SlideShare a Scribd company logo

CEP for security event correlation and detection with CorReactive

Download as PPTX, PDF
N
Nikolay Klendar

Presentation from ZeroNights 2015 devoted to Esper library and the features it has to perform complex security event processing (correlating). Basic and advanced features was considered and custom made correlation engine which able to work together with logstash was presented

Technology
1 of 18
Security events correlation with Nikolay Klendar bsploit gmail.com
Complex Event Processing (correlation) * - is event processing that combines data from multiple sourcesto infer events or patterns that suggest more complicated circumstances. INTRO *Wikipedia
Library used for development Java, .NET Processes event STREAMS of predefined types. Esper does not parse events! Processing rules (correlation rules) are defined with Event Processing Language (EPL) similar to SQL
Network scan detection Type event: timestamp:string type: string src_ip: string dst_ip: string src_port:int dst_port: int bytes_sent: int bytes_recieved: int login: string Allowed monitoring systmes Annotation All dst_ip within 30 sec @Name('Scan') SELECT src_ip,window(dst_ip) FROM event (type='firewall' AND src_ip NOT IN ('10.0.0.1','10.0.0.2') ).win:time(30 sec) /*sliding time window*/ GROUP BY src_ip HAVING count(distinct dst_ip) > 50 output first every 1 hour /*1 event per hour*/
Worm spreading detection INSERT INTO scanning SELECT src_ip,window(dst_ip) targets FROM event().win:time(10 min).std:unique(dst_ip) GROUP BY src_ip HAVING count(distinct dst_ip)>50; { src_ip='10.0.0.1', targets=['192.168.0.1', '192.168.0.2',…,'192.168.0.254']} { src_ip='192.168.0.2', targets=['192.167.0.1','192.167.0 .2',…,'192.167.0.254']} @Name('warm_spreading') SELECT a.src_ip,b.src_ip,b.targets FROM pattern[ every a=scanning -> b=scanning ( b.src_ip!=a.src_ip AND Arrays.asList(a.targets).contains(b.src_ip) ) WHERE timer:within(1 min) ]; {a.src_ip='10.0.0.1', b.src_ip='192.168.0.2', b.targets=[' 192.167.0.2 ',…, '192.167.0.2 ',' 192.167.0.2 ']}
Money laundering detection @Name('obnal') SELECT a.transaction,a.clientid,a.amount income, c.sumOf(i=>i.amount)+b.amount total FROM PATTERN[ EVERY a=event(transaction like 'card_income') -> b=event(b.clientid=a.clientid AND transaction = 'card_outcome') WHERE timer:within(3 hour) -> ( [3: ] c=event(c.clientid=a.clientid AND transaction = 'card_outcome' ) until timer:interval(20 min) ) ] Total money transferred to card Total outcome
Join & enrichment SELECT S.src_ip, S.targets, L.login,L.last_seen FROM scanning.std:lastevent() as S LEFT OUTER JOIN LoginsIP L on L.ip = S.src_ip GROUP BY S.src_ip output first every 1 hour; CREATE WINDOW LoginsIP.std:unique(ip) as (ip string, login string, last_seen string); INSRT INTO LoginsIP SELECT src_ip as ip, login.toLowerCase() as login, timestamp as last_seen FROM Event( type='windows' AND eventid='4624' AND src_ip IS NOT NULL AND login IS NOT NULL AND login!='ANONYMOUS LOGON' AND login NOT LIKE '%$' ); { S.src_ip='10.0.0.1', L.login='ivanov', L.last_seen='17.11.2015 12:00:00' S.targets=[' 192.167.0.2 ',…, '192.167.0.2 ',' 192.167.0.2 '] }
Integration with external sources SELECT src_ip from event(type='firewall') as fw, SQL:mysql ['select tornode_ip from tor_nodes'] as tor where fw.src_ip=tor.tornode_ip
