This paper proposes an innovative framework for the early detection of several cyber attacks, where the main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach with respect to most detection tools and algorithms focusing on separate network levels or interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with higher scores rather than wasting time on thousands of daily alerts and false alarms.
Scalable architecture for online prioritization of cyber threats / Pierazzi, Fabio; Apruzzese, Giovanni; Colajanni, Michele; Guido, Alessandro; Marchetti, Mirco. - 2017-:(2017), pp. 1-18. (Intervento presentato al convegno 9th International Conference on Cyber Conflict: Defending the Core, CyCon 2017 tenutosi a Tallin, Estonia nel June 2017) [10.23919/CYCON.2017.8240337].
Scalable architecture for online prioritization of cyber threats
Fabio, Pierazzi;Giovanni, Apruzzese;Michele, Colajanni;Alessandro, Guido;Mirco, Marchetti
2017
Abstract
This paper proposes an innovative framework for the early detection of several cyber attacks, where the main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach with respect to most detection tools and algorithms focusing on separate network levels or interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with higher scores rather than wasting time on thousands of daily alerts and false alarms.
| File | Dimensione | Formato | |
|---|---|---|---|
|
cycon17_review_v16.pdf
Open access
Descrizione: Articolo principale
Tipologia:
Versione dell'autore revisionata e accettata per la pubblicazione
Dimensione
1.13 MB
Formato
Adobe PDF
|
1.13 MB | Adobe PDF | Visualizza/Apri |
Pubblicazioni consigliate
I metadati presenti in IRIS UNIMORE sono rilasciati con licenza Creative Commons CC0 1.0 Universal, mentre i file delle pubblicazioni sono rilasciati con licenza Attribuzione 4.0 Internazionale (CC BY 4.0), salvo diversa indicazione.
In caso di violazione di copyright, contattare Supporto Iris
