Scalable data analytics pipeline for real-time attack detection: design, validation, and deployment in a honeypot environment
Badger, Eric C
Permalink
https://hdl.handle.net/2142/89057
Description
Title
Scalable data analytics pipeline for real-time attack detection: design, validation, and deployment in a honeypot environment
Author(s)
Badger, Eric C
Issue Date
2015-12-07
Director of Research (if dissertation) or Advisor (if thesis)
Iyer, Ravishankar K.
Committee Member(s)
Kalbarczyk, Zbigniew T
Department of Study
Electrical & Computer Engineering
Discipline
Electrical & Computer Engineering
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
M.S.
Degree Level
Thesis
Keyword(s)
Intrusion Detection
Abstract
This work explores a scalable data analytics pipeline for real-time attack detection through the use of customized honeypots at the National Center for Supercomputing Applications (NCSA). Attack detection tools are common and are constantly being improved, but validating these tools is challenging. One must automate how to identify what data is essential to detecting the attack, extract this data from multiple different monitors, and send this data to the attack detection tool. On top of this, one must be able to scale efficiently with an ever-increasing amount of data, while also retaining the ability to extend to new monitors. This requires an infrastructure that is non-trivial to create or to deploy.
In this work, we present a generalized architecture that aims for a real-time, scalable, and extensible pipeline that can be deployed in diverse infrastructures to validate arbitrary attack detection tools. To demonstrate our architecture, we show an example deployment of our pipeline using only open-source tools. Our example deployment uses as its sources: 1) a customized honeypot environment at NCSA, and 2) customized attack scripts written to follow the skeleton of canonical credential-stealing attacks. To extract useful information, we have deployed network- and host-based monitoring tools such as Bro and OSSEC. We have also built an attack detection tool named AttackTagger that we use as our front-end detection engine.
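The following is an added illustration of the three pipeline stages the abstract describes (extract from several monitors, normalize into one event stream, hand to a detection engine); it is not code from the thesis, from AttackTagger, or from the Bro or OSSEC projects. The Bro ssh.log column order, the one-line JSON shape of the OSSEC alert, the sample records, and the stage tagger are all constructed for this example: the tagger is a hypothetical stand-in that only walks a fixed credential-stealing skeleton (SSH brute force, then a successful login, then privilege escalation on the same monitored host), which is the kind of sequence the "customized attack scripts" would exercise.

```python
"""Added example: a minimal monitor-to-detector pipeline (not the thesis code)."""
import json
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

@dataclass
class Event:
    ts: float            # epoch seconds, so events from different monitors can be merged
    source: str          # which monitor produced it: "bro" or "ossec"
    host: str            # the monitored (honeypot) host the event concerns
    kind: str            # normalized type the detector understands
    detail: dict = field(default_factory=dict)

# Assumed column order of a Bro ssh.log; a real deployment reads it from the #fields header.
BRO_SSH_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                  "id.resp_p", "version", "auth_success"]

def parse_bro_ssh(line: str) -> Optional[Event]:
    """Bro logs are tab-separated; header and comment lines start with '#'."""
    if not line.strip() or line.startswith("#"):
        return None
    rec = dict(zip(BRO_SSH_FIELDS, line.rstrip("\n").split("\t")))
    kind = "ssh_login_ok" if rec["auth_success"] == "T" else "ssh_login_fail"
    return Event(float(rec["ts"]), "bro", rec["id.resp_h"], kind, {"src": rec["id.orig_h"]})

def parse_ossec_json(line: str) -> Optional[Event]:
    """Simplified one-line JSON alert; the field names here are assumptions."""
    a = json.loads(line)
    desc = a.get("description", "").lower()
    if "sudo" in desc:
        kind = "priv_esc"
    elif "authentication success" in desc:
        kind = "host_login_ok"
    else:
        kind = "host_alert"
    return Event(float(a["ts"]), "ossec", a["host"], kind,
                 {"user": a.get("user"), "rule": a.get("rule_id")})

def ingest(bro_lines: Iterable[str], ossec_lines: Iterable[str]) -> List[Event]:
    """Extract from both monitors and merge into one time-ordered stream."""
    events = [parse_bro_ssh(l) for l in bro_lines] + [parse_ossec_json(l) for l in ossec_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)

# Hypothetical attack skeleton the stand-in tagger recognizes, in order.
STAGES = ["brute_force", "login_after_brute_force", "privilege_escalation"]

def tag_attack(events: List[Event], fail_threshold: int = 3) -> Dict[str, List[str]]:
    """Per monitored host, advance through STAGES as matching events arrive."""
    fails: Dict[str, int] = {}
    tags: Dict[str, List[str]] = {}
    for ev in events:
        stages = tags.setdefault(ev.host, [])
        nxt = STAGES[len(stages)] if len(stages) < len(STAGES) else None
        if ev.kind == "ssh_login_fail":
            fails[ev.host] = fails.get(ev.host, 0) + 1
            if nxt == "brute_force" and fails[ev.host] >= fail_threshold:
                stages.append("brute_force")
        elif ev.kind == "ssh_login_ok" and nxt == "login_after_brute_force":
            stages.append("login_after_brute_force")
        elif ev.kind == "priv_esc" and nxt == "privilege_escalation":
            stages.append("privilege_escalation")
    return tags

# Constructed sample input: three failed SSH logins then a success against honeypot
# 10.0.0.5, one unrelated success against 10.0.0.6, then a sudo alert on 10.0.0.5.
BRO_SAMPLE = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tauth_success",
    "1449500000.1\tC1\t203.0.113.7\t51234\t10.0.0.5\t22\t2\tF",
    "1449500001.2\tC2\t203.0.113.7\t51235\t10.0.0.5\t22\t2\tF",
    "1449500002.3\tC3\t203.0.113.7\t51236\t10.0.0.5\t22\t2\tF",
    "1449500003.4\tC4\t203.0.113.7\t51237\t10.0.0.5\t22\t2\tT",
    "1449500005.0\tC5\t198.51.100.9\t40001\t10.0.0.6\t22\t2\tT",
])
OSSEC_SAMPLE = [
    '{"ts": 1449500010.0, "host": "10.0.0.5", "rule_id": 5402, '
    '"description": "Successful sudo to ROOT executed", "user": "deploy"}',
]

def run_demo() -> Dict[str, List[str]]:
    return tag_attack(ingest(BRO_SAMPLE.splitlines(), OSSEC_SAMPLE))

if __name__ == "__main__":
    print(run_demo())
```

Keying the tagger on the monitored host rather than on the attacker address is a deliberate simplification: Bro events carry the attacker IP while the OSSEC sudo alert carries only a local user, so the honeypot host is the one field both monitors share. A real deployment would also need the extraction stage to tolerate monitors arriving late or out of order, which a single sort over a finished batch hides.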