The Center for Education and Research in Information Assurance and Security (CERIAS)

Ting-Fang Yen - RSA

Beehive: Large-Scale Log Analysis for Detecting Suspicious Activity in Enterprise Networks

Feb 12, 2014

Download: MP4 Video (132.8MB)
Watch on YouTube

Abstract

As more and more Internet-based attacks arise, organizations are responding
by deploying an assortment of security products that generate situational
intelligence in the form of logs. These logs often contain high volumes of
interesting and useful information about activities in the network, and are
among the first data sources that information security specialists consult
when they suspect that an attack has taken place. However, security products
often come from a patchwork of vendors, and are inconsistently installed and
administered. They generate logs whose formats differ widely and that are
often incomplete, mutually contradictory, and very large in volume. Hence,
although this collected information is useful, it is often dirty.

We present a novel system, Beehive, that attacks the problem of
automatically mining and extracting knowledge from the dirty log data
produced by a wide variety of security products in a large enterprise. We
improve on signature-based approaches to detecting security incidents and
instead identify suspicious host behaviors that Beehive reports as potential
security incidents. These incidents can then be further analyzed by incident
response teams to determine whether a policy violation or attack has
occurred. We have evaluated Beehive on the log data collected in a large
enterprise, EMC, over a period of two weeks. We compare the incidents
identified by Beehive against enterprise Security Operations Center
reports, antivirus software alerts, and feedback from enterprise security
specialists. We show that Beehive is able to identify malicious events and
policy violations which would otherwise go undetected.

About the Speaker

Ting-Fang Yen is a research scientist at RSA Laboratories, the security division of EMC. Ting-Fang's research interests include network security and data analysis for security applications. Ting-Fang received a B.S. degree in Computer Science and Information Engineering from National Chiao Tung University, Taiwan, and M.S. and Ph.D. degrees in Electrical and Computer Engineering from Carnegie Mellon University.