Users profiling
Building user profile create window loginProfileASN.win:keepall() (login string,param string,value string,v_count long) create window loginProfileTotal.win:keepall() (login string,param string,total long) ON EVENT() e MERGE loginProfileASN p where p.login=e.login and p.value=(e.geoip('asn')).toString() when not matched then insert select login,'ASN' param, geoip('asn') value,1L v_count when matched then update set p.v_count = p.v_count+1 ON EVENT() e MERGE loginProfileTotal p where p.login=e.login when not matched then insert select login,'ASN' param, 1L total when matched then update set p.total = p.total+1
Deviation from profile SELECT e.login,e.geoip('asn') asn, e.src_ip, v.v_count count,t.total, cast((100-100*v.v_count/t.total),int) score FROM event().std:lastevent() e, loginProfileASN v, loginProfileTotal t where v.login=e.login and v.value=(e.geoip('asn')).toString() and t.login = e.login and (100-100*v.v_count/t.total)>97
CorReactive and integration with ELK Logstash config output { redis { host => "127.0.0.1" db => 0 data_type => "list " batch => true batch_events=>500 key => "events” codec => json } } CorReactive config Collect events "inputs":[ { "type": "redis", "config":{ "host": "localhost", "port": 6379, "db": 0, "queue":"events", "batch_count":500, "reconnect_timeout":60 } } ] CorReactive config Return alerts "outputs":[ { "type":"redis", "id":1, "config":{ "host": "localhost", "queue":"alerts", "port": 6379, "db": 0, "reconnect_timeout":60, "batch_count" :1 } } ]
CorReactive configuration steps 1. conf/types: Extend base event type “event”, add new fields 2. conf/modules: Add new EPL modules (correlation rules) If one module depends on another use special directive: uses dependent_module; http://goo.gl/9pvlIj 3. Configure inputs and outputs
CorReactive special annotations Alert generation to output channel @Alert(name='newalert',outID=1) Save data from named window to disk every 5 minutes. Saved data is automatically restored to named window during loading stage @Persist Named window data reloading every 5 minutes from csv file located in var/winload @Load(file="data.csv",format="csv",delim="; ") Dynamically alert enrichment with data from external command output or on demand query. Enrichment of enrichment is supported. @Enrich(dst="eLogin",type="window", param="select src_ip from loginip where login='%{login}'") @Enrich(dst="nsresult",type="cmd",param="nslookup %{eLogin}")
Alert example in Kibana
REST API Send event in JSON format POST /api/events View all registered modules GET /api/modules/registered View all registered Esper statements or queries GET api/modules/statements Reload data in named window POST /api/window/reload/{moduleName}/{winName} Deploy all modules POST api/modules/deploy Module deletion DELETE /api/modules Module syntax validation POST api/modules/validate Do on demand query POST /api/query
Links Esper docs http://www.espertech.com/esper/documentation.php Solution patterns with description http://www.espertech.com/esper/solution_patterns.php EPL editor and debugger http://esper-epl-tryout.appspot.com/epltryout/mainform.html CorReactive engine (special for ZeroNights 2015) http://correactive.sourceforge.net/
Thank you! Questions?

