skip to main content
10.1145/3396743.3396787acmotherconferencesArticle/Chapter ViewAbstractPublication PagesmsieConference Proceedingsconference-collections
research-article

Automated Monitoring and Behavior Analysis for Proactive Security Operations

Published: 29 May 2020 Publication History

Abstract

This research presents a method for discovery of malware trapped in Honeypot bait. The focus is the network intrusion on the Unix or Linux operating system. A process flow is introduced to facilitate collecting, analyzing, and classifying cyberattack patterns. Log management and analytics are performed with the Elastic Stack or formerly known as ELK. The data logs (cowire.log) are periodically collected from Honeypot, then they will be filtered, formatted, and inspected through the execution of shell scripts. To detect suspicious commands, a set of rules containing groups of commands is defined. These commands seem to cause the organization's assets vulnerable or harmful. If a command is found matching the command risk group, the system will analyze for its attack pattern by querying VirusTotal database. VirusTotal is a free Sandboxing service for analyzing suspicious files or URLs online. The API will return analysis reports all the antivirus application engines that have previously scanned the suspicious file or URL. The experimental result in this work reported 86% of URLs or files that belong to the command risk groups are considered as threats. The analytic results would contribute to the organization's security policies and proactive security operations development afterwards.

References

[1]
Babu, J.B., Prasad, S., and Prasad, G.S. 2019. Detecting and Analyzing the Malicious Linux Events using Filebeat and ELK Stack. Int. J. Engineering and Advanced Technology (Apr 2019), 1845--1849.
[2]
Praneeth, J. N. and Sreedevi, M. 2019. Detecting and Analyzing the Malicious Windows Events using Winlogbeat and ELK Stack. Int. J. Recent Technology and Engineering (Apr 2019), 156--160.
[3]
Harikanth, M. and Rajarajeswari, P. 2019. Malicious Event Detection Using ELK Stack Through Cyber Threat Intelligence. Int. J. Innovative Technology and Exploring Engineering (May 2019), 882--886.
[4]
Mohannadi, H., Awan, I., and Al Hamar, J. 2018. Cyber Threat Intelligence from Honeypot Data using Elastic search. In Proceedings of 32nd IEEE International Conference on Advanced Information Networking and Applications (Krakow; Poland, May 16--18, 2018)
[5]
Al-Mahbashi, I.Y.M., Potdar, M.B., and Chauhan, P. 2017. Network Security Enhancement through Effective Log Analysis using ELK. In Proceedings of IEEE 2017 International Conference on Computing Methodologies and Communication (India, July 18--19, 2017)
[6]
Prakash, T., Kakkar, M., and Patel K. 2016. Geo-Identification of Web Users through logs using ELK stack. In Proceedings of 6th International Conference - Cloud System and Big Data Engineering, Confluence (Noida, India, January 14--15, 2016)
[7]
Hong, J., & Hua, Y. 2018. Research on Network Defense Strategy Based on Honey Pot Technology. In: IOP Conference Series: Materials Science and Engineering (March 2018), p. 052033.
[8]
R. Masri and M. Aldwairi. 2017. Automated malicious advertisement detection using virustotal, urlvoid, and trendmicro. In Proceedings of 8th International Conference on Information and Communication Systems (April 2017), 336--341.
[9]
VirusTotal. 2020. Public API version 2.0. https://developers.virustotal.com/reference#public-vs-private-api.
[10]
McAfee. 2019. FAQs for V2 DAT files. https://kc.mcafee.com/corporate/index?page=content&id=KB55986&_ga=2.74906322.1974068936.1579082838-1456127139.1574963289.

Cited By

View all
  • (2022)Feature Extraction Pipeline and Analysis of Suspicious Events in Large-Scale LANs for Cyberattack CategorizationProceedings of the 4th International Conference on Big Data Engineering10.1145/3538950.3538964(104-112)Online publication date: 26-May-2022
  • (2022)A Comparative Analysis of VirusTotal and Desktop Antivirus Detection Capabilities2022 13th International Conference on Information, Intelligence, Systems & Applications (IISA)10.1109/IISA56318.2022.9904382(1-6)Online publication date: 18-Jul-2022

Index Terms

  1. Automated Monitoring and Behavior Analysis for Proactive Security Operations

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Other conferences
    MSIE '20: Proceedings of the 2020 2nd International Conference on Management Science and Industrial Engineering
    April 2020
    341 pages
    ISBN:9781450377065
    DOI:10.1145/3396743
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    In-Cooperation

    • College of Technology Management, National Tsing Hua University, Taiwan

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 29 May 2020

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. Elastic stack
    2. Honeypot
    3. Log analysis
    4. Network threat detection
    5. Proactive security operation

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    MSIE 2020

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)12
    • Downloads (Last 6 weeks)2
    Reflects downloads up to 16 Jan 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2022)Feature Extraction Pipeline and Analysis of Suspicious Events in Large-Scale LANs for Cyberattack CategorizationProceedings of the 4th International Conference on Big Data Engineering10.1145/3538950.3538964(104-112)Online publication date: 26-May-2022
    • (2022)A Comparative Analysis of VirusTotal and Desktop Antivirus Detection Capabilities2022 13th International Conference on Information, Intelligence, Systems & Applications (IISA)10.1109/IISA56318.2022.9904382(1-6)Online publication date: 18-Jul-2022

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media