PoS - Proceedings of Science
Volume 378 - International Symposium on Grids & Clouds 2021 (ISGC2021) - Network, Security, Infrastructure & Operations
A comprehensive security operation center based on big data analytics and threat intelligence
J. Wang*, T. Yan, D. An, Z. Liang, C. Guo, H. Hu, Q. Luo, H. Li, H. Wang, S. Zeng, C. Zhou, L. Ma and F. Qi
Published on: October 22, 2021
The continued growth of cybersecurity incidents calls for effective cybersecurity monitoring solutions. Operating a security operation center (SOC) is the recommended best practice on which large and medium-size organizations rely for the detection of, notification about, and ultimately response to cybersecurity incidents. However, current SOCs face several issues, such as inferior defense against specific types of attacks, low-quality threat intelligence, slow response and a low level of automation.
In this paper, a comprehensive SOC is introduced to mitigate the above-mentioned issues of current SOCs. First, the SOC collects a wide variety of data, including network traffic, server logs and security incident logs. The collected data is preprocessed and stored in a big-data storage platform. Second, the SOC provides multi-perspective behavior analysis, which combines the detection performance of multiple behavior detectors; different detectors analyze different, specific types of attack based on the data held on the big-data storage platform. In addition, threat intelligence is extracted accurately from unstructured open-source cyber threat intelligence reports using a deep learning model and is correlated with incident detection to identify attacks rapidly. Finally, the SOC uniformly manages, and automatically responds to, the incidents identified by multi-perspective behavior analysis and threat intelligence. At the same time, visualization is adopted to reveal the cybersecurity situation of the entire organization. The framework of the SOC is derived from the CERN design and is customized to make it practical and deployable for the Institute of High Energy Physics to discover, identify, understand, analyze, and respond to cybersecurity incidents from a comprehensive perspective.
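The abstract describes the pipeline in three stages: several behavior detectors run over the stored logs, their findings are correlated with threat-intelligence indicators, and the resulting incidents are managed and answered uniformly. The following is an added illustration of that flow and is not code from the paper, from IHEP or from CERN: the log lines, the indicator set, the detector thresholds, the severity scale and the response policy (`plan_response`) are all constructed assumptions chosen to show how a threat-intelligence match can escalate a low-severity behavioral detection.

```python
"""Added illustration of multi-detector analysis plus threat-intelligence
correlation. Not the paper's code; every host, indicator and threshold here
is a constructed assumption."""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log lines (documentation IP ranges, not real traffic):
# "<source ip> <event kind> <detail>"
SAMPLE_LOGS = [
    "203.0.113.7 ssh_fail root",
    "203.0.113.7 ssh_fail root",
    "203.0.113.7 ssh_fail admin",
    "203.0.113.7 ssh_fail admin",
    "203.0.113.7 ssh_fail oracle",
    "198.51.100.9 http 404 /admin",
    "198.51.100.9 http 404 /wp-login.php",
    "198.51.100.9 http 404 /.env",
    "198.51.100.9 http 404 /phpmyadmin",
    "192.0.2.44 http 200 /index.html",
    "192.0.2.44 dns evil.example",
]

# Constructed threat-intelligence indicators, standing in for what the paper
# extracts from open-source reports with a deep learning model (assumption).
THREAT_INTEL = {"ip": {"198.51.100.9"}, "domain": {"evil.example"}}


@dataclass
class Incident:
    src: str          # source address the finding is attributed to
    detector: str     # which detector produced it
    severity: int     # assumed scale: 1 = low, 2 = medium, 3 = high
    evidence: list[str]


def parse(lines: list[str]) -> list[tuple[str, str, str]]:
    """Split each constructed log line into (src, kind, detail)."""
    events = []
    for line in lines:
        parts = line.split(None, 2)
        detail = parts[2] if len(parts) > 2 else ""
        events.append((parts[0], parts[1], detail))
    return events


def detect_brute_force(events, threshold: int = 5) -> list[Incident]:
    """Behavior detector 1: repeated SSH authentication failures per source."""
    fails = Counter(src for src, kind, _ in events if kind == "ssh_fail")
    return [Incident(src, "ssh_brute_force", 2, [f"{n} failed logins"])
            for src, n in fails.items() if n >= threshold]


def detect_web_scan(events, threshold: int = 4) -> list[Incident]:
    """Behavior detector 2: many HTTP 404s from one source suggests path probing."""
    not_found = defaultdict(list)
    for src, kind, detail in events:
        if kind == "http" and detail.startswith("404 "):
            not_found[src].append(detail.split(" ", 1)[1])
    return [Incident(src, "web_scan", 1, paths)
            for src, paths in not_found.items() if len(paths) >= threshold]


def detect_threat_intel(events, intel) -> list[Incident]:
    """Indicator matching: source IPs and resolved domains against the feed."""
    matched = defaultdict(set)
    for src, kind, detail in events:
        if src in intel["ip"]:
            matched[src].add(f"source {src} is a listed indicator")
        if kind == "dns" and detail in intel["domain"]:
            matched[src].add(f"resolved listed domain {detail}")
    return [Incident(src, "threat_intel", 2, sorted(ev)) for src, ev in matched.items()]


def correlate(incidents: list[Incident]) -> dict:
    """Merge findings per source; a behavioral detection confirmed by
    threat intelligence is escalated to the highest severity (assumed rule)."""
    by_src = defaultdict(list)
    for inc in incidents:
        by_src[inc.src].append(inc)
    merged = {}
    for src, incs in by_src.items():
        detectors = sorted({i.detector for i in incs})
        severity = max(i.severity for i in incs)
        if "threat_intel" in detectors and len(detectors) > 1:
            severity = 3
        evidence = [e for i in incs for e in i.evidence]
        merged[src] = {"detectors": detectors, "severity": severity, "evidence": evidence}
    return merged


def plan_response(merged: dict) -> dict:
    """Uniform response policy keyed on severity (assumed mapping; in a real
    SOC this would drive playbooks rather than return strings)."""
    actions = {3: "block_at_firewall", 2: "notify_admin", 1: "open_ticket"}
    return {src: actions[m["severity"]] for src, m in merged.items()}


def run(lines=SAMPLE_LOGS, intel=THREAT_INTEL):
    """Full pipeline: parse -> detectors -> correlation -> response plan."""
    events = parse(lines)
    incidents = (detect_brute_force(events) + detect_web_scan(events)
                 + detect_threat_intel(events, intel))
    merged = correlate(incidents)
    return merged, plan_response(merged)


if __name__ == "__main__":
    merged, plan = run()
    for src in merged:
        print(src, merged[src]["detectors"], "severity", merged[src]["severity"], "->", plan[src])
```

On the constructed data the web-scanning source is also a listed indicator, so two perspectives agree and it is escalated to a block, while the brute-force source and the host that merely resolved a listed domain are routed to notification. The point of the structure is that each detector stays independent and the correlation step owns the escalation rule, which keeps the rule auditable when detectors are added or retuned.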
DOI: https://doi.org/10.22323/1.378.0028
Open Access
Copyright owned by the author(s) under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.