Recommended

Backdoor coding
Backdoor codingBackdoor coding
Backdoor codingabdesslem amri
 
Orsiso
OrsisoOrsiso
Orsisoe27
 
Rx – reactive extensions
Rx – reactive extensionsRx – reactive extensions
Rx – reactive extensionsVoislav Mishevski
 
5 Rmi Print
5 Rmi Print5 Rmi Print
5 Rmi Printvaradasuren
 
2019-10-05 - Untangled - Voxxed days ticino
2019-10-05 - Untangled - Voxxed days ticino2019-10-05 - Untangled - Voxxed days ticino
2019-10-05 - Untangled - Voxxed days ticinoArnaud Bos
 
Der perfekte 12c trigger
Der perfekte 12c triggerDer perfekte 12c trigger
Der perfekte 12c triggersyntegris information solutions GmbH
 
Base de-datos
Base de-datosBase de-datos
Base de-datosferney1428
 
Java Practical File Diploma
Java Practical File DiplomaJava Practical File Diploma
Java Practical File Diplomamustkeem khan
 

Recommended

Backdoor coding
Backdoor codingBackdoor coding
Backdoor codingabdesslem amri
 
Orsiso
OrsisoOrsiso
Orsisoe27
 
Rx – reactive extensions
Rx – reactive extensionsRx – reactive extensions
Rx – reactive extensionsVoislav Mishevski
 
5 Rmi Print
5 Rmi Print5 Rmi Print
5 Rmi Printvaradasuren
 
2019-10-05 - Untangled - Voxxed days ticino
2019-10-05 - Untangled - Voxxed days ticino2019-10-05 - Untangled - Voxxed days ticino
2019-10-05 - Untangled - Voxxed days ticinoArnaud Bos
 
Der perfekte 12c trigger
Der perfekte 12c triggerDer perfekte 12c trigger
Der perfekte 12c triggersyntegris information solutions GmbH
 
Base de-datos
Base de-datosBase de-datos
Base de-datosferney1428
 
Java Practical File Diploma
Java Practical File DiplomaJava Practical File Diploma
Java Practical File Diplomamustkeem khan
 
Oop assignment 02
Oop assignment 02Oop assignment 02
Oop assignment 02MamoonKhan39
 
37c
37c37c
37cSireesh K
 
java program assigment -2
java program assigment -2java program assigment -2
java program assigment -2Ankit Gupta
 
Core java pract_sem iii
Core java pract_sem iiiCore java pract_sem iii
Core java pract_sem iiiNiraj Bharambe
 
VISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLEVISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLEDarwin Durand
 
java assignment
java assignmentjava assignment
java assignmentJack Eastwood
 
Angular2 rxjs
Angular2 rxjsAngular2 rxjs
Angular2 rxjsChristoffer Noring
 
DSU C&C++ Practical File Diploma
DSU C&C++ Practical File DiplomaDSU C&C++ Practical File Diploma
DSU C&C++ Practical File Diplomamustkeem khan
 
merged_document_3
merged_document_3merged_document_3
merged_document_3tori hoff
 
DCN Practical
DCN PracticalDCN Practical
DCN PracticalNiraj Bharambe
 
Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020vrgokila
 
Angular and The Case for RxJS
Angular and The Case for RxJSAngular and The Case for RxJS
Angular and The Case for RxJSSandi Barr
 
Java programs
Java programsJava programs
Java programsjojeph
 
The Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not HarderThe Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not HarderSven Peters
 
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...Sunil Kumar Gunasekaran
 
Example of JAVA Program
Example of JAVA ProgramExample of JAVA Program
Example of JAVA ProgramTrenton Asbury
 
Ensure code quality with vs2012
Ensure code quality with vs2012Ensure code quality with vs2012
Ensure code quality with vs2012Sandeep Joshi
 
Rxjs ppt
Rxjs pptRxjs ppt
Rxjs pptChristoffer Noring
 
Microsoft Ado
Microsoft AdoMicrosoft Ado
Microsoft Adooswchavez
 
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloading2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloadingkinan keshkeh
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through CorrelationAnton Chuvakin
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 

More Related Content

What's hot

java program assigment -2
java program assigment -2java program assigment -2
java program assigment -2Ankit Gupta
 
Core java pract_sem iii
Core java pract_sem iiiCore java pract_sem iii
Core java pract_sem iiiNiraj Bharambe
 
VISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLEVISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLEDarwin Durand
 
DSU C&C++ Practical File Diploma
DSU C&C++ Practical File DiplomaDSU C&C++ Practical File Diploma
DSU C&C++ Practical File Diplomamustkeem khan
 
merged_document_3
merged_document_3merged_document_3
merged_document_3tori hoff
 
Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020vrgokila
 
Angular and The Case for RxJS
Angular and The Case for RxJSAngular and The Case for RxJS
Angular and The Case for RxJSSandi Barr
 
