CERIAS - Center for Education and Research in Information Assurance and Security

Skip Navigation
Purdue University - Discovery Park
Center for Education and Research in Information Assurance and Security

Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks

Ting-Fang Yen - RSA

Feb 12, 2014

Size: 132.8MB

Download: Video Icon MP4 Video  
Watch in your Browser   Watch on Youtube Watch on YouTube


As more and more Internet-based attacks arise, organizations are responding
by deploying an assortment of security products that generate situational
intelligence in the form of logs. These logs often contain high volumes of
interesting and useful information about activities in the network, and are
among the first data sources that information security specialists consult
when they suspect that an attack has taken place. However, security products
often come from a patchwork of vendors, and are inconsistently installed and
administered. They generate logs whose formats differ widely and that are
often incomplete, mutually contradictory, and very large in volume. Hence,
although this collected information is useful, it is often dirty.

We present a novel system, Beehive, that attacks the problem of
automatically mining and extracting knowledge from the dirty log data
produced by a wide variety of security products in a large enterprise. We
improve on signature-based approaches to detecting security incidents and
instead identify suspicious host behaviors that Beehive reports as potential
security incidents. These incidents can then be further analyzed by incident
response teams to determine whether a policy violation or attack has
occurred. We have evaluated Beehive on the log data collected in a large
enterprise, EMC, over a period of two weeks. We compare the incidents
identified by Beehive against enterprise Security Operations Center
reports, antivirus software alerts, and feedback from enterprise security
specialists. We show that Beehive is able to identify malicious events and
policy violations which would otherwise go undetected.

About the Speaker

Ting-Fang Yen is a research scientist at RSA Laboratories, the security division of EMC. Ting-Fang's research interests include network security and data analysis for security applications. Ting-Fang received a B.S. degree in Computer Science and Information Engineering from National Chiao Tung University, Taiwan, and M.S. and Ph.D. degrees in Electrical and Computer Engineering from Carnegie Mellon University.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M. STEW G52, West Lafayette Campus. More information...


The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.