Funding: funded under the Horizon Europe AI4CYBER Project, which has received funding from the European Union's Horizon Europe Research and Innovation Programme under grant agreement No. 101070450.
Abstract: The growing sophistication of cyberthreats, among them Distributed Denial of Service attacks, has exposed limitations in traditional rule-based Security Information and Event Management systems. While machine learning-based intrusion detection systems can capture complex network behaviours, their "black-box" nature often limits trust and actionable insight for security operators. This study introduces a novel approach that integrates Explainable Artificial Intelligence (xAI) with the Random Forest classifier to derive human-interpretable rules, thereby enhancing the detection of Distributed Denial of Service (DDoS) attacks. The proposed framework combines traditional static rule formulation with advanced xAI techniques, SHapley Additive exPlanations (SHAP) and Scoped Rules, to extract decision criteria from a fully trained model. The methodology was validated on two benchmark datasets, CICIDS2017 and WUSTL-IIOT-2021. Extracted rules were evaluated against conventional Security Information and Event Management system rules with metrics such as precision, recall, accuracy, balanced accuracy, and Matthews Correlation Coefficient. Experimental results demonstrate that xAI-derived rules consistently outperform traditional static rules. Notably, the most refined xAI-generated rule achieved near-perfect performance, with significantly improved detection of DDoS traffic while maintaining high accuracy in classifying benign traffic across both datasets.
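The abstract above compares a conventional threshold rule against a rule extracted from a trained model using precision, recall, accuracy, balanced accuracy and MCC. The following is an added example written for this page, not code from the study: it scores a static volume-only rule and a two-condition rule over a handful of constructed flow windows, and includes a one-feature threshold search (a decision stump maximising MCC) as a deliberately simple stand-in for the Random Forest + SHAP extraction step, which needs trained-model libraries that are not assumed here. The feature names (pkts_per_s, syn_ratio, unique_src_ips), the thresholds and every record are assumptions and are not drawn from CICIDS2017 or WUSTL-IIOT-2021.

```python
"""Added example (not the paper's code): evaluate a static SIEM-style DDoS
rule against a refined two-condition rule with the metrics the abstract
names, and derive an interpretable single-threshold rule from labelled data.

All flow windows below are constructed for illustration; feature names and
thresholds are assumptions, not values from CICIDS2017 or WUSTL-IIOT-2021.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    pkts_per_s: float
    syn_ratio: float      # fraction of packets that are bare SYNs
    unique_src_ips: int   # distinct sources seen in the window
    is_ddos: bool         # ground-truth label (constructed)


# Constructed windows: benign bursts (a bulk backup, a flash crowd) that a
# volume-only rule mistakes for attacks, and DDoS windows that are SYN-heavy
# and many-sourced, two of them below the static volume threshold.
FLOWS = [
    Flow(120, 0.05, 3, False),
    Flow(9500, 0.04, 2, False),    # bulk backup: high volume, single source
    Flow(8700, 0.06, 5, False),    # flash crowd via CDN: few sources
    Flow(300, 0.10, 4, False),
    Flow(50, 0.02, 1, False),
    Flow(12000, 0.92, 850, True),
    Flow(15000, 0.88, 1200, True),
    Flow(7000, 0.95, 640, True),   # below the static volume threshold
    Flow(20000, 0.90, 3000, True),
    Flow(6500, 0.85, 410, True),   # below the static volume threshold
]
FEATURES = ("pkts_per_s", "syn_ratio", "unique_src_ips")

Rule = Callable[[Flow], bool]


def static_rule(f: Flow) -> bool:
    """Conventional SIEM threshold rule: packet volume only (assumed value)."""
    return f.pkts_per_s > 8000


def refined_rule(f: Flow) -> bool:
    """Two-condition rule of the kind an xAI pass can surface: SYN-heavy
    traffic from many distinct sources (thresholds are assumptions)."""
    return f.syn_ratio > 0.5 and f.unique_src_ips > 100


def confusion(rule: Rule, flows: Iterable[Flow]) -> tuple[int, int, int, int]:
    tp = fp = tn = fn = 0
    for f in flows:
        pred = rule(f)
        if pred and f.is_ddos:
            tp += 1
        elif pred:
            fp += 1
        elif f.is_ddos:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def metrics(rule: Rule, flows: list[Flow]) -> dict[str, float]:
    """Precision, recall, accuracy, balanced accuracy and MCC for one rule."""
    tp, fp, tn, fn = confusion(rule, flows)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / denom if denom else 0.0
    return {
        "precision": precision,
        "recall": recall,
        "accuracy": (tp + tn) / len(flows),
        "balanced_accuracy": (recall + specificity) / 2,
        "mcc": mcc,
    }


def best_stump(flows: list[Flow]) -> tuple[str, float, float]:
    """Exhaustive one-feature threshold search maximising MCC. This is the
    simplest interpretable rule one can derive from labelled data and stands
    in here for the model-based extraction the abstract describes."""
    best = ("", 0.0, -1.0)
    for feat in FEATURES:
        vals = sorted({getattr(f, feat) for f in flows})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2          # midpoint between adjacent values
            mcc = metrics(lambda f, a=feat, t=thr: getattr(f, a) > t, flows)["mcc"]
            if mcc > best[2]:
                best = (feat, thr, mcc)
    return best


if __name__ == "__main__":
    for name, rule in (("static", static_rule), ("refined", refined_rule)):
        print(name, {k: round(v, 3) for k, v in metrics(rule, FLOWS).items()})
    print("stump:", best_stump(FLOWS))
```

On this constructed data the volume-only rule scores MCC 0.2 (it fires on the backup and the flash crowd and misses the two lower-rate floods), while the two-condition rule and the best stump (syn_ratio above roughly 0.475) separate the classes completely; MCC and balanced accuracy are the numbers to watch, since plain accuracy is flattered by any class imbalance in the windows.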
Abstract: On 12 December 2024, the China-Cambodia Friendship Carnival under the Action Plan on Silk Road People-to-People Connectivity, co-hosted by China Foundation for Peace and Development (CFPD) and the Youth House for Cambodia-China Friendship (YHCCF), kicked off in Siem Reap.
Abstract: As the CNPC Group places growing emphasis on its intelligent drilling business and expands it, drilling enterprises generate large volumes of data every day. This data not only contains rich drilling-related knowledge but also involves many strategic or commercial secrets that bear on national and corporate interests. In the new era of data explosion and widespread artificial intelligence, requirements for network and data security are therefore rising. Drilling enterprises are inherently dispersed in layout and span wide geographic regions, so building security barriers is harder for them than for other enterprises and requires more security measures. This paper proposes an implementation scheme for a Security Information and Event Management (SIEM) system. Building on existing network security measures, the system uses data fusion and machine learning algorithms to extend them into a new system that can significantly improve the efficiency of network administrators, discover and handle potential threats more promptly and accurately, and effectively strengthen the enterprise's existing security barrier.
Abstract: This paper describes the process of implementing SIEM (security information and event management) systems in an IT environment and the impact of human factors on that process. The introductory part of the paper lists the security systems most often used in corporate environments, the key functionalities of SIEM systems, and their importance in the overall security of the IT environment. Recommendations are then listed for the successful implementation of SIEM systems, whose goal is a higher level of corporate network security. Optimization of SIEM implementation through all of its stages is presented next. Finally, the influence of the human factor on the implementation of these systems is described, as well as the impact of human perception on the detection of attacks.
Abstract: The need for SIEM (Security Information and Event Management) systems has increased in recent years. Many companies seek to reinforce their security capabilities to better safeguard against cybersecurity threats, so they adopt multi-layered security strategies that include a SIEM solution. However, implementing a SIEM solution is not just an installation phase that fits any scenario within any organization; the best SIEM system for one organization may not be suitable at all for another. An organization should consider other factors along with the technical side when evaluating a SIEM solution. This paper proposes an approach to aid enterprises in selecting an applicable SIEM. It starts by suggesting, in a systematic way, the requirements that a SIEM should address, and then proposes a methodology for evaluating SIEM solutions that measures the compliance and applicability of any SIEM solution. The approach aims to support companies seeking to adopt SIEM systems in their environments, suggesting suitable answers to preferred requirements that are believed to be valuable prerequisites for a SIEM system, and criteria for judging SIEM systems through an evaluation process composed of quantitative and qualitative methods. Unlike others, this approach is customer driven: customer needs are taken into account throughout, specifically when defining the requirements and then evaluating the suppliers' solutions.
Abstract: Addressing the characteristics of advanced persistent threat (APT) attacks, namely a long incubation period, high stealth, strong targeting and long duration, an APT attack detection framework based on a Security Information and Event Management (SIEM) system is proposed. The framework is divided into two modules: network-perimeter log analysis and internal network traffic analysis. The perimeter log analysis module uses big-data analytics to integrate and correlate, in real time, the massive heterogeneous security logs and traffic produced by the various security devices, and uses signature-based detection to build the first layer of malicious-code detection, forming the first line of defense against APT attacks at the network or host perimeter. The internal traffic analysis module uses big-data analytics to filter internal network traffic, works in concert with the perimeter log analysis module, and combines static homology classification based on graph edit distance to build the second layer of malicious-code detection, focusing on encrypted C&C channels, 0-day vulnerabilities and polymorphic trojans. Through network forensic analysis, full-traffic retrospection is used to discover anomalies, Bloom filters to filter intrusion behavior, and virtual execution analysis to reconstruct APT attack events, thereby forming the internal-network line of defense against APT attacks.
Funding: supported by the project "Airfield" under the PoC Launchpad initiative funded by the Fondazione Compagnia di San Paolo.
Abstract: Industrial Control Systems (ICS) in Operational Technology (OT) environments face unique cybersecurity challenges due to legacy systems, critical operational needs, and incompatibility with standard IT security practices. To address these challenges, this paper presents the Security Operation and Event Management (SOEM) platform, software designed to support Security Operations Centers (SOCs) in reaching full visibility of OT environments. SOEM integrates diverse log sources and intrusion detection systems, including logs generated by the control system itself and additional off-the-shelf products, to enhance situational awareness and enable rapid incident response. The pilot project was carried out within the funded project SOC-OT-IGE from the "Centro di Competenza Start 4.0" and is being developed in partnership with Ansaldo Energia and HWG Sababa. Validation was conducted in a real-world pilot project. Thanks to the mapping to requirements for compliance with IEC 62443, the platform demonstrates its effectiveness through defined key performance indicators (KPIs). This work bridges the gap between IT-centric SOC methodologies and the specialized needs of industrial cybersecurity.
Abstract: Security Information and Event Management (SIEM) platforms are critical for organizations to monitor and manage their security operations centers. However, organizations using SIEM platforms face several challenges, such as inefficient alert management and poor integration with real-time communication tools. These challenges cause delays and cost penalties for organizations in their efforts to resolve alerts and potential security breaches. This paper introduces the cybersecurity Alert Distribution and Response Network (Adrian) system. Adrian introduces a novel enhancement to SIEM platforms by integrating SIEM functionalities with real-time collaboration platforms. Adrian leverages the ubiquity of the mobile applications of collaboration platforms to provide real-time alerts, enabling a two-way communication channel that facilitates immediate response to security incidents and efficient SIEM platform management. To demonstrate Adrian's capabilities, we present a case study that integrates Wazuh, a SIEM platform, with Slack, a collaboration platform. The case study demonstrates all the functionalities of Adrian, including real-time alert distribution, alert customization, alert categorization, and enablement of management activities, thereby increasing responsiveness and efficiency. The study concludes with a discussion of the potential expansion of Adrian's capabilities, including the incorporation of artificial intelligence (AI) for enhanced alert prioritization and response automation.
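To make the Wazuh-to-Slack flow in the abstract concrete, here is an added example written for this page; it is not Adrian's code and does not use its API. It takes alert records in the field layout of Wazuh's alerts.json (rule.level, rule.id, rule.description, agent.name, timestamp, id), categorizes them into a Slack channel by severity, suppresses repeats of the same rule/agent pair inside a window, builds the Block Kit payload an incoming webhook would receive, and handles an "Acknowledge" button press coming back from Slack, which is the return leg of the two-way channel. The alert contents, rule IDs, channel mapping and dedup window are constructed assumptions, and nothing is sent over the network.

```python
"""Added example (not Adrian's code): route Wazuh alerts to Slack by
severity, suppress repeats, and consume an 'ack' interaction from Slack.

Alert dicts follow the field layout of Wazuh's alerts.json; their contents,
the rule IDs (custom-rule range), the channel mapping and the dedup window
are constructed assumptions. build_payload() returns the JSON body an
incoming webhook would receive instead of posting it, so this runs offline.
"""
import json
from datetime import datetime, timedelta
from typing import Optional

# Assumed severity-to-channel mapping (Wazuh rule levels run 0..15).
CHANNEL_BY_LEVEL = [(12, "#soc-critical"), (7, "#soc-high"), (0, "#soc-low")]
DEDUP_WINDOW = timedelta(minutes=10)   # assumed suppression window


def channel_for(level: int) -> str:
    for floor, chan in CHANNEL_BY_LEVEL:
        if level >= floor:
            return chan
    return "#soc-low"


class AlertRouter:
    """In-memory state: when each (rule.id, agent) pair was last posted and
    which alert ids analysts acknowledged from Slack."""

    def __init__(self) -> None:
        self._last_sent: dict[tuple[str, str], datetime] = {}
        self.acknowledged: set[str] = set()

    def build_payload(self, alert: dict) -> Optional[dict]:
        """Return a Slack Block Kit message for this alert, or None when the
        same rule fired on the same agent inside the dedup window."""
        rule, agent = alert["rule"], alert["agent"]
        ts = datetime.fromisoformat(alert["timestamp"])
        key = (rule["id"], agent["name"])
        last = self._last_sent.get(key)
        if last is not None and ts - last < DEDUP_WINDOW:
            return None
        self._last_sent[key] = ts
        summary = f"*[L{rule['level']}] {rule['description']}* on `{agent['name']}`"
        return {
            "channel": channel_for(rule["level"]),
            "text": summary,   # plain fallback used in notifications
            "blocks": [
                {"type": "section", "text": {"type": "mrkdwn", "text": summary}},
                {"type": "context", "elements": [{
                    "type": "mrkdwn",
                    "text": f"rule {rule['id']} | alert {alert['id']} | {alert['timestamp']}"}]},
                {"type": "actions", "elements": [{
                    "type": "button",
                    "text": {"type": "plain_text", "text": "Acknowledge"},
                    "action_id": "ack", "value": alert["id"]}]},
            ],
        }

    def handle_interaction(self, interaction: dict) -> str:
        """Process a Slack block_actions callback (the return leg of the
        two-way channel). Only the 'ack' action is understood here."""
        for action in interaction.get("actions", []):
            if action.get("action_id") == "ack":
                self.acknowledged.add(action["value"])
                return f"acknowledged {action['value']}"
        return "ignored"


def route_all(alerts: list[dict], router: AlertRouter) -> list[dict]:
    """Payloads to post, in order, with suppressed repeats dropped."""
    return [p for p in (router.build_payload(a) for a in alerts) if p is not None]


# Constructed alerts: an SSH brute-force pair three minutes apart on the same
# host (the second is suppressed) and a critical alert on another host.
ALERTS = [
    {"id": "1700000000.1", "timestamp": "2024-01-01T10:00:00+00:00",
     "rule": {"id": "100001", "level": 10, "description": "sshd: brute force attempt"},
     "agent": {"name": "web-01"}},
    {"id": "1700000180.2", "timestamp": "2024-01-01T10:03:00+00:00",
     "rule": {"id": "100001", "level": 10, "description": "sshd: brute force attempt"},
     "agent": {"name": "web-01"}},
    {"id": "1700000300.3", "timestamp": "2024-01-01T10:05:00+00:00",
     "rule": {"id": "100002", "level": 13, "description": "Unexpected setuid binary created"},
     "agent": {"name": "db-02"}},
]

if __name__ == "__main__":
    router = AlertRouter()
    for payload in route_all(ALERTS, router):
        print(json.dumps(payload, indent=1))
    print(router.handle_interaction(
        {"actions": [{"action_id": "ack", "value": "1700000300.3"}]}))
```

The button's `value` carries the Wazuh alert id, so the acknowledgement that comes back from Slack can be matched to the original event without any lookup in the collaboration tool; in a real deployment the interaction endpoint must also verify Slack's request signature before trusting that callback, which this offline example omits.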
Abstract: Internet services and web-based applications play pivotal roles in various sensitive domains, encompassing e-commerce, e-learning, e-healthcare, and e-payment. However, safeguarding these services poses a significant challenge, as the need for robust security measures becomes increasingly imperative. This paper presents an innovative method based on differential analysis to detect abrupt changes in network traffic characteristics. The core concept is to identify abrupt alterations in certain characteristics, such as input/output volume, the number of TCP connections, or DNS queries, within the analyzed traffic. Initially, the traffic is segmented into distinct sequences of slices, and specific characteristics are quantified for each slice. Subsequently, the distance between successive values of these measured characteristics is computed and clustered to detect sudden changes. To accomplish its objectives, the approach combines several techniques, including propositional logic, distance metrics (e.g., Kullback-Leibler Divergence), and clustering algorithms (e.g., K-means). When applied to two distinct datasets, the proposed approach demonstrates exceptional performance, achieving detection rates of up to 100%.
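The pipeline in the abstract (slice the traffic, measure each slice, take the distance between successive slices, cluster the distances, combine the outcomes with a propositional rule) is short enough to show end to end. The following is an added example written for this page in plain Python, not the paper's code: each slice carries a destination-port histogram and a count of new TCP connections, the port distributions of successive slices are compared with a smoothed Kullback-Leibler divergence, the connection counts by absolute difference, each distance series is split with a one-dimensional 2-means, and a slice is reported when the assumed rule "port-mix jump OR connection jump" holds. The slice contents, the add-one smoothing and the combination rule are constructed assumptions.

```python
"""Added example (not the paper's code): differential analysis of traffic
slices with KL divergence, 1-D 2-means clustering and a propositional
combination rule. Slices below are constructed, not captured traffic."""
import math
from collections import Counter

# Constructed 30-second slices: destination-port samples and new TCP
# connections. Slices 0-4 are steady web/DNS traffic, slices 5-6 a SYN flood
# on port 80, slice 7 the return to normal (also an abrupt change).
SLICES = [
    {"ports": Counter({443: 60, 80: 30, 53: 10}), "tcp_conns": 120},
    {"ports": Counter({443: 58, 80: 32, 53: 10}), "tcp_conns": 125},
    {"ports": Counter({443: 62, 80: 28, 53: 10}), "tcp_conns": 118},
    {"ports": Counter({443: 59, 80: 31, 53: 10}), "tcp_conns": 122},
    {"ports": Counter({443: 61, 80: 29, 53: 10}), "tcp_conns": 121},
    {"ports": Counter({443: 60, 80: 900, 53: 10}), "tcp_conns": 1500},
    {"ports": Counter({443: 58, 80: 920, 53: 10}), "tcp_conns": 1480},
    {"ports": Counter({443: 60, 80: 30, 53: 10}), "tcp_conns": 120},
]
REASONS = ("port-mix", "tcp-conns")


def kl_divergence(p: Counter, q: Counter, alpha: float = 1.0) -> float:
    """D(P || Q) over the union of keys with add-alpha smoothing, so a port
    that appears in only one slice does not produce log(0)."""
    keys = set(p) | set(q)
    ptot = sum(p.values()) + alpha * len(keys)
    qtot = sum(q.values()) + alpha * len(keys)
    total = 0.0
    for k in keys:
        pk = (p[k] + alpha) / ptot
        qk = (q[k] + alpha) / qtot
        total += pk * math.log(pk / qk)
    return total


def two_means(xs: list[float], iters: int = 100) -> list[bool]:
    """1-D k-means with k=2 seeded at the min and max. Returns True for
    members of the upper cluster. Seeding at the extremes guarantees both
    clusters stay non-empty, so no division by zero can occur."""
    lo, hi = min(xs), max(xs)
    upper = [False] * len(xs)
    if hi == lo:
        return upper
    for _ in range(iters):
        upper = [abs(x - hi) < abs(x - lo) for x in xs]
        new_lo = sum(x for x, u in zip(xs, upper) if not u) / upper.count(False)
        new_hi = sum(x for x, u in zip(xs, upper) if u) / upper.count(True)
        if (new_lo, new_hi) == (lo, hi):
            break
        lo, hi = new_lo, new_hi
    return upper


def detect(slices: list[dict]) -> dict[int, list[str]]:
    """Map each flagged slice index to the characteristics that jumped.
    Differences are taken between slice i and slice i-1, so index 0 of
    each distance series belongs to slice 1."""
    kl = [kl_divergence(slices[i]["ports"], slices[i - 1]["ports"])
          for i in range(1, len(slices))]
    jump = [float(abs(slices[i]["tcp_conns"] - slices[i - 1]["tcp_conns"]))
            for i in range(1, len(slices))]
    high_kl, high_jump = two_means(kl), two_means(jump)
    flagged: dict[int, list[str]] = {}
    for i, hits in enumerate(zip(high_kl, high_jump)):
        reasons = [name for name, hit in zip(REASONS, hits) if hit]
        if reasons:   # propositional rule: port-mix OR tcp-conns
            flagged[i + 1] = reasons
    return flagged


if __name__ == "__main__":
    for idx, why in detect(SLICES).items():
        print(f"slice {idx}: abrupt change in {', '.join(why)}")
```

Two things the run makes visible that the prose does not: the onset of the flood and its end are both flagged, because the method reacts to change rather than to absolute level, and slice 6 (flood continuing) is quiet, since consecutive flood slices resemble each other. The AND/OR choice in `detect` is where the propositional logic lives; requiring both characteristics to jump trades missed subtle events for fewer false alarms.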
Abstract: Over time, the world has transformed digitally and there is total dependence on the internet. Ever more gadgets are continuously interconnected in the internet ecosystem. This fact has made the Internet a global information source for everyone. Despite all this, the knowledge of cybercriminals has advanced and resulted in different attack methodologies against the internet and its data stores. This paper discusses the origin and significance of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks remain the most effective methods used by the bad guys to cause substantial operational, reputational, and financial damage to organizations globally, and they have hindered network performance and availability. The victim's network is flooded with massive illegitimate traffic, hence denying passage to genuine traffic from authorized users. The paper explores detection mechanisms and mitigation techniques for this network threat.
Abstract: Efficient scattering computation for Gaussian rough surfaces is achieved with the Stochastic Integral Equation Method (SIEM). Compared with the traditional Monte Carlo method (MC) for solving the scattering characteristics of random rough surfaces, this method uses a statistical facet Green's function that accounts for the field-source coupling effect of the surface's Gaussian random distribution, so the matrix elements and the unknowns need to be computed only once, which improves the computational efficiency for rough-surface problems. Numerical results show that the method agrees with MC while the computational efficiency is significantly improved.