A SURVEY OF NETWORK SERVICE LOG PROCESSING PLATFORMS AND TECHNIQUES FOR THE DETECTION OF INFORMATION INSECURITY RISKS
Keywords: Anomaly detection, Intrusion detection, Security information and event management.
Abstract: In the layers of information security measures, the monitoring and detection of anomalous activities and information insecurity risks are considered the second defense layer, behind firewalls and access controls. This defense layer includes intrusion detection and prevention systems for hosts and networks. This paper examines platforms, tools and techniques for processing and analyzing the access logs of network service servers in order to detect anomalous activities and information insecurity risks. Based on the survey results, the paper proposes an architecture for a monitoring and information security assurance system for the small and medium-sized networks of organizations with limited resources.
Copyright & License
Copyright (c) 2018 Phạm Duy Lộc, Hoàng Xuân Dậu
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.