATION OF SECURITY INFORMATION & EVENT MANAGEMENT (SIEM) WAZUH WITH ACTIVE RESPONSE AND TELEGRAM NOTIFICATION FOR MITIGATING BRUTE FORCE ATTACKS ON THE GT-I2TI USAKTI INFORMATION SYSTEM
Farhan Ibnu Farrel (1*), Is Mardianto (2), Adrian Sjamsul Qamar (3)
(1) Information Systems Study Program, (2, 3) Informatics Study Program, Faculty of Industrial Technology, University of Trisakti
Fig. 1. Source of external network intrusion[3].
during intrusion tests.
The second study, 'Analysis of Security Information and
Event Management (SIEM) Implementation Based on Wazuh
in Windows and Linux Operating Systems,'[5] implements
Wazuh as the SIEM and integrates it with three components:
VirusTotal, Yara, and Suricata. The study then assesses the
effectiveness of Wazuh SIEM compared to SolarWinds SIEM
in detecting five different test scenarios.
The third study, titled 'Wazuh as Log Event Management and
Security Gap Detection on Servers from DoS Attacks,'[6]
integrates Wazuh SIEM with Suricata as a Network Intrusion
Detection System (NIDS) to detect Denial of Service (DoS)
attacks.
The researcher subsequently leveraged several of these
studies as references in various aspects of the research,
including understanding the methodologies employed by the
researchers in those studies and gaining insights into their
testing procedures.
III. RESEARCH METHODOLOGY
A. Research Methodology
In this research, the researcher adopted the Security Lifecycle
model as presented in Robert Pfau's version, as published by the
SANS Institute.[7] This model serves as a framework for
developing security systems based on the policies and standards
established within an organization. The cycle iterates to ensure
that security continually improves in accordance with the
organization's set policies and standards.
The Security Lifecycle consists of four key phases: Identify,
Assess, Protect, and Monitor.
1) Identify:
During this phase, data and information are gathered,
including the current state of the system to be secured, the
resources required to support security system implementation,
and other pertinent information needed to align the system with
established policies and standards.
2) Assess:
After acquiring data and information about the system to be
secured, a plan is devised to secure the system. This phase
involves outlining the necessities for securing the system, such
as hardware, software, regulations, and other supporting
elements.
3) Protect:
Once the implementation plan is prepared, and the required
resources are in place, the next step involves the actual
implementation of the security system. The implementation
process is documented step by step.
4) Monitor:
Once all phases have been executed, the system's enhanced
security requires testing to validate the effectiveness of the
security improvements. The testing results serve as a foundation
for future security enhancements. In addition to testing,
continuous monitoring of the security system's performance
and effectiveness is carried out.
In the context of the research conducted on GT-I2TI, the
researcher introduced a new policy involving the
implementation of a security information system that can detect
and mitigate security gaps in the face of brute force attacks on
the organization's information assets.
B. Research Phase
The research phases represent the steps delineated by the
researcher for executing the study, drawing from previously
established reference models. By organizing these research
phases, it is anticipated that the research outcomes will align
with expectations and fulfill the research objectives. The
following outlines the stages of this research:
1) System Observation
Initially, the researcher conducted an observation at GT-
I2TI Usakti to understand the devices and systems in use.
Information was also gathered from sources at GT-I2TI
Usakti regarding the security systems that had been
implemented.
2) Equipment Preparation
The researcher prepared the infrastructure provided by GT-
I2TI, along with data and simulated systems, in order to
create a simulated operational information system.
3) SIEM and Active Response Installation and Configuration
The researcher installed the Wazuh SIEM system and
configured rules to align with the protocols of the
information systems. This configuration allowed Wazuh
SIEM to detect and configure Active Response for attack
mitigation.
4) Integration with Telegram
Upon SIEM system operation, integration with the
Telegram API was established. This integration enabled
the forwarding of alerts from events detected by Wazuh
SIEM to Telegram Chat.
5) Testing Attack Simulations
During this phase, brute force attack simulations against
various protocols were executed according to predefined
testing scenarios.
6) Analysis of Test Results
The data obtained from the testing phase were analyzed to
determine the effectiveness of the implemented system in
detecting and mitigating brute force attack simulations.
7) Drawing Conclusions
Based on the analysis, the researcher drew conclusions
from the research findings to address the issues raised in
this study.
Fig. 2. Security Lifecycle Model.[7]
C. Implementation Scenario
The implementation process commences with an observation of the running system, which is then replicated within the simulation environment. This initial step is of paramount importance because it ensures that the research stays aligned with the research subject's needs. Fig. 3 illustrates the system topology in operation at GT-I2TI Usakti.
Building upon the functioning system within GT-I2TI Usakti, the author has chosen to replicate the system and simulate a real-world scenario. Fig. 4 shows the network topology employed in this research.
The research environment is configured to match this topology.
The setup comprises installing the information systems on the
replicated hosts, installing the Wazuh SIEM (manager), and
deploying a Wazuh agent on each information system. The detection
rules are then adapted to brute force attacks by modifying the
rules Wazuh ships with and adding custom rules, one per protocol.
Once a rule exists for each protocol, Active Response is configured
in the Wazuh global configuration (ossec.conf on the manager) to
run the 'firewall-drop' command on Linux agents and 'netsh' on
Windows agents; each of these stock scripts inserts a firewall rule
that drops traffic from the source IP address carried in the
triggering alert, so an attacker running a brute force attack
against an information system connected to Wazuh is blocked at the
host under attack.
To let Wazuh read the log files of each information system, their
locations are added as localfile entries in the Wazuh
configuration (ossec.conf) of the agent. The active response log
is added in the same way, so that every block executed by Active
Response is itself recorded as a Wazuh event.
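As an added example (not the paper's own configuration files), the following Wazuh 4.x fragments show how the three pieces described above fit together: a custom frequency rule in the manager's local_rules.xml, the Active Response stanzas in the manager's ossec.conf, and the localfile entries on a Linux agent. The rule ID 100100, the group name "bruteforce", the threshold of five failures within 60 seconds, the 600-second block duration and the auth.log path are assumptions chosen for the example; rule 5716 (sshd authentication failure), the firewall-drop and netsh scripts and the active-responses.log path are Wazuh's own. Rules for the other protocols would be written the same way, each tagged with the same group so that one Active Response stanza covers all of them.

```xml
<!-- Manager: /var/ossec/etc/rules/local_rules.xml
     Custom brute force rule: fires when the same source IP causes 5 sshd
     authentication failures (child events of Wazuh rule 5716) within 60 s.
     Rule ID 100100, the 5/60 threshold and the group name are assumptions. -->
<group name="local,authentication_failures,">
  <rule id="100100" level="10" frequency="5" timeframe="60">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Custom: SSH brute force, 5 failed logins within 60 s from one source</description>
    <group>bruteforce,</group>
  </rule>
</group>

<!-- Manager: /var/ossec/etc/ossec.conf
     The two commands are Wazuh's stock active response scripts. Each stanza
     runs on the agent that raised the alert (location local) whenever any
     rule in the "bruteforce" group fires, and lifts the block after timeout
     seconds. Linux agents ship firewall-drop and Windows agents ship
     netsh.exe; an agent can only execute a script present in its own
     active-response/bin directory, which is what keeps each platform on
     its own command. -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_group>bruteforce</rules_group>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>netsh</command>
    <location>local</location>
    <rules_group>bruteforce</rules_group>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- Linux agent: /var/ossec/etc/ossec.conf
     Logs the agent ships to the manager: the sshd log (path assumed, Debian
     style) and the active response log, so that every block shows up as a
     Wazuh event. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/active-responses.log</location>
  </localfile>
</ossec_config>
```

Two practical checks before trusting such a rule in production: the timeframe must be long enough that (frequency - 1) attempts at the slowest interval you care about still fit inside it, otherwise a patient attacker is never counted; and because the block is keyed on the source IP, normal users behind the same NAT address as an attacker are dropped together with the attacker for the timeout period.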
Further, Telegram will be integrated with the Wazuh SIEM
by creating a new integration file and adding integration code
lines to the global configuration of Wazuh. This integration will
facilitate the transmission of alerts from Wazuh to a Telegram
chat.
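The integration mechanism Wazuh provides for this is a script named custom-<name> in /var/ossec/integrations/, referenced from an <integration> block in the manager's ossec.conf; Wazuh writes the triggering alert to a temporary JSON file and calls the script with that file path, an API key and the hook URL. The script below is an added example of such an integration for Telegram, not the paper's own file: the chat ID, the bot token placeholder and the sample alert are constructed for the example, and the ossec.conf stanza that wires it in (with assumed values) is reproduced in the docstring.

```python
#!/usr/bin/env python3
"""Example Wazuh -> Telegram integration (added illustration, not the paper's script).

Wazuh invokes /var/ossec/integrations/custom-telegram as
    custom-telegram <alert_json_file> <api_key> <hook_url>
for every alert matching this stanza in the manager's ossec.conf (values assumed):

    <integration>
      <name>custom-telegram</name>
      <hook_url>https://api.telegram.org/botBOT_TOKEN/sendMessage</hook_url>
      <rule_id>100100</rule_id>
      <alert_format>json</alert_format>
    </integration>

BOT_TOKEN is the token BotFather issues when the bot is created; CHAT_ID is the
chat the bot posts to. Keep the token out of the script: it travels in hook_url.
"""
import json
import sys
import urllib.request

CHAT_ID = "123456789"        # assumption: destination chat for this example
TELEGRAM_TEXT_LIMIT = 4096   # Telegram rejects longer message texts
LOG_EXCERPT = 500            # how much of the raw log line to forward

# Constructed sample alert in the shape Wazuh writes to alerts.json.
SAMPLE_ALERT = {
    "timestamp": "2024-01-15T10:05:04.511+0700",
    "rule": {"id": "100100", "level": 10, "firedtimes": 1,
             "description": "Custom: SSH brute force, 5 failed logins within 60 s from one source"},
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.111"},
    "data": {"srcip": "10.0.0.50", "srcuser": "root"},
    "full_log": "Jan 15 10:05:04 web-01 sshd[2211]: Failed password for root "
                "from 10.0.0.50 port 51022 ssh2",
}


def build_message(alert, chat_id=CHAT_ID):
    """Turn one Wazuh alert into the JSON body of Telegram's sendMessage call.

    Missing fields are tolerated so that a malformed alert still produces a
    notification rather than a crash (an operator prefers a terse alert to none).
    """
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    data = alert.get("data", {})
    lines = [
        f"Wazuh alert (level {rule.get('level', '?')})",
        f"Rule {rule.get('id', '?')}: {rule.get('description', '')}",
        f"Agent: {agent.get('name', '?')} ({agent.get('ip', '?')})",
        f"Source IP: {data.get('srcip', 'n/a')}",
        f"Time: {alert.get('timestamp', '?')}",
    ]
    full_log = alert.get("full_log")
    if full_log:
        lines.append("Log: " + full_log[:LOG_EXCERPT])
    text = "\n".join(lines)[:TELEGRAM_TEXT_LIMIT]
    return {"chat_id": chat_id, "text": text, "disable_web_page_preview": True}


def send(hook_url, payload, timeout=10):
    """POST the payload to the Bot API; returns the HTTP status code."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main(argv):
    """Entry point as Wazuh calls it: argv[1] alert file, argv[3] hook URL."""
    alert_file, hook_url = argv[1], argv[3]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)
    return send(hook_url, build_message(alert))


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv) == 200 else 1)
```

The script file must be executable and owned by root:wazuh like the stock integrations, and after editing ossec.conf the manager is restarted for the new <integration> block to take effect.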
D. Testing Scenario
For the testing phase, the researcher devised multiple scenarios
that vary the protocol, the interval between login attempts, the
mix of actors, and the number of repetitions. THC Hydra was used to
generate the login attempts in both roles. For the normal user
simulation, Hydra was driven by a custom bash script so that it
behaved like a genuine user of the service. For the threat actor
simulation, Hydra was run as an attack tool, submitting a password
list against the information system. Table 1 lists the scenarios
executed during testing.
Table 1. List of test scenarios
Protocol:   HTTP, SSH, HTTPS, FTP, IMAP, RDP
Interval:   1 second, 10 seconds, 30 seconds (delay between successive login attempts, Hydra -c)
Actor:      0 normal users, 1 threat actor; 3 normal users, 0 threat actors;
            2 normal users, 2 threat actors; 3 normal users, 2 threat actors
Repetition: Test #1, Test #2, Test #3
Fig. 3. Running system topology at GT-I2TI Usakti.
Fig. 4. Simulated system topology.
Implementation of Security Information & Event Management (SIEM) Wazuh with Active Response and Telegram Notification for Mitigating Brute Force Attacks on the GT-I2TI USAKTI Information System, Farrel et al.
IV. RESULT AND DISCUSSION
A. Implementation
Wazuh is implemented as the SIEM according to the predetermined
scenarios, using four simulated information systems that together
expose the six protocols used by GT-I2TI Usakti. Wazuh agents are
installed on these systems and the rules are modified for brute
force detection. Once the SIEM is set up, failed login attempts
are made against one of the information systems to verify that
they appear as events on the Wazuh dashboard (Fig. 5).
Next, the Active Response feature is configured so that Wazuh
mitigates detected brute force attacks automatically. The rule ID
of each modified brute force detection rule is listed as a
trigger, so Active Response runs whenever any of these rules fires
(Fig. 6).
The Telegram notification integration begins by creating a
Telegram bot and a new integration file, into which the bot's API
token is inserted so that the integration can call the Telegram
Bot API. Finally, one of the rules is used to raise a test alert
and verify that the notification is delivered through the Telegram
integration (Fig. 7).
B. Testing
In the testing phase, the researcher used THC Hydra for both the
normal user and the threat actor scenarios. For the normal user, a
custom Bash script drove automatic, continuous authentication. For
the threat actor, THC Hydra alone was used to run the attacks, with
the interval setting adjusted according to the test scenario.
Table 2 lists the commands used.
Table 2. List of THC Hydra commands used (-c sets the wait time between login attempts in seconds, -I ignores an existing restore file, -V prints each attempt; target addresses are partially elided)
HTTP:  hydra -l admin -P pass.txt 10.xx.xx.111 http-post-form "/login.php:username=^USER^&password=^PASS^&IdUniversity=1&Login=Login:302" -V -I -c [interval in seconds]
SSH:   hydra -l root -P pass.txt ssh://10.xx.xx.111 -V -I -c [interval in seconds]
HTTPS: hydra -l admin -P pass.txt 10.xx.xx.112 https-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.xx.xx.112%2Fwordpress%2Fwp-admin%2F&testcookie=1:password" -V -I -c [interval in seconds]
FTP:   hydra -l admin -P pass.txt ftp://10.xx.xx.112 -V -I -c [interval in seconds]
IMAP:  hydra -l email -P pass.txt imap://10.xx.xx.113 -V -I -c [interval in seconds]
RDP:   hydra -l Administrator -P pass.txt rdp://10.xx.xx.114 -V -I -c [interval in seconds]
Table 4. SSH protocol test result
Fig. 5. Event on Wazuh Dashboard after failed login test
Fig. 6. Active Response configuration that is triggered when one of the listed rules_id fires
Fig. 7. Telegram integration test
C. Testing Results
The results of the brute force attack detection, mitigation using
Active Response, and Telegram notifications are presented in
tabular form (Table 3 to Table 8). Time to detect (TTD) is the time
Wazuh needs to identify an attack, measured in seconds from the
start of the attack; time to respond (TTR) is the time, also in
seconds from the start of the attack, at which Active Response
mitigates the detected brute force attack. The N column indicates
whether the notification for that test was delivered to the
Telegram chat.
Across all information system protocols and attack scenarios, the
configured Wazuh rules detected every attack; no attempt went
undetected. Active Response mitigated every detected attack, so
none bypassed the security measures. The detection and mitigation
times vary between tests, but the variations are small. In the
scenario with only normal users and no threat actors, Wazuh did
not classify the normal users' login activity as an indication of
brute force: no login attempt was identified as a brute force
attack, and Active Response stayed inactive. Telegram
notifications were received for every experiment.
The bar charts comparing the three attack scenarios per protocol
(Fig. 8 to Fig. 10) show that detection and response times are
nearly identical for most protocols. IMAP is the exception: its
detection and response times at the 1 s interval are similar to
those at the 10 s interval, whereas the other protocols are
detected considerably faster at 1 s.
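The separation between normal users and threat actors in these results follows from how Wazuh frequency rules work: a rule with frequency and timeframe (and same_source_ip) fires only when one source accumulates enough failures inside the window, so a user who mistypes a password now and then never reaches the threshold, while a tool pacing attempts every second does. The Python script below is an added example, not part of the paper, that models that sliding window over constructed sshd log lines and also computes the earliest possible time to detect for a given attempt interval, which is why detection slows as the interval grows. The log lines, host names, addresses, the 5-in-60-seconds threshold and the window-clearing behaviour after an alert are assumptions for the example; it does not reproduce Wazuh's rule engine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# sshd failure line as Wazuh's syslog decoder sees it (what rule 5716 matches).
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)"
)


def parse_ts(ts):
    """Parse a syslog timestamp such as 'Jan 15 10:05:04' (year assumed)."""
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def parse_failures(log_text):
    """Return (timestamp, srcip, user) for every failed-login line, in time order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["srcip"], m["user"]))
    return sorted(events)


def detect_bruteforce(log_text, frequency=5, timeframe=60):
    """Sliding-window model of a Wazuh rule with frequency/timeframe and
    <same_source_ip/>: alert when one source IP accumulates `frequency`
    failures inside `timeframe` seconds. Returns [(alert_time, srcip, count)].
    Clearing the window after an alert is a simplification; Wazuh's exact
    post-alert behaviour is not modelled here."""
    window = defaultdict(deque)
    alerts = []
    for ts, srcip, _user in parse_failures(log_text):
        q = window[srcip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:   # expire old failures
            q.popleft()
        if len(q) >= frequency:
            alerts.append((ts, srcip, len(q)))
            q.clear()
    return alerts


def make_failures(srcip, start, count, interval_s, user="root", host="web-01"):
    """Construct sshd failure lines for one source pacing attempts every
    `interval_s` seconds, as Hydra does with -c. `start` is a syslog timestamp."""
    t0 = parse_ts(start)
    return "\n".join(
        f"{(t0 + timedelta(seconds=i * interval_s)).strftime('%b %d %H:%M:%S')} "
        f"{host} sshd[{1000 + i}]: Failed password for {user} from {srcip} "
        f"port {50000 + i} ssh2"
        for i in range(count)
    )


def earliest_ttd(frequency, timeframe, interval_s):
    """Seconds after the first attempt at which a frequency rule can fire for a
    single source pacing attempts every `interval_s`, or None when the required
    failures never fit inside `timeframe` and the rule cannot fire at all."""
    needed = (frequency - 1) * interval_s
    return needed if needed <= timeframe else None


# Constructed sample: two normal users with an occasional typo, one attacker
# with a 1-second interval (Hydra -c 1). No real hosts are involved.
SAMPLE_LOG = "\n".join([
    "Jan 15 10:00:01 web-01 sshd[100]: Failed password for alice from 10.0.0.20 port 40001 ssh2",
    "Jan 15 10:00:03 web-01 sshd[101]: Accepted password for alice from 10.0.0.20 port 40002 ssh2",
    "Jan 15 10:07:30 web-01 sshd[300]: Failed password for bob from 10.0.0.21 port 40010 ssh2",
    "Jan 15 10:09:00 web-01 sshd[301]: Failed password for bob from 10.0.0.21 port 40011 ssh2",
    make_failures("10.0.0.50", "Jan 15 10:05:00", 8, 1),
])

if __name__ == "__main__":
    for when, ip, n in detect_bruteforce(SAMPLE_LOG):
        print(f"{when} brute force from {ip} ({n} failures) -> firewall-drop {ip}")
    print("earliest TTD at 30 s interval, 5/60 rule:", earliest_ttd(5, 60, 30))
    print("earliest TTD at 30 s interval, 5/300 rule:", earliest_ttd(5, 300, 30))
```

Run against the sample, only 10.0.0.50 trips the rule, at its fifth attempt, while alice and bob never do; the same attacker pacing attempts every 30 seconds is invisible to a 5-in-60-seconds rule and only caught once the timeframe is widened, which is the trade-off behind the longer detection times at the 30 s interval.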
Table 3. HTTP protocol test result
Table 5. HTTPS protocol test result
Table 6. FTP protocol test result
Table 7. IMAP protocol test result
Table 8. RDP protocol test result
Fig. 8. Comparison between protocols in the 0 Normal User, 1 Threat Actor scenario
Fig. 9. Comparison between protocols in the 2 Normal User, 2 Threat Actor scenario
Fig. 10. Comparison between protocols in the 3 Normal User, 2 Threat Actor scenario
Wazuh Detection Effectiveness
To draw conclusions on the detection of brute force attacks on the
GT-I2TI Usakti simulation system, the findings from all scenarios
were combined, with the following outcomes.
Table 9. Wazuh detection summary, all three attack scenarios combined (TTD in seconds, by interval between login attempts)
          TTD 1 s                TTD 10 s         TTD 30 s
MIN       28.33 (HTTP & HTTPS)   146.00 (SSH)     403.67 (IMAP)
AVERAGE   80.51                  173.18           434.58
MEDIAN    36.17                  154.67           434.83
MAX       258.67 (IMAP)          265.00 (IMAP)    466.33 (IMAP)
When all scenarios and protocols are combined and compared, the
minimum time needed to detect a brute force attack differs by
protocol and by attempt interval. HTTP and HTTPS were detected
fastest at the 1 s interval, while IMAP took the longest at every
interval. This pattern holds throughout the analysis and points to
the different authentication mechanisms of the protocols.
The difference is attributed to the cost of each login attempt:
HTTP and HTTPS need few steps per attempt, a single
request-response exchange, whereas IMAP has a more elaborate
authentication dialogue and, in these tests, each IMAP
authentication attempt also establishes its own TCP connection,
which adds overhead per attempt. Slower attempts mean that the
number of failures a rule needs within its timeframe accumulates
more slowly, which is why IMAP shows the longest time to detect.
Two further points matter when reading these numbers: for the rule
that fires, the time to detect is bounded below by (frequency - 1)
x interval, so it grows with the attempt interval regardless of
protocol; and an interval long enough that the required failures
no longer fit inside the rule's timeframe is not detected by a
frequency rule at all.
The factors that influence authentication time were not the focus
of this research and are left for further investigation. Within
the scope tested, the implemented solution detected every brute
force attack on all six protocols (100% detection). All attacks
originated from a single source address, as the scenarios were
designed; blocking by source IP, as used here, does not stop an
attack distributed across many addresses, and it also blocks any
normal users who share the attacker's address behind a NAT.
D. Active Response Mitigation Effectiveness
The reaction time is the time Active Response needs to act against
the source IP identified as conducting a brute force attack,
counted from the moment Wazuh raised the detection alert. It is
computed from the two measurements of each test as

$$\text{Active Response Reaction Time} = \text{TTR} - \text{TTD}$$

where TTR and TTD are the time to respond and the time to detect
defined above, both in seconds from the start of the attack. Using
this formula, the reaction time was calculated from the data
grouped by scenario and consolidated in Table 10.
Subsequently, data regarding the minimum time, average
time, median time, and maximum time needed for Active
Response to initiate actions upon detecting brute force attack
indications by SIEM Wazuh was gathered and is presented in
the following table.
Table 11. Active Response mitigation summary (reaction time in seconds, all tests)
MIN       0.00
AVERAGE   0.51
MEDIAN    0.49
MAX       1.33
The table shows that Active Response took on average 0.51 seconds
to start its response after Wazuh detected a brute force attack.
The shortest recorded reaction time was 0.00 seconds, meaning the
block was executed within the same recorded second as the
detection alert; the longest was 1.33 seconds. The delay between
detection and block is therefore at most about one attempt's worth
of time at the 1 s interval and negligible at the 10 s and 30 s
intervals, so the attacker gains at most one or two further
attempts before its source IP is dropped.
V. CONCLUSION
Based on the research conducted regarding the
implementation and testing of SIEM Wazuh, the Active
Response feature, and its integration with Telegram, several
conclusions can be drawn as follows:
The implementation of the SIEM Wazuh system, inclusive of
the Active Response feature, was executed successfully,
adhering to the predefined implementation scenario and
simulation topology, mirroring the live system environment at
GT-I2TI Usakti. Furthermore, the integration with Telegram
proved successful in transmitting notifications to the designated
Telegram Chat.
Wazuh detected the brute force attacks on every protocol tested,
with 100% detection in all test runs. The average detection time
depends on the interval between login attempts: 80.51 seconds at
1-second intervals, 173.18 seconds at 10-second intervals, and
434.58 seconds at 30-second intervals.
The Active Response feature blocked the attacking IP address for
every detected brute force attack on every protocol, starting its
response on average 0.51 seconds after detection.
Wazuh with Active Response also distinguished normal user activity
from threat actor activity: no false positives were generated
during the experimental trials.
The Telegram notification delivered alerts for failed login
attempts and for each activation of Active Response directly to the
Telegram application, giving the relevant stakeholders prompt
notice of security events.
Table 10. Active Response reaction time
REFERENCES
[1] Bourgeois, David T.; Smith, James L.; Wang, Shouhong; and Mortati,
Joseph, "Information Systems for Business and Beyond" (2019). Open
Textbooks. 1.
[2] McAfee, A. & Brynjolfsson, “Investing in the IT that Makes a
Competitive Difference”. Harvard Business Review. 86. 98-107 (2008).
[3] ESET Research, "ESET Threat Report H1 2023," 2023. [Online]. Available:
https://www.welivesecurity.com/2023/07/11/eset-threat-report-h1-2023/.
[Accessed: July 12, 2023].
[4] Goodgion, Jonathon S., "Active Response Using Host-Based Intrusion
Detection System and Software-Defined Networking" (2017). Theses and
Dissertations. 1575.
[5] Radhitya, Dimas. “Analisis implementasi Security Information and Event
Management (SIEM) dengan berbasis wazuh pada sistem operasi
Windows dan Linux” (2022). Fakultas Teknik Universitas Indonesia.
[6] Nova, F., Pratama, M. D., & Prayama, D. (2022). Wazuh sebagai Log
Event Management dan Deteksi Celah Keamanan pada Server dari
Serangan Dos. JITSI: Jurnal Ilmiah Teknologi Sistem Informasi, 3(1), 1-
7.
[7] Pfau, Robert. The Security Lifecycle, SANS Institute, USA, 2003.
[8] N. Carr, “IT Doesn’t Matter,” Harvard Business Review, May 2003.
[Online]. Available: https://hbr.org/2003/05/it-doesnt-matter. [Accessed:
October 13, 2022].
[9] Center for Strategic & International Studies (CSIS), “Significant Cyber
Incidents Since 2006,” Center for Strategic & International Studies
(CSIS), 2019.
[10] Check Point Software Technologies Ltd, “CYBER ATTACK TRENDS
Check Point’s 2022 Mid-Year Report,” Check Point Software
Technologies Ltd, 2022.
[11] Dr. Madhu Tyagi, “SECURITY AGAINST CYBER-CRIME:
PREVENTION AND DETECT,” Horizon Books ( A Division of Ignited
Minds Edutech P Ltd), 2017
[12] R. Stair and G. Reynolds, Principles of information systems. Cengage
Learning, 2017.
[13] Committee on National Security Systems Instruction (CNSSI) No. 4009,
“National Information Assurance Glossary,” Committee on National
Security Systems (CNSS), Apr. 2010.
[14] Microsoft, “What is SIEM?,” Microsoft. [Online]. Available:
https://www.microsoft.com/en-us/security/business/security-101/what-
is-siem. [Accessed: Jan. 5, 2023].
[15] Wazuh, “Components – Getting started,” Wazuh. [Online]. Available:
https://documentation.wazuh.com/current/getting-
started/components/index.htm. [Accessed: Jan. 10, 2023].
Farhan Ibnu Farrel, born in Bukittinggi, February 23, 2001.
Student of Trisakti University, Faculty of Information System
Industrial Technology
(email: farhan065001900038@std.trisakti.ac.id)
Is Mardianto completed a bachelor's degree at Institut Teknologi
Bandung and a master's degree at the University of Indonesia
(email: mardianto@trisakti.ac.id)
Adrian Sjamsul Qamar completed bachelor's and master's degrees at
the University of Indonesia.
(email: adrian.qamar@trisakti.ac.id)