1.
Majd, M., Najafi, P., Alhosseini, S.A., Cheng, F., Meinel, C.: A Comprehensive Review of Anomaly Detection in Web Logs. Proceedings of the 9th IEEE/ACM International Conference on Big Data Computing, Applications and Technologies (BDCAT’22). IEEE Press, Vancouver, Washington, USA (2022).
Anomaly detection is a significant problem that has been researched within diverse research areas and application domains, especially in the area of web-based internet services or cybersecurity. Many anomaly detection techniques have been developed for specific application domains, while others are more generic. The Log files of Web-server give insight into the state of web-server and applications running on it and enable the detection of abnormal incidents or behavior. This paper focuses on particularly web-server HTTP logs to the problems of Web-server Log Anomaly Detection (WLAD) due to their own nature and features and aims to provide a brief review of different Data-driven techniques to get to the bottom of recent studies and developments made in the context of WLAD. Moreover, in this paper, the literature related to webserver logs analysis, as well as other closely related to the WLAD topic, are taken into consideration for review. We have classified existing techniques into different categories based on the underlying approach adopted. When applying a particular technique, these assumptions can be used as guidelines to assess the method's effectiveness in this area. We also provide a basic security anomaly detection approach for each category and compare the existing methods as variants of the basic technique. Further, we identify the cons and pros of the current practices for each category. We also discuss the computational complexity of the methods, which is an essential issue in the domain of Big Data.
2.
Najafi, P., Koehler, D., Cheng, F., Meinel, C.: NLP-based Entity Behavior Analytics for Malware Detection. 2021 IEEE International Performance, Computing, and Communications Conference (IPCCC). pp. 1–5. IEEE (2021).
In this research, we formulate malware detection as a large-scale data-mining problem within Security Information and Event Management (SIEM) systems. We hypothesize that behavioral analysis of executable/process activities, such as file reads/writes, process creations, network connections, or registry modifications, enables the detection of advanced stealthy malware. To achieve this detection, we model processes behaviors as a set of directed acyclic graph streams and identify outliers in the set of graph streams. We enable this detection by conversion of the behavioral graph streams into documents, embedding using state-of-the-art Natural Language Processing model, and eventually performing novel outlier detection on the high dimensional vector representation of the documents. We evaluate our approach in a real-world setting, next to the SIEM system of a large-scale international enterprise (over 3TB of EDR logs). The proposed method has shown the capability to detect previously unknown threats
3.
Klieme, E., Trenz, P., Paeschke, D., Tietz, C., Meinel, C.: DoorCollect: Towards a Smart Door Handle for User Identification based on a Data Collection System for unsupervised Long-Term Experiments. 2021 IEEE Symposium on Computers and Communications (ISCC). pp. 1–7 (2021).
4.
Koehler, D., Serth, S., Meinel, C.: Consuming Security: Evaluating Podcasts to Promote Online Learning Integrated with Everyday Life. Proceedings of the World Engineering Education Forum (2021).
Traditional (online) teaching approaches put the student into a video-based, classroom-like situation. When asked to reproduce the content, the student can consciously remember what he learned and answer accordingly. Contrasting, knowledge of IT-security aspects requires sensitization for the topic throughout the daily life of a learner. We learned from interactions with former learners that they sometimes found themselves in situations where they --- despite knowing better --- still behaved in an undesired way. We thereby conclude that the classroom-based presentation of knowledge in Massive Open Online Courses (MOOCs) is not sufficient for the field of IT-Security Education. Therefore, this work presents an approach to a study to assess and analyze different audio-based methods of conveying knowledge, which can integrate into a learner's everyday life. In the spirit of Open Research, we therefore publish our research questions and chosen methods in order to discuss these within the community. Following, we will study the perception of the proposed education methods by learners and suggest possible improvements for subsequent research.
5.
Schmidt, K., Mühle, A., Grüner, A., Meinel, C.: Clear the Fog: Towards a Taxonomy of Self-Sovereign Identity Ecosystem Members. 18th Annual International Conference on Privacy, Security and Trust (PST). , Auckland, New Zealand (2021).
6.
