- COMP.SEC.100
- 9. Security Operations & Incident Management
- 9.3 Analyse: analysis methods (advanced)
Analyse: analysis methods (advanced)
The collected traces are analysed using different strategies, the aim of which is to distinguish “benign” events from those that indicate attacks. Misuse detection seeks to characterise malicious behavioural patterns appearing in traces and raises an alert when a set of malicious behavioural events is identified in the traces. Anomaly detection seeks to characterise “normal” behaviour and raises an alert when events in the traces do not correspond to it. A wide range of algorithms has been developed for both approaches. Some of these algorithms have been applied to both misuse detection and anomaly detection.
In the SOIM process (cf. figure on SOIM workflows), analysis is performed both by sensors and on the SIEM platform; the figure above refines this step. The monitored system produces traces of its activity, either as log files or via dedicated IDPS devices or software (the IDS/IPS hosts and log files among the SOIM technologies in the ICT infrastructure shown in the figure). One or more events within a trace may trigger an alert from an IDPS sensor. The SIEM then aggregates these alerts into security incidents for operators to handle, so that an analyst works on a small number of correlated incidents rather than on the raw stream of alerts.
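As an added example (not part of the original page), the following Python script runs the two strategies just described over a constructed web-server access-log trace and then folds the resulting alerts into one incident per source address, mirroring the split between IDPS sensors (which raise alerts on events) and the SIEM (which aggregates them into incidents). The signature patterns, the baseline request counts, the `mean + 3 standard deviations` threshold and the log lines themselves are all constructed for illustration and are not taken from any real product, dataset or advisory.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Access-log line in the common "combined" layout (constructed sample format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse(trace):
    """Turn raw log text into a list of event dicts; lines that do not parse are skipped."""
    events = []
    for line in trace.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

# Misuse detection: hand-written signatures of known malicious request patterns.
# (rule name, pattern applied to the request path, note passed to the analyst)
MISUSE_RULES = [
    ("path-traversal", re.compile(r"\.\./|%2e%2e", re.I),
     "directory traversal sequence: attempt to read files outside the web root"),
    ("sql-injection", re.compile(r"(%27|')(%20|\+|\s)*(or|and|union)(%20|\+|\s)", re.I),
     "SQL meta-characters followed by a keyword in a request parameter"),
    ("webshell-probe", re.compile(r"/(cmd|shell|c99)\.php$", re.I),
     "request for a file name commonly used by dropped web shells"),
]

def misuse_detect(events):
    """One alert per (event, matching rule): evidence of a known malicious event."""
    return [{"kind": "misuse", "rule": name, "src": ev["src"], "note": note}
            for ev in events
            for name, pattern, note in MISUSE_RULES
            if pattern.search(ev["path"])]

# Anomaly detection: requests per source in the analysed window, compared with a
# baseline learned from a period believed to be benign (constructed values).
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

def anomaly_threshold(baseline, k=3.0):
    """Alert when a count exceeds mean + k standard deviations of the baseline."""
    return mean(baseline) + k * pstdev(baseline)

def anomaly_detect(events, baseline=BASELINE_COUNTS, k=3.0):
    """No signature involved: any source whose volume departs from the baseline is flagged."""
    threshold = anomaly_threshold(baseline, k)
    per_src = Counter(ev["src"] for ev in events)
    return [{"kind": "anomaly", "rule": "request-rate", "src": src,
             "note": f"{n} requests in window, threshold {threshold:.1f}"}
            for src, n in per_src.items() if n > threshold]

# SIEM side: fold individual alerts into one incident per source address.
def aggregate(alerts):
    incidents = defaultdict(lambda: {"alerts": 0, "kinds": set(), "rules": set(), "notes": []})
    for a in alerts:
        inc = incidents[a["src"]]
        inc["alerts"] += 1
        inc["kinds"].add(a["kind"])
        inc["rules"].add(a["rule"])
        inc["notes"].append(a["note"])
    return dict(incidents)

def analyse(trace):
    """Sensor stage (both detectors) followed by the SIEM aggregation stage."""
    events = parse(trace)
    return aggregate(misuse_detect(events) + anomaly_detect(events))

# Constructed trace: one benign visitor, one host sending known attack payloads,
# and one host scanning for files with requests that match no signature.
TRACE = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 734
10.0.0.5 - - [12/Mar/2024:10:00:09 +0000] "GET /contact.html HTTP/1.1" 200 401
10.0.0.9 - - [12/Mar/2024:10:00:12 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [12/Mar/2024:10:00:15 +0000] "GET /item?id=1%27%20union%20select%20null-- HTTP/1.1" 500 0
10.0.0.9 - - [12/Mar/2024:10:00:18 +0000] "POST /uploads/cmd.php HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:20 +0000] "GET /admin/ HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:20 +0000] "GET /login HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:21 +0000] "GET /backup.zip HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:21 +0000] "GET /.git/HEAD HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:22 +0000] "GET /wp-login.php HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:22 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:23 +0000] "GET /config.bak HTTP/1.1" 404 0
10.0.0.23 - - [12/Mar/2024:10:00:23 +0000] "GET /robots.txt HTTP/1.1" 200 68
"""

if __name__ == "__main__":
    for src, inc in analyse(TRACE).items():
        print(f"{src}: {inc['alerts']} alert(s), {sorted(inc['kinds'])}, {sorted(inc['rules'])}")
        for note in inc["notes"]:
            print("   -", note)
```

Running the script yields two incidents: 10.0.0.9 with three misuse alerts, each carrying the analyst note that only a signature can supply, and 10.0.0.23 with a single rate anomaly. The scanning host matches no signature at all, which is precisely the gap anomaly detection is meant to cover; conversely, the baseline and the multiplier `k` are where anomaly detection earns its false positives, so both should be tuned against the monitored system rather than copied from an example.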
- Misuse detection
- Misuse detection makes extensive use of information about malicious code and the vulnerabilities exploited by such code. Software vulnerabilities, particularly those catalogued under Common Vulnerabilities and Exposures (CVE), are especially important, but misuse detection is broader in scope. An intrusion detection system focused on misuse searches traces for evidence of known malicious events and raises an alert when such evidence is found, while also informing the analyst about the characteristics of the exploited vulnerability and its impacts. Its limitation is the mirror image of this strength: an attack for which no signature has been written produces no alert, however visible it is in the traces.
- Anomaly detection
- Anomaly detection is a fundamental tool for detecting cyber attacks, as knowledge of known attacks alone is insufficient. The principal advantage of anomaly detection is its independence from information about specific vulnerabilities. In theory, this enables the detection of zero-day attacks, provided that such attacks manifest as anomalies in the traces. The price is a higher false-positive rate: any legitimate but unusual activity also departs from the model of "normal" behaviour, and the quality of the alerts depends on how representative and how clean the baseline used to build that model was.
- Machine learning
- Anomaly detection and misuse detection can be combined using machine learning methods; in particular, supervised learning can be employed. A supervised algorithm maps each input, represented as a feature vector, to an output class. Because such an algorithm requires the output classes to be defined in advance, the choice of classes (for example, normal and attack) in itself integrates the two approaches: the normal class captures the baseline behaviour that anomaly detection models, while the attack class captures the known malicious patterns that misuse detection looks for.
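An added example (not from the original page) of the combination just described: a supervised nearest-centroid classifier, written from scratch in Python so that it runs without extra packages, maps per-source sessions to feature vectors and assigns them to the two classes normal and attack. The training sessions, the four features and the optional reject radius (which reports a sample far from every centroid as unknown, i.e. as an anomaly with respect to all trained classes) are assumptions made for illustration and go slightly beyond the two-class case in the text.

```python
import math

# Each session is a list of (request path, HTTP status) for one source address.
META_CHARS = ("%", "..", "'")

def features(session):
    """Feature vector for a session: size, error ratio, mean path length and the
    share of requests carrying injection/traversal meta-characters. The first two
    describe volume and outcome (anomaly-style), the last one encodes knowledge of
    attack syntax (misuse-style); all four are assumptions made for this example."""
    n = len(session)
    error_ratio = sum(1 for _, status in session if status >= 400) / n
    mean_len = sum(len(path) for path, _ in session) / n
    meta_ratio = sum(1 for path, _ in session if any(c in path for c in META_CHARS)) / n
    return [n, error_ratio, mean_len, meta_ratio]

def column_stats(vectors):
    """Per-feature mean and population standard deviation (zero std replaced by 1)."""
    cols = list(zip(*vectors))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

class NearestCentroid:
    """Supervised classifier: standardise features, keep one centroid per class,
    assign a new sample to the class whose centroid is nearest."""
    def __init__(self):
        self.means, self.stds, self.centroids = None, None, {}

    def _z(self, vec):
        return [(x - m) / s for x, m, s in zip(vec, self.means, self.stds)]

    def fit(self, sessions, labels):
        vecs = [features(s) for s in sessions]
        self.means, self.stds = column_stats(vecs)
        grouped = {}
        for v, label in zip(vecs, labels):
            grouped.setdefault(label, []).append(self._z(v))
        self.centroids = {label: [sum(c) / len(c) for c in zip(*zs)]
                          for label, zs in grouped.items()}
        return self

    def predict(self, session, reject_radius=None):
        z = self._z(features(session))
        label, dist = min(((lab, math.dist(z, c)) for lab, c in self.centroids.items()),
                          key=lambda t: t[1])
        # Optional reject option: a sample far from every class centroid is reported
        # as unknown rather than forced into normal or attack.
        if reject_radius is not None and dist > reject_radius:
            return "unknown"
        return label

# Constructed, labelled training sessions (not real traffic).
TRAINING = [
    ([("/index.html", 200), ("/about.html", 200), ("/contact.html", 200)], "normal"),
    ([("/index.html", 200), ("/products", 200), ("/products/42", 200), ("/cart", 200)], "normal"),
    ([("/index.html", 200), ("/index.html", 200), ("/blog", 200),
      ("/blog/first-post", 200), ("/missing", 404)], "normal"),
    ([(f"/admin{i}.php", 404) for i in range(15)], "attack"),                            # file guessing
    ([(f"/item?id={i}%27%20union%20select%20null--", 500) for i in range(8)], "attack"),  # SQL injection
    ([("/dl?f=../../../etc/passwd", 403)] * 10, "attack"),                                 # traversal
]

def train_model():
    sessions, labels = zip(*TRAINING)
    return NearestCentroid().fit(list(sessions), list(labels))

# Constructed sessions to classify: ordinary browsing and a CGI scan that matches
# none of the trained attack payloads but shares their volume and error profile.
NORMAL_TEST = [("/index.html", 200), ("/about.html", 200), ("/faq", 200), ("/about.html", 200)]
SCAN_TEST = [(f"/cgi-bin/test{i}.cgi", 404) for i in range(12)]

if __name__ == "__main__":
    model = train_model()
    for name, session in (("browsing", NORMAL_TEST), ("cgi scan", SCAN_TEST)):
        print(name, "->", model.predict(session))
```

The browsing session lands next to the normal centroid and the scan next to the attack centroid even though no signature was written for CGI probing, which is the integration the text describes: the normal class is the anomaly detector's baseline, the attack class is the misuse detector's knowledge, and the feature vector carries both kinds of evidence. Standardising the features before computing distances matters because raw request counts would otherwise swamp the ratio features.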