Anomaly Detection Through Massive Event Correlation in ICT Networks
As Information and Communication Technology (ICT) networks have grown in complexity, the goals and the technical processes of attacks have evolved with them. Recent security incidents show that current security mechanisms are often not sufficient to prevent targeted attacks. If an attack on a system is successful, timely detection is critical to mitigate its impact. With the increasing use of common Internet protocols in connection with Supervisory Control and Data Acquisition (SCADA) systems, industrial networks are exposed to the same threats as corporate networks. This work proposes a novel anomaly detection approach based on the timely correlation and analysis of log-files from various sources in a monitored network. The framework builds a system model that describes the normal behaviour of the different components in the monitored network. It does not rely on any information about the syntax or semantics of the processed log-lines. Instead, the model is generated from the processed information and constantly evolves while the system is monitoring the network. Using data from a controlled ICT network, this thesis shows that the generated model distinguishes meaningful subsets of log-files and is able to model complex implications between different network components. An evaluation based on semi-synthetic log-data demonstrates the application of the approach in common ICT networks. Additionally, real-world data from a utility provider is used to demonstrate the system's application in the domain of SCADA systems.
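The abstract describes two ideas that are easy to misread without a concrete instance: deriving event classes from log-lines without knowing their syntax, and learning implications between events from different sources so that a missing consequent can be flagged. The following Python is an added illustration of that combination and is not code from the thesis. It assumes a simplified template scheme (lines grouped by source, token count and first token; positions whose token varies become wildcards), a fixed time window, and constructed firewall and SSH log-lines; the thesis's model is built differently and updates continuously, whereas this example learns once from a training set.

```python
from collections import defaultdict, Counter

WINDOW = 5            # seconds: a consequent must occur within this span after the antecedent
MIN_SUPPORT = 3       # antecedent class must be observed at least this often during learning
MIN_CONFIDENCE = 1.0  # fraction of antecedent occurrences that were followed by the consequent

# Constructed training data: (timestamp, source, raw line). Not real logs.
TRAINING = [
    (1,   "fw",  "ACCEPT src=10.0.0.5 dst=10.0.1.7 dport=22"),
    (2,   "ssh", "Accepted publickey for alice from 10.0.0.5 port 51344"),
    (20,  "fw",  "ACCEPT src=10.0.0.9 dst=10.0.1.7 dport=22"),
    (21,  "ssh", "Accepted publickey for bob from 10.0.0.9 port 40211"),
    (40,  "fw",  "ACCEPT src=10.0.0.12 dst=10.0.1.7 dport=22"),
    (41,  "ssh", "Accepted publickey for carol from 10.0.0.12 port 38870"),
    (60,  "fw",  "ACCEPT src=10.0.0.5 dst=10.0.1.7 dport=22"),
    (61,  "ssh", "Accepted publickey for alice from 10.0.0.5 port 51902"),
    (100, "fw",  "DROP src=198.51.100.4 dst=10.0.1.7 dport=23"),
    (120, "fw",  "DROP src=198.51.100.8 dst=10.0.1.7 dport=23"),
    (140, "fw",  "DROP src=198.51.100.9 dst=10.0.1.7 dport=23"),
]

# Constructed lines to monitor: a normal session, an ACCEPT with no matching
# SSH login afterwards, and a line shape never seen during learning.
MONITORED = [
    (200, "fw",  "ACCEPT src=10.0.0.5 dst=10.0.1.7 dport=22"),
    (201, "ssh", "Accepted publickey for alice from 10.0.0.5 port 50001"),
    (300, "fw",  "ACCEPT src=10.0.0.77 dst=10.0.1.7 dport=22"),
    (400, "ssh", "Failed password for root from 10.0.0.77 port 40000"),
]


def learn_templates(records):
    """Syntax-agnostic event classes: group lines by (source, token count, first
    token); a position whose token is identical across the group is kept, any
    other position becomes the wildcard '*'. (Simplified assumption, not the thesis's scheme.)"""
    groups = defaultdict(list)
    for _, src, line in records:
        toks = line.split()
        if toks:
            groups[(src, len(toks), toks[0])].append(toks)
    templates = {}
    for key, rows in groups.items():
        tmpl = []
        for pos in range(key[1]):
            column = {row[pos] for row in rows}
            tmpl.append(column.pop() if len(column) == 1 else "*")
        templates[key] = tuple(tmpl)
    return templates


def classify(templates, src, line):
    """Return the event class of a line, or None if its shape was never learned."""
    toks = line.split()
    if not toks:
        return None
    tmpl = templates.get((src, len(toks), toks[0]))
    if tmpl and all(t == "*" or t == tok for t, tok in zip(tmpl, toks)):
        return src + ":" + " ".join(tmpl)
    return None


def learn_implications(records, templates):
    """Learn A -> B rules: B (any source) follows A within WINDOW seconds often enough."""
    events = sorted(((t, classify(templates, s, l)) for t, s, l in records), key=lambda e: e[0])
    counts = Counter(c for _, c in events)
    followed = Counter()
    for i, (t, a) in enumerate(events):
        seen = set()
        for t2, b in events[i + 1:]:
            if t2 - t > WINDOW:
                break
            if b != a:
                seen.add(b)
        for b in seen:
            followed[(a, b)] += 1
    return {(a, b): n / counts[a] for (a, b), n in followed.items()
            if counts[a] >= MIN_SUPPORT and n / counts[a] >= MIN_CONFIDENCE}


def detect(records, templates, implications):
    """Flag unknown line shapes and antecedents whose learned consequent never arrived."""
    anomalies = []
    events = sorted(((t, s, l, classify(templates, s, l)) for t, s, l in records), key=lambda e: e[0])
    for i, (t, s, l, a) in enumerate(events):
        if a is None:
            anomalies.append((t, s, "unknown line shape: " + l))
            continue
        for ant, con in implications:
            if ant != a:
                continue
            if not any(c == con and 0 <= t2 - t <= WINDOW for t2, _, _, c in events[i + 1:]):
                anomalies.append((t, s, "expected %s within %ds after: %s" % (con, WINDOW, l)))
    return anomalies


def run_demo():
    templates = learn_templates(TRAINING)
    implications = learn_implications(TRAINING, templates)
    return detect(MONITORED, templates, implications)


if __name__ == "__main__":
    for t, src, reason in run_demo():
        print(t, src, reason)
```

On the constructed data the only learned rule is "firewall ACCEPT to port 22 is followed within 5 s by an SSH login", so the ACCEPT at t=300 with no login and the never-seen "Failed password" shape at t=400 are both reported, while the session at t=200/201 is not. A real deployment would need the model to keep updating as the abstract describes, and the confidence threshold would be tuned against the false-positive rate observed on known-good traffic.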