Mühle, A., Grüner, A., Meinel, C.: Gotta Catch’em All! Improving P2P Network Crawling Strategies. 12th International Conference on Digital Forensics and Cybercrime. , Singpore, Singapore (2021).
Network crawling has been utilised to analyse peer- to-peer systems by academics and industry alike. However, accu- rately capturing snapshots is highly dependant on the crawlers’ speed as the network can be described as a moving target. In this paper, we present improvements based on the example of a newly developed Bitcoin crawler that can be utilised to reduce resource usage/requirements of crawlers and therefore speed up capturing network snapshots. To evaluate the new strategies, we compare our solution, in terms of increased scan rate and increased hit rate during crawling, to a popular open- source Bitcoin monitor. Blocking time is reduced on average to 1.52s, resulting in 94.7% higher scan rates, while time needed to capture a network snapshot is reduced on average by 9% due to increased hit rates during network crawling. While we show our improvements at the example of a new Bitcoin crawler, proven concepts can be transferred to other P2P networks as well.
7.
Najafi, P., Cheng, F., Meinel, C.: SIEMA: Bringing Advanced Analytics to LegacySecurity Information and Event Management. International Conference on Security and Privacy in Communication Networks. Springer (2021).
Within today's organizations, a Security Information and Event Management (SIEM) system is the centralized repository expected to aggregate all security-relevant data. While the primary purpose of SIEM solutions has been regulatory compliance, more and more organizations recognize the value of these systems for threat detection due to their holistic view of the entire enterprise. Today's mature Security Operation Centers dedicate several teams to threat hunting, pattern/correlation rule creation, and alert monitoring. However, traditional SIEM systems lack the capability for advanced analytics as they were designed for different purposes using technologies that are now more than a decade old. n this paper, we discuss the requirements for a next-generation SIEM system that emphasizes analytical capabilities to allow advanced data science and engineering. Next, we propose a reference architecture that can be used to design such systems. We describe our experience in implementing a next-gen SIEM with advanced analytical capabilities, both in academia and industry. Lastly, we illustrate the importance of advanced analytics within today's SIEM with a simple yet complex use case of beaconing detection.
8.
Ehrmann, L., Stolle, M., Klieme, E., Tietz, C., Meinel, C.: Detecting Interaction Activities While Walking Using Smartphone Sensors. In: Barolli, L., Woungang, I., and Enokido, T. (eds.) Advanced Information Networking and Applications. pp. 382–393. Springer (2021).
9.
Mühle, A., Grüner, A., Meinel, C.: Characterising Proxy Usage in the Bitcoin Peer-to-Peer Network. 22nd International Conference on Distributed Computing and Networking (2021).
10.
Koehler, D., Klieme, E., Kreuseler, D., Cheng, F., Meinel, C.: Assessment of Remote Biometric Authentication Systems: Another Take on the Quest to Replace Passwords. Proceedings of 2021 IEEE 5th International Conference on Cryptography, Security and Privacy (CSP 2021). IEEE (2021).
11.
Tietz, C., Klieme, E., Brabender, R., Lasarow, T., Rambold, L., Meinel, C.: Under Pressure: Pushing Down on Me - Touch Sensitive Door Handle to Identify Users at Room Entry. In: Samarati, P., di Vimercati, S.D.C., Obaidat, M.S., and Ben-Othman, J. (eds.) Proceedings of the 17th International Joint Conference on e-Business and Telecommunications, ICETE 2020 - Volume 2: SECRYPT, Lieusaint, Paris, France, July 8-10, 2020. pp. 565–571. ScitePress (2020).
12.
Klieme, E., Wilke, J., van Dornick, N., Meinel, C.: FIDOnuous: A FIDO2/WebAuthn Extension to Support Continuous Web Authentication. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). pp. 1857–1867 (2020).
13.
Tietz, C., Klieme, E., Behrendt, L., Böning, P., Marschke, L., Meinel, C.: Verification of Keyboard Acoustics Authentication on Laptops and Smartphones Using WebRTC. 2019 3rd Cyber Security in Networking Conference (CSNet). pp. 130–137 (2019).
14.
