All content in this area was uploaded by Ertuğrul Akbaş on Dec 03, 2018
SURELOG SIEM PROFILER
SureLog leverages automated behavioral profiling to detect anomalies and to autonomously define rules on the data, in order to discover security events that require investigation.
Behavior analysis and profiling in SureLog relies on statistical modeling and data science to identify patterns of behavior and compare them against other human or machine activities. The Profiler is a feature extraction mechanism that generates a profile describing the behavior of an entity. An entity can be any field of a message, such as the protocol used in a communication, as well as a server, user, subnet or application. Once a profile has been generated that defines what normal behavior looks like, models can be built that identify anomalous behavior.
In SureLog, the Profiler enhances SIEM correlation rules through baselining. This is achieved by summarizing the streaming telemetry data consumed by SureLog over sliding windows. Profiling compresses time: a summary statistic is applied to the data received within a given window, and collecting this summary across many windows yields a time series that is useful for analysis.
Any field contained within a message can be used to generate a profile. A profile can even be produced by combining fields that originate in different data sources. A user has considerable power to transform the data used in a profile by leveraging the SureLog correlation engine.
The SureLog Rule-as-Code platform [1], which is powered by Java, is where profiles are defined. The Profiler in the correlation engine is configured in Java.
Profile definition:
result = Profiler.update(profilename, foreach, filter, hour, dayofweek, day, month, function, data)
Profiles
A profile definition requires a Java method definition. The specification contains the following elements.
Name         Description
profilename  Required
foreach      Required
filter       Required
data         Required
update       Required
expires      Optional
Example 1:
The ratio of DNS traffic to HTTP traffic for each host. The following profiler rule-as-code generates this profile.
Profiler profiler = new Profiler();
// count HTTP events per source account in the current window
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-10", generalcorrelationobject1.SourceAccount, "http_total",
        generalcorrelationobject1.getHour(), generalcorrelationobject1.getDayOfWeek(),
        generalcorrelationobject1.getDay(), generalcorrelationobject1.getMonth(), "SUM", 1);
// count DNS events per source account in the current window
else if ("DNS".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-10", generalcorrelationobject1.SourceAccount, "dns_total",
        generalcorrelationobject1.getHour(), generalcorrelationobject1.getDayOfWeek(),
        generalcorrelationobject1.getDay(), generalcorrelationobject1.getMonth(), "SUM", 1);
Baseline creation:
createweekdaybaseline(String pure_profile_name, int dayofweek, int lastnumberofweeks, String parameter)
In this case a particular user will be known. The following example shows how this profile data might be retrieved. Retrieve all values of ‘http_protocol/dns_protocol’ over the past 4 weeks for the 4th day of the week (Tuesday) and calculate percentiles. (A percentile, or centile, is a measure used in statistics indicating the value below which a given percentage of observations in a group of observations fall. For example, the 20th percentile is the value (or score) below which 20% of the observations may be found.)
ProfilerUtil pu = new ProfilerUtil();
// look for a user whose HTTP-to-DNS ratio is 300% more than 95% of the other
// users over the last four weeks for the 4th day of the week (Tuesday)
pu.percentile(95, 300, "Profiler-10", 5, 4, "http_total", "dns_total");
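To make the mechanics of Example 1 concrete, here is an added Python model (not SureLog's code) of the three steps above: a profile store that keeps one SUM per window, a weekday baseline over the last N weeks, and the percentile check read as "exceeds the 95th percentile of the other users by 300%". Names mirror the page's API but are assumptions; the window key is simplified to (dayofweek, weeks_ago) and the traffic counts are constructed.

```python
# Added model (not SureLog's code) of Example 1: per-window SUM profile store,
# weekday baseline over the last N weeks, leave-one-out percentile check.
from collections import defaultdict
from math import ceil

class Profiler:
    """One running SUM per (profile, entity, parameter, dayofweek, weeks_ago)."""
    def __init__(self):
        self.store = defaultdict(float)

    def update(self, profilename, foreach, parameter, dayofweek, weeks_ago, function, data):
        if function != "SUM": raise ValueError("only SUM is modelled: " + function)
        self.store[(profilename, foreach, parameter, dayofweek, weeks_ago)] += data

    def createweekdaybaseline(self, profilename, dayofweek, lastnumberofweeks, parameter):
        """Per-entity SUM of parameter over the last N occurrences of dayofweek."""
        totals = defaultdict(float)
        for (p, entity, param, dow, ago), v in self.store.items():
            if (p, param, dow) == (profilename, parameter, dayofweek) and ago < lastnumberofweeks:
                totals[entity] += v
        return dict(totals)

def nearest_rank(values, pct):
    """Nearest-rank percentile; e.g. nearest_rank([2, 2, 2, 3, 3], 95) == 3."""
    s = sorted(values)
    return s[max(0, ceil(pct / 100 * len(s)) - 1)]

def percentile_outliers(profiler, pct, margin_pct, profilename, dayofweek, weeks, num, den):
    """Entities whose num/den ratio is > margin_pct % above the pct-th percentile of the OTHERS."""
    n = profiler.createweekdaybaseline(profilename, dayofweek, weeks, num)
    d = profiler.createweekdaybaseline(profilename, dayofweek, weeks, den)
    ratios = {e: n[e] / d[e] for e in n if d.get(e, 0) > 0}    # skip entities with no DNS
    hits = []
    for e, r in ratios.items():
        others = [v for k, v in ratios.items() if k != e]       # leave-one-out comparison set
        if others and r > nearest_rank(others, pct) * (1 + margin_pct / 100):
            hits.append(e)
    return sorted(hits)

# Constructed weekly counts (user, http, dns) seen on dayofweek 5, the same for 4 weeks
SAMPLE = [("alice", 100, 50), ("bob", 120, 40), ("carol", 90, 45),
          ("dave", 80, 40), ("erin", 150, 50), ("mallory", 2000, 50)]

def build_profiler():
    p = Profiler()
    for user, http, dns in SAMPLE:
        for ago in range(4):
            p.update("Profiler-10", user, "http_total", 5, ago, "SUM", http)
            p.update("Profiler-10", user, "dns_total", 5, ago, "SUM", dns)
    p.update("Profiler-10", "bob", "http_total", 5, 4, "SUM", 5000)  # 5 weeks old: outside the window
    return p
```

Widening the baseline to 5 weeks pulls bob's stale burst into the comparison set and masks mallory, which is why the window length is part of the rule, not a tuning afterthought.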
Example 2:
The total number of bytes of HTTP data for each host.
Profiler profiler = new Profiler();
// sum the bytes received per source machine for HTTP traffic in the current window
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-HTTP", generalcorrelationobject1.SourceMachine, "http_size",
        generalcorrelationobject1.getHour(), generalcorrelationobject1.getDayOfWeek(),
        generalcorrelationobject1.getDay(), generalcorrelationobject1.getMonth(), "SUM",
        generalcorrelationobject1.getRCVD());
The following example shows how this profile data might be retrieved. Retrieve all values of ‘http_protocol/dns_protocol’ over the past 4 weeks for the 4th day of the week (Tuesday), calculate percentiles, and get the source IPs whose HTTP traffic exceeds that of 95% of the other source IPs.
ProfilerUtil pu = new ProfilerUtil();
// look for a source IP whose HTTP traffic is 10% more than 95% of the other
// source IPs over the last four weeks for the 4th day of the week (Tuesday)
pu.percentile(95, 10, "Profiler-HTTP", 5, 4);
Example 3:
Profiler profiler = new Profiler();
// sum the URL length per source machine for HTTP traffic in the current window
if ("HTTP".equals(generalcorrelationobject1.getProtocol()))
    profiler.update("Profiler-HTTP-Length", generalcorrelationobject1.SourceMachine, "http_length",
        generalcorrelationobject1.getHour(), generalcorrelationobject1.getDayOfWeek(),
        generalcorrelationobject1.getDay(), generalcorrelationobject1.getMonth(), "SUM",
        generalcorrelationobject1.getURL().length());
ProfilerUtil pu = new ProfilerUtil();
// mean for the last 7 hours
result = pu.meanHourly("Profiler-HTTP-Length", 7);
Example 4:
This example assumes a profile called ‘snort-alerts’ has been defined that tracks the number of Snort alerts associated with an IP address over time. The profile definition might look similar to the following.
Profiler profiler = new Profiler();
// count Snort alerts per source machine in the current window
if ("Snort".equals(generalcorrelationobject1.getLogSubType()))
    profiler.update("Profiler-Snort", generalcorrelationobject1.SourceMachine, "snort",
        generalcorrelationobject1.getHour(), generalcorrelationobject1.getDayOfWeek(),
        generalcorrelationobject1.getDay(), generalcorrelationobject1.getMonth(), "SUM", 1);
ProfilerUtil pu = new ProfilerUtil();
// mean for the last 7 hours
result = pu.meanHourly("Profiler-Snort", 7);
Example 5:
import java.util.concurrent.ConcurrentHashMap;

Profiler profiler = new Profiler();
ProfilerUtil pu = new ProfilerUtil();
// record each successful login per source account, keyed by the machine it came from
if ("Informational.Authentication.Succeeded".equals(generalcorrelationobject1.getTAXONOMY()))
    profiler.update("Profiler-Login", generalcorrelationobject1.SourceAccount,
        generalcorrelationobject1.SourceMachine, generalcorrelationobject1.getHour(),
        generalcorrelationobject1.getDayOfWeek(), generalcorrelationobject1.getDay(),
        generalcorrelationobject1.getMonth(), "ADD", 1);
// retrieve the login baseline for the 7th day of the week over the last 4 weeks as a map
ConcurrentHashMap profile = pu.createweekdaybaselineAsMap("Profiler-Login", 7, 4, "Login");
if (profile != null) {
    // compare the current login against the baseline map
}