Java programs
Java programsJava programs
Java programsjojeph
 
The Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not HarderThe Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not HarderSven Peters
 
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...Sunil Kumar Gunasekaran
 
Example of JAVA Program
Example of JAVA ProgramExample of JAVA Program
Example of JAVA ProgramTrenton Asbury
 
Ensure code quality with vs2012
Ensure code quality with vs2012Ensure code quality with vs2012
Ensure code quality with vs2012Sandeep Joshi
 
Microsoft Ado
Microsoft AdoMicrosoft Ado
Microsoft Adooswchavez
 
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloading2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloadingkinan keshkeh
 

What's hot (20)

Oop assignment 02
Oop assignment 02Oop assignment 02
Oop assignment 02
 
37c
37c37c
37c
 
java program assigment -2
java program assigment -2java program assigment -2
java program assigment -2
 
Core java pract_sem iii
Core java pract_sem iiiCore java pract_sem iii
Core java pract_sem iii
 
VISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLEVISUALIZAR REGISTROS EN UN JTABLE
VISUALIZAR REGISTROS EN UN JTABLE
 
java assignment
java assignmentjava assignment
java assignment
 
Angular2 rxjs
Angular2 rxjsAngular2 rxjs
Angular2 rxjs
 
DSU C&C++ Practical File Diploma
DSU C&C++ Practical File DiplomaDSU C&C++ Practical File Diploma
DSU C&C++ Practical File Diploma
 
merged_document_3
merged_document_3merged_document_3
merged_document_3
 
DCN Practical
DCN PracticalDCN Practical
DCN Practical
 
Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020Basic c programs updated on 31.8.2020
Basic c programs updated on 31.8.2020
 
Angular and The Case for RxJS
Angular and The Case for RxJSAngular and The Case for RxJS
Angular and The Case for RxJS
 
Java programs
Java programsJava programs
Java programs
 
The Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not HarderThe Effective Developer - Work Smarter, Not Harder
The Effective Developer - Work Smarter, Not Harder
 
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
Java programs - bubble sort, iterator, linked list, hash set, reverse string,...
 
Example of JAVA Program
Example of JAVA ProgramExample of JAVA Program
Example of JAVA Program
 
Ensure code quality with vs2012
Ensure code quality with vs2012Ensure code quality with vs2012
Ensure code quality with vs2012
 
Rxjs ppt
Rxjs pptRxjs ppt
Rxjs ppt
 
Microsoft Ado
Microsoft AdoMicrosoft Ado
Microsoft Ado
 
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloading2 BytesC++ course_2014_c3_ function basics&parameters and overloading
2 BytesC++ course_2014_c3_ function basics&parameters and overloading
 

Viewers also liked

Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through CorrelationAnton Chuvakin
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...Ertugrul Akbas
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment Systema3sec
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent MonitoringIntelie
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMImproving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMAnton Goncharov
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Bryan Borra
 
Big Data Security with HP ArcSight
Big Data Security with HP ArcSightBig Data Security with HP ArcSight
Big Data Security with HP ArcSightSridhar Karnam
 
Complex Event Processing with Esper
Complex Event Processing with EsperComplex Event Processing with Esper
Complex Event Processing with EsperAntónio Alegria
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016IBM Security
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsIBM Security
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewbrty_ngtglobal
 

Viewers also liked (16)

Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
 
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
SIEM Surelog Arcsight Qradar LogRhythm Alienvault Solarwinds LEM Performance...
 
A3Sec Advanced Deployment System
A3Sec Advanced Deployment SystemA3Sec Advanced Deployment System
A3Sec Advanced Deployment System
 
Intelligent Monitoring
Intelligent MonitoringIntelligent Monitoring
Intelligent Monitoring
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMImproving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
 
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
Tips and tricks for MSSPs leveraging HPE Security ArcSight ESM to win proof o...
 
