Ting-Fang Yen, Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks
As more and more Internet-based attacks arise, organizations are responding by deploying an assortment of security products that generate situational intelligence in the form of logs. These logs often contain high volumes of interesting and useful information about activities in the network, and are among the first data sources that information security specialists consult when they suspect that an attack has taken place. However, security products often come from a patchwork of vendors, and are inconsistently installed and administered. They generate logs whose formats differ widely and that are often incomplete, mutually contradictory, and very large in volume. Hence, although this collected information is useful, it is often dirty.

We present a novel system, Beehive, that attacks the problem of automatically mining and extracting knowledge from the dirty log data produced by a wide variety of security products in a large enterprise. We improve on signature-based approaches to detecting security incidents and instead identify suspicious host behaviors that Beehive reports as potential security incidents. These incidents can then be further analyzed by incident response teams to determine whether a policy violation or attack has occurred. We have evaluated Beehive on the log data collected in a large enterprise, EMC, over a period of two weeks. We compare the incidents identified by Beehive against enterprise Security Operations Center reports, antivirus software alerts, and feedback from enterprise security specialists. We show that Beehive is able to identify malicious events and policy violations which would otherwise go undetected.

About the speaker: Ting-Fang Yen is a research scientist at RSA Laboratories, the security division of EMC. Ting-Fang's research interests include network security and data analysis for security applications. Ting-Fang received a B.S. degree in Computer Science and Information Engineering from National Chiao Tung University, Taiwan, and M.S. and Ph.D. degrees in Electrical and Computer Engineering from Carnegie Mellon University.
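The approach the abstract sketches, normalizing logs from a patchwork of vendors into one schema and then flagging suspicious host behaviour rather than matching signatures, as an added illustration that is not Beehive's own code and is not taken from the paper: the two log formats, the host and destination names, the "destination that nobody else contacts" feature and its threshold of three are all assumptions made here for the example; Beehive's actual features and scoring are not described on this page.

```python
"""Added illustration (not Beehive's code): normalize two vendor log formats
into one schema, then flag hosts by behaviour rather than by signature."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines; hostnames, destinations and formats are invented.
# Vendor A is a web proxy (key=value, ISO-8601); vendor B is a firewall
# (syslog timestamp, different field names). One firewall line lacks a
# destination, standing in for the incomplete records the abstract mentions.
SAMPLE_LOGS = [
    "2013-04-01T10:00:00Z proxy01 host=ws-017 dst=www.example.com status=200",
    "2013-04-01T10:00:03Z proxy01 host=ws-042 dst=WWW.example.com status=200",
    "2013-04-01T10:00:09Z proxy01 host=ws-017 dst=mail.example.com status=200",
    "2013-04-01T10:01:12Z proxy01 host=ws-099 dst=www.example.com status=200",
    "2013-04-01T10:01:40Z proxy01 host=ws-099 dst=cdn-a.invalid status=200",
    "2013-04-01T10:02:05Z proxy01 host=ws-099 dst=cdn-b.invalid status=200",
    "2013-04-01T10:02:31Z proxy01 host=ws-099 dst=cdn-c.invalid status=302",
    "Apr  1 10:00:01 fw01 conn src_host=ws-042 dest=mail.example.com action=allow",
    "Apr  1 10:00:30 fw01 conn src_host=ws-099 dest=cdn-d.invalid action=allow",
    "Apr  1 10:00:45 fw01 conn src_host=ws-017 action=deny",
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) \S+ host=(?P<host>\S+) dst=(?P<dst>\S+)")
FW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ conn "
    r"src_host=(?P<host>\S+)(?: dest=(?P<dst>\S+))?"
)


def parse_line(line, year=2013):
    """Map one raw line to {ts, host, dst, source}; None if unusable."""
    m = PROXY_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "dst": m["dst"].lower(), "source": "proxy"}
    m = FW_RE.match(line)
    if m:
        if m["dst"] is None:          # incomplete record: drop it, do not guess
            return None
        # syslog timestamps carry no year; the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
                "dst": m["dst"].lower(), "source": "firewall"}
    return None


def parse_logs(lines):
    """Normalize every parseable line; silently skips unknown or broken ones."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def destinations_by_host(records):
    """host -> set of distinct destinations it contacted, across all sources."""
    by_host = defaultdict(set)
    for r in records:
        by_host[r["host"]].add(r["dst"])
    return by_host


def unpopular_destinations(by_host, max_hosts=1):
    """Destinations contacted by no more than max_hosts distinct hosts."""
    hosts_per_dst = defaultdict(int)
    for dsts in by_host.values():
        for d in dsts:
            hosts_per_dst[d] += 1
    return {d for d, n in hosts_per_dst.items() if n <= max_hosts}


def flag_hosts(records, min_unpopular=3):
    """Behavioural check: hosts reaching >= min_unpopular rare destinations."""
    by_host = destinations_by_host(records)
    rare = unpopular_destinations(by_host)
    return {h: sorted(d & rare) for h, d in by_host.items()
            if len(d & rare) >= min_unpopular}


# Constructed signature list: none of the rare destinations above is on it,
# so a pure blocklist match reports nothing for this sample.
BLOCKLIST = {"known-bad.invalid"}


def signature_hits(records):
    """Signature-style check for contrast: hosts that hit a blocklisted dst."""
    return {r["host"] for r in records if r["dst"] in BLOCKLIST}


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(f"{len(recs)} records parsed from {len(SAMPLE_LOGS)} lines")
    print("signature hits:", signature_hits(recs))
    print("behavioural flags:", flag_hosts(recs))
```

Run as a script it parses nine of the ten constructed lines (the firewall line without a destination is dropped), reports no signature hits, and flags ws-099 as the one host that alone contacts four destinations no other host touches. The point of the contrast is the one the abstract makes: the blocklist knows nothing about those destinations, so only the behavioural view produces an incident for an analyst to triage. Whether "rare destination" is a good feature, and what threshold is sane, depends on the enterprise's own traffic baseline; the values here are illustrative.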