SURELOG SIEM PROFILER
SureLog uses automated behavioral profiling to detect anomalies and to derive rules from the data, surfacing security events that need investigation. Behavior analysis and profiling in SureLog rely on statistical modeling and data science to identify patterns of behavior and compare them against other human or machine activity. The Profiler is a feature-extraction mechanism that generates a profile describing the behavior of an entity. An entity can be any field of a message, such as the protocol used in a communication, as well as a server, user, subnet or application. Once a profile has been generated that defines what normal behavior looks like, models can be built that identify anomalous behavior.
In SureLog, the Profiler enhances SIEM correlation rules through baselining. This is achieved by summarizing the streaming telemetry consumed by SureLog over sliding windows; in effect, profiling compresses time. A summary statistic (for example a sum or count) is applied to the data received within a given window, and collecting that summary across many windows yields a time series that can be analyzed for deviations from normal.
Any field contained within a message can be used to generate a profile, and a profile can combine fields that originate in different data sources. A user has considerable power to transform the data used in a profile through the SureLog correlation engine: profiles are defined in the SureLog Rule as a Code platform [1], which is powered by Java, so the Profiler is configured in Java inside correlation rules.
Profile definition:
result=Profiler.update(profilename, foreach, filter, hour, dayofweek, day, month, function, data)
A profile is defined as a Java method call. As used in the examples below, its elements are:
profilename: the name of the profile, e.g. "Profiler-10".
foreach: the entity the profile is kept for, one series per distinct value, e.g. the source account or the source machine.
filter: the sub-key within the profile that this update feeds, usually the name of the counter, e.g. "http_total" (Example 5 uses the source machine here).
hour, dayofweek, day, month: the time bucket the value is accumulated into, taken from the event's timestamp.
function: the summary statistic applied within the bucket ("SUM" or "ADD" in the examples).
data: the value this event contributes, e.g. 1 for a count or a byte count for a volume.
Example 1:
The ratio of DNS traffic to HTTP traffic for each source account. The following profiler rule as code generates this profile (one statement per line; string values are compared with equals(), since == on Java strings compares references, not contents):
Profiler profiler=new Profiler();
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-10",generalcorrelationobject1.getSourceAccount(),"http_total",generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"SUM",1);
else if ("DNS".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-10",generalcorrelationobject1.getSourceAccount(),"dns_total",generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"SUM",1);
Baseline creation:
createweekdaybaseline(String pure_profile_name, int dayofweek, int lastnumberofweeks, String parameter)
Since the profile above is kept per source account, each baseline belongs to a known user. The following example shows how this profile data might be retrieved: take the values of http_total and dns_total over the past 4 weeks for day-of-week index 5 (the original comment calls this the 4th day of the week, Tuesday; use whatever numbering getDayOfWeek() returns) and compare their ratio across users using percentiles. A percentile (or centile) is a statistical measure indicating the value below which a given percentage of observations in a group fall; for example, the 20th percentile is the value below which 20% of the observations are found.
ProfilerUtil pu=new ProfilerUtil();
// look for users whose HTTP-to-DNS ratio over the last four weeks, on day-of-week 5, is 300% above the 95th percentile of the other users' ratios
pu.percentile(95,300,"Profiler-10",5,4,"http_total","dns_total");
Example 2:
The total number of bytes of HTTP data for each host
Profiler profiler=new Profiler();
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-HTTP",generalcorrelationobject1.getSourceMachine(),"http_size",generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"SUM",generalcorrelationobject1.getRCVD());
The following example shows how this profile data might be retrieved: take the values of http_size over the past 4 weeks for day-of-week index 5 (as in Example 1), calculate percentiles, and return the source IPs whose HTTP byte volume exceeds the 95th percentile of the other source IPs by more than 10%.
ProfilerUtil pu=new ProfilerUtil();
// look for source machines whose HTTP volume over the last four weeks, on day-of-week 5, is 10% above the 95th percentile of the other source machines
pu.percentile(95,10,"Profiler-HTTP",5,4);
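As an added example (not SureLog's own Profiler code), the following self-contained Java program models what the update, createweekdaybaseline and percentile calls of Examples 1 and 2 compute: values are summed into (week, weekday, hour) buckets per entity, a weekday baseline sums one weekday over the last N weeks, and an entity is flagged when its ratio of two counters (Example 1) or its plain counter value (Example 2) exceeds the given percentile of the other entities by the given percentage. The class, method and bucket names, the nearest-rank percentile, the week numbering and the sample counts are assumptions; Java 16 or later is needed for the record.

```java
import java.util.*;
import java.util.stream.*;

/**
 * Added example, not SureLog's Profiler code: a minimal stand-in for the
 * update / createweekdaybaseline / percentile calls of Examples 1 and 2.
 * Names and the bucket layout are assumptions made for illustration.
 */
public class ProfilerDemo {

    /** One time bucket: the week, weekday and hour a value was summed into. */
    record Bucket(int week, int dayOfWeek, int hour) {}

    /** profile -> entity -> parameter -> bucket -> summed value. */
    private final Map<String, Map<String, Map<String, Map<Bucket, Double>>>> store = new HashMap<>();

    /** Like Profiler.update(..., "SUM", value): add value into the entity's bucket. */
    public void update(String profile, String entity, String parameter,
                       int week, int dayOfWeek, int hour, double value) {
        store.computeIfAbsent(profile, k -> new HashMap<>())
             .computeIfAbsent(entity, k -> new HashMap<>())
             .computeIfAbsent(parameter, k -> new HashMap<>())
             .merge(new Bucket(week, dayOfWeek, hour), value, Double::sum);
    }

    /** Like createweekdaybaseline: per entity, total of parameter on dayOfWeek over the last N weeks. */
    public Map<String, Double> weekdayBaseline(String profile, int dayOfWeek, int lastWeeks, String parameter) {
        Map<String, Map<String, Map<Bucket, Double>>> entities = store.getOrDefault(profile, Map.of());
        // the newest week present defines the sliding window; weeks older than newest-lastWeeks are ignored
        int newest = entities.values().stream()
                .flatMap(p -> p.values().stream()).flatMap(b -> b.keySet().stream())
                .mapToInt(Bucket::week).max().orElse(0);
        Map<String, Double> baseline = new TreeMap<>();
        entities.forEach((entity, params) -> {
            double total = params.getOrDefault(parameter, Map.of()).entrySet().stream()
                    .filter(e -> e.getKey().dayOfWeek() == dayOfWeek && e.getKey().week() > newest - lastWeeks)
                    .mapToDouble(Map.Entry::getValue).sum();
            baseline.put(entity, total);
        });
        return baseline;
    }

    /** Nearest-rank percentile of a list of values (assumed definition). */
    static double percentile(List<Double> values, int pct) {
        List<Double> sorted = values.stream().sorted().collect(Collectors.toList());
        int rank = (int) Math.ceil(pct / 100.0 * sorted.size());
        return sorted.get(Math.max(0, rank - 1));
    }

    /**
     * Like ProfilerUtil.percentile(pct, pctAbove, profile, dayOfWeek, weeks, num, den):
     * entities whose num/den ratio (or plain num value when den is null) exceeds the
     * pct-th percentile of all OTHER entities by more than pctAbove percent.
     */
    public List<String> outliers(int pct, int pctAbove, String profile, int dayOfWeek, int weeks,
                                 String num, String den) {
        Map<String, Double> top = weekdayBaseline(profile, dayOfWeek, weeks, num);
        Map<String, Double> bottom = den == null ? null : weekdayBaseline(profile, dayOfWeek, weeks, den);
        Map<String, Double> score = new TreeMap<>();
        top.forEach((entity, v) -> {
            double d = bottom == null ? 1.0 : bottom.getOrDefault(entity, 0.0);
            if (d > 0) score.put(entity, v / d);   // an entity with no denominator traffic has no ratio
        });
        List<String> flagged = new ArrayList<>();
        score.forEach((entity, s) -> {
            List<Double> others = score.entrySet().stream()
                    .filter(e -> !e.getKey().equals(entity)).map(Map.Entry::getValue).collect(Collectors.toList());
            if (others.isEmpty()) return;
            double threshold = percentile(others, pct) * (1 + pctAbove / 100.0);
            if (s > threshold) flagged.add(entity);
        });
        return flagged;
    }

    public static void main(String[] args) {
        ProfilerDemo p = new ProfilerDemo();
        // Constructed sample: weekly HTTP and DNS event counts on weekday 5 for weeks 0..4;
        // with a 4-week window only weeks 1..4 count, and the weekday-2 values are ignored.
        String[][] normal = {{"bob", "120", "60"}, {"carol", "90", "45"}, {"dave", "100", "40"}, {"erin", "80", "50"}};
        for (int week = 0; week <= 4; week++) {
            for (String[] u : normal) {
                p.update("Profiler-10", u[0], "http_total", week, 5, 9, Double.parseDouble(u[1]));
                p.update("Profiler-10", u[0], "dns_total", week, 5, 9, Double.parseDouble(u[2]));
            }
            p.update("Profiler-10", "alice", "dns_total", week, 5, 9, 40);
            p.update("Profiler-10", "alice", "http_total", week, 5, 9, week == 0 ? 10 : 1000);
            p.update("Profiler-10", "alice", "http_total", week, 2, 9, 5);
        }
        System.out.println("http_total baseline: " + p.weekdayBaseline("Profiler-10", 5, 4, "http_total"));
        // Example 1: HTTP-to-DNS ratio 300% above the 95th percentile of the other users
        System.out.println("ratio outliers: " + p.outliers(95, 300, "Profiler-10", 5, 4, "http_total", "dns_total"));
        // Example 2: a single counter 10% above the 95th percentile of the other entities
        System.out.println("volume outliers: " + p.outliers(95, 10, "Profiler-10", 5, 4, "http_total", null));
    }
}
```

The percentile is taken over the other entities only, as the original comment says ("the other users"), so a single extreme entity cannot raise its own threshold; an entity with zero denominator traffic is skipped rather than dividing by zero.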
Example 3:
The average URL length of HTTP requests for each source machine. The following configuration sums the URL length per source machine into the profile; the hourly mean is computed from it below:
Profiler profiler=new Profiler();
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-HTTP-Length",generalcorrelationobject1.getSourceMachine(),"http_length",generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"SUM",generalcorrelationobject1.getURL().length());
To compute the mean of this profile over the last 7 hours:
ProfilerUtil pu=new ProfilerUtil();
// Mean for the last 7 hours
result=pu.meanHourly("Profiler-HTTP-Length",7);
Example 4:
These examples assume a profile has been defined called ‘snort-alerts’ that tracks the number of Snort alerts associated with an IP address over time. The profile definition might look similar to the following.
Profiler profiler=new Profiler();
if ("Snort".equals(generalcorrelationobject1.getLogSubType()))
    profiler.update("Profiler-Snort",generalcorrelationobject1.getSourceMachine(),"snort",generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"SUM",1);
To compute the mean number of Snort alerts per hour over the last 7 hours:
ProfilerUtil pu=new ProfilerUtil();
// Mean for the last 7 hours
result=pu.meanHourly("Profiler-Snort",7);
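As an added example (not SureLog's code), the following Java program shows what the hourly SUM profile of Examples 3 and 4 and the meanHourly(profile, 7) retrieval give you once combined into a detection: per-source Snort alert counts are bucketed by hour, the mean of the seven preceding hours is the baseline, and a source is flagged when its current hour is several times that mean. It keeps a single day of hourly buckets and parses constructed Snort-style lines; the class, method names, line format, the factor and the minimum count are assumptions.

```java
import java.util.*;
import java.util.regex.*;

/**
 * Added example, not SureLog's Profiler code: hourly per-source alert counts and a
 * meanHourly-style spike check, as Examples 3 and 4 set up. One day of hourly
 * buckets is kept for brevity (assumption); names and the log format are invented.
 */
public class HourlyMeanDemo {

    /** entity -> alert count per hour of day. */
    private final Map<String, double[]> hourly = new HashMap<>();

    /** Like Profiler.update(profile, sourceMachine, "snort", hour, ..., "SUM", 1). */
    public void update(String entity, int hour, double value) {
        hourly.computeIfAbsent(entity, k -> new double[24])[hour] += value;
    }

    /** Like ProfilerUtil.meanHourly(profile, n): mean of the n hours preceding currentHour. */
    public double meanHourly(String entity, int currentHour, int n) {
        double[] h = hourly.getOrDefault(entity, new double[24]);
        double sum = 0;
        for (int i = 1; i <= n; i++) sum += h[Math.floorMod(currentHour - i, 24)];
        return sum / n;
    }

    /**
     * Sources whose count in currentHour is above factor x their 7-hour mean and at
     * least minCount. The floor keeps a previously silent source (mean 0, so any
     * count is infinitely "above" it) from alerting on its very first event.
     */
    public List<String> spikes(int currentHour, double factor, double minCount) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, double[]> e : hourly.entrySet()) {
            double now = e.getValue()[currentHour];
            double mean = meanHourly(e.getKey(), currentHour, 7);
            if (now >= minCount && now > factor * mean) out.add(e.getKey());
        }
        Collections.sort(out);
        return out;
    }

    /** Constructed Snort-style line: "HH:MM [gid:sid] msg {proto} src -> dst" (assumed format). */
    static final Pattern LINE = Pattern.compile("^(\\d{2}):\\d{2} .* (\\d+\\.\\d+\\.\\d+\\.\\d+) -> ");

    public static void main(String[] args) {
        HourlyMeanDemo d = new HourlyMeanDemo();
        List<String> lines = new ArrayList<>();
        // Constructed data: 10.0.0.5 fires 3 alerts every hour; 10.0.0.9 fires 1 per hour, then 40 at 14:00.
        for (int hour = 7; hour <= 14; hour++) {
            for (int i = 0; i < 3; i++)
                lines.add(String.format("%02d:%02d [1:2100498] ICMP ping {ICMP} 10.0.0.5 -> 10.0.0.1", hour, i));
            int burst = hour == 14 ? 40 : 1;
            for (int i = 0; i < burst; i++)
                lines.add(String.format("%02d:%02d [1:2010935] SSH scan {TCP} 10.0.0.9 -> 10.0.0.22", hour, i));
        }
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (m.find()) d.update(m.group(2), Integer.parseInt(m.group(1)), 1);
        }
        System.out.println("mean(10.0.0.9, last 7h) = " + d.meanHourly("10.0.0.9", 14, 7));
        System.out.println("spikes at 14:00 = " + d.spikes(14, 5.0, 10));
    }
}
```

The steady source stays within its own mean and is not reported, while the source whose hour 14 is forty times its recent mean is. Tune the factor and the floor per profile: a byte-volume profile such as Example 3 needs a much larger floor than an alert count.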
Profiler learns from what users and entities do on a regular basis, for instance,
where do users log in from?
what devices do they log in from?
what file servers and applications do they access?
what privileges do they have? and so on.
Example 5:
How to detect when a user logs in to a system for the first time?
Profiler profiler=new Profiler();
if ("Informational.Authentication.Succeeded".equals(generalcorrelationobject1.getTAXONOMY()))
    profiler.update("Profiler-Login",generalcorrelationobject1.getSourceAccount(),generalcorrelationobject1.getSourceMachine(),generalcorrelationobject1.getHour(),generalcorrelationobject1.getDayOfWeek(),generalcorrelationobject1.getDay(),generalcorrelationobject1.getMonth(),"ADD",1);
To retrieve this profile and check whether a login has never been seen before, load the learned (account, machine) pairs into a global list once, then test each new successful login against it; a pair that is not in the list is a first-time login and raises a notification:
ProfilerUtil pu=new ProfilerUtil();
ConcurrentHashMap profile=pu.createweekdaybaselineAsMap("Profiler-Login",7,4,"Login");
if (profile!=null) {
    GlobalListManager.profiles.put("log-term-logins",profile);
}
CheckInList chk=new CheckInList();
// an (account, machine) pair absent from the learned list is a never-seen login
if (!chk.isInList("log-term-logins","Login",generalcorrelationobject1.getSourceAccount(),generalcorrelationobject1.getSourceMachine()))
    chk.notify();
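As an added example (not SureLog's code), the following Java program implements the never-seen-login check of Example 5 with a plain map standing in for createweekdaybaselineAsMap and CheckInList: only successful authentications from the learning window teach an (account, machine) pair, each new login is then classified as known, as a new machine for a known account, or as an account never seen logging in, and an alerted pair is remembered so the same first login is not reported twice. The class and method names, the verdict categories and the sample events are assumptions; the taxonomy string is the one the page uses.

```java
import java.util.*;

/**
 * Added example, not SureLog's code: the first-seen-login check of Example 5 with a
 * map of learned (account, machine) pairs. Names and sample events are assumptions.
 */
public class FirstSeenLoginDemo {

    public enum Verdict { KNOWN, NEW_MACHINE_FOR_ACCOUNT, NEW_ACCOUNT }

    /** account -> machines it successfully logged in to during the learning window. */
    private final Map<String, Set<String>> baseline = new HashMap<>();

    /** Like the "Profiler-Login" update: only successful authentications feed the baseline. */
    public void learn(String taxonomy, String account, String machine) {
        if ("Informational.Authentication.Succeeded".equals(taxonomy)) {
            baseline.computeIfAbsent(account, k -> new HashSet<>()).add(machine);
        }
    }

    /** Classify a new successful login against the learned pairs. */
    public Verdict check(String account, String machine) {
        Set<String> machines = baseline.get(account);
        if (machines == null) return Verdict.NEW_ACCOUNT;
        return machines.contains(machine) ? Verdict.KNOWN : Verdict.NEW_MACHINE_FOR_ACCOUNT;
    }

    /** After an alert, remember the pair so the same first login is not reported again. */
    public void accept(String account, String machine) {
        baseline.computeIfAbsent(account, k -> new HashSet<>()).add(machine);
    }

    public static void main(String[] args) {
        FirstSeenLoginDemo demo = new FirstSeenLoginDemo();
        // Constructed learning-window events: taxonomy, account, machine.
        String[][] history = {
            {"Informational.Authentication.Succeeded", "alice", "ws-101"},
            {"Informational.Authentication.Succeeded", "alice", "ws-102"},
            {"Informational.Authentication.Succeeded", "bob",   "ws-205"},
            {"Informational.Authentication.Failed",    "bob",   "dc-01"},  // a failure teaches nothing
        };
        for (String[] ev : history) demo.learn(ev[0], ev[1], ev[2]);

        // Constructed new successful logins to classify, in order.
        String[][] today = {
            {"alice",   "ws-101"},  // pair seen in the window
            {"bob",     "dc-01"},   // bob never succeeded on dc-01 before
            {"mallory", "ws-101"},  // account never seen logging in
            {"bob",     "dc-01"},   // repeat: accepted after the first alert
        };
        for (String[] ev : today) {
            Verdict v = demo.check(ev[0], ev[1]);
            System.out.println(ev[0] + " -> " + ev[1] + ": " + v);
            if (v != Verdict.KNOWN) demo.accept(ev[0], ev[1]);
        }
    }
}
```

Separating "new account" from "new machine for a known account" matters in triage: the former is often onboarding or a service account, the latter is the lateral-movement signal this example is meant to catch. Whether an alerted pair should be accepted automatically, as done here, or only after an analyst confirms it, is a policy choice.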
References