Najafi, P., Mühle, A., Pünter, W., Cheng, F., Meinel, C.: MalRank: A Measure of Maliciousness in SIEM-based Knowledge Graphs. Proceedings of the 35th Annual Computer Security Applications Conference. pp. 417–429. ACM (2019).
In this paper, we formulate threat detection in SIEM environments as a large-scale graph inference problem. We introduce a SIEM- based knowledge graph which models global associations among entities observed in proxy and DNS logs, enriched with related open-source intelligence (OSINT) and cyber threat intelligence (CTI). Next, we propose MalRank, a graph-based inference algorithm designed to infer a node maliciousness score based on its associations to other entities presented in the knowledge graph, e.g., shared IP ranges or name servers. After a series of experiments on real-world data captured from a global enterprise’s SIEM (spanning over 3TB of disk space), we show that MalRank maintains a high detection rate (AUC = 96%) outperforming its predecessor, Belief Propagation, both in terms of accuracy and efficiency. Furthermore, we show that this approach is effective in identifying previously unknown malicious entities such as malicious domain names and IP addresses. The system proposed in this research can be implemented in conjunction with an organization’s SIEM, providing a maliciousness score for all observed entities, hence aiding SOC investigations.
15.
Mühle, A., Grüner, A., Gayvoronskaya, T., Meinel, C.: A survey on essential components of a self-sovereign identity. Computer Science Review. 30, 80–86 (2018).
This paper provides an overview of the Self-Sovereign Identity (SSI) concept, focusing on four different components that we identified as essential to the architecture. Self-Sovereign Identity is enabled by the new development of blockchain technology. Through the trustless, decentralised database that is provided by a blockchain, classic Identity Management registration processes can be replaced. We start off by giving a simple overview of blockchain based SSI, introducing an architecture overview as well as relevant actors in such a system. We further distinguish two major approaches, namely the Identifier Registry Model and its extension the Claim Registry Model. Subsequently we discuss identifiers in such a system, presenting past research in the area and current approaches in SSI in the context of Zooko’s Triangle. As the user of an SSI has to be linked with his digital identifier we also discuss authentication solutions. Most central to the concept of an SSI are the verifiable claims that are presented to relying parties. Resources in the field are only loosely connected. We will provide a more coherent view of verifiable claims in regards to blockchain based SSI and clarify differences in the used terminology. Storage solutions for the verifiable claims, both on- and off-chain, are presented with their advantages and disadvantages.
16.
Klieme, E., Tietz, C., Meinel, C.: Beware of SMOMBIES: Verification of Users Based on Activities While Walking. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). pp. 651–660 (2018).
17.
Najafi, P., Sapegin, A., Cheng, F., Meinel, C.: Guilt-by-Association: Detecting Malicious Entities via Graph Mining. International Conference on Security and Privacy in Communication Systems. pp. 88–107. Springer (2017).
In this paper, we tackle the problem of detecting malicious domains and IP addresses using graph inference. In this regard, we mine proxy and DNS logs to construct an undirected graph in which vertices represent domain and IP address nodes, and the edges represent relationships describing an association between those nodes. More specifically, we investigate three main relationships: subdomainOf, referredTo, andresolvedTo. We show that by providing minimal ground truth information, it is possible to estimate the marginal probability of a domain or IP node being malicious based on its association with other malicious nodes. This is achieved by adopting belief propagation, i.e., an efficient and popular inference algorithm used in probabilistic graphical models. We have implemented our system in Apache Spark and evaluated using one day of proxy and DNS logs collected from a global enterprise spanning over 2 terabytes of disk space. In this regard, we show that our approach is not only efficient but also capable of achieving high detection rate (96% TPR) with reasonably low false positive rates (8% FPR). Furthermore, it is also capable of fixing errors in the ground truth as well as identifying previously unknown malicious domains and IP addresses. Our proposal can be adopted by enterprises to increase both the quality and the quantity of their threat intelligence and blacklists using only proxy and DNS logs.
18.
Klieme, E., Engelbrecht, K.-P., Möller, S.: Poster: Towards Continuous Authentication Based on Mobile Messaging App Usage. Symposium on Usable Privacy and Security. (2014).