Big Data Security with HP ArcSight
Big Data Security with HP ArcSightBig Data Security with HP ArcSight
Big Data Security with HP ArcSight
 
Complex Event Processing with Esper
Complex Event Processing with EsperComplex Event Processing with Esper
Complex Event Processing with Esper
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence Overview
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 20165 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016
 
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network InsightsNowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
Nowhere to Hide: Expose Threats in Real-time with IBM QRadar Network Insights
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
HP ArcSight
HP ArcSight HP ArcSight
HP ArcSight
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewb
 

Similar to CEP for security event correlation and detection with CorReactive

Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)
Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)
Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)Dan Robinson
 
Quest 1 define a class batsman with the following specifications
Quest 1 define a class batsman with the following specificationsQuest 1 define a class batsman with the following specifications
Quest 1 define a class batsman with the following specificationsrajkumari873
 
JSON Schema: Your API's Secret Weapon
JSON Schema: Your API's Secret WeaponJSON Schema: Your API's Secret Weapon
JSON Schema: Your API's Secret WeaponPete Gamache
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and CEleanor McHugh
 
Multi client
Multi clientMulti client
Multi clientganteng8
 
JS Fest 2019 Node.js Antipatterns
JS Fest 2019 Node.js AntipatternsJS Fest 2019 Node.js Antipatterns
JS Fest 2019 Node.js AntipatternsTimur Shemsedinov
 
A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark Anyscale
 
code for quiz in my sql
code for quiz in my sql code for quiz in my sql
code for quiz in my sql JOYITAKUNDU1
 
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...confluent
 
Imugi: Compiler made with Python
Imugi: Compiler made with PythonImugi: Compiler made with Python
Imugi: Compiler made with PythonHan Lee
 
Not sure why my program wont run.Programmer S.Villegas helper N.pdf
Not sure why my program wont run.Programmer S.Villegas helper N.pdfNot sure why my program wont run.Programmer S.Villegas helper N.pdf
Not sure why my program wont run.Programmer S.Villegas helper N.pdfwasemanivytreenrco51
 
Cnam azure 2014 mobile services
Cnam azure 2014 mobile servicesCnam azure 2014 mobile services
Cnam azure 2014 mobile servicesAymeric Weinbach
 
MultiClient chatting berbasis gambar
MultiClient chatting berbasis gambarMultiClient chatting berbasis gambar
MultiClient chatting berbasis gambaryoyomay93
 
Embedded Typesafe Domain Specific Languages for Java
Embedded Typesafe Domain Specific Languages for JavaEmbedded Typesafe Domain Specific Languages for Java
Embedded Typesafe Domain Specific Languages for JavaJevgeni Kabanov
 
Laporan multiclient chatting berbasis grafis (gambar)
Laporan multiclient chatting berbasis grafis (gambar)Laporan multiclient chatting berbasis grafis (gambar)
Laporan multiclient chatting berbasis grafis (gambar)Rara Ariesta
 
Java Question---------------------------FacebookApp(Main).jav.pdf
Java Question---------------------------FacebookApp(Main).jav.pdfJava Question---------------------------FacebookApp(Main).jav.pdf
Java Question---------------------------FacebookApp(Main).jav.pdfambersushil
 

Similar to CEP for security event correlation and detection with CorReactive (20)

Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)
Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)
Powering Heap With PostgreSQL And CitusDB (PGConf Silicon Valley 2015)
 
Quest 1 define a class batsman with the following specifications
Quest 1 define a class batsman with the following specificationsQuest 1 define a class batsman with the following specifications
Quest 1 define a class batsman with the following specifications
 
dSS API by example
dSS API by exampledSS API by example
dSS API by example
 
JAVA.pdf
JAVA.pdfJAVA.pdf
JAVA.pdf
 
JSON Schema: Your API's Secret Weapon
JSON Schema: Your API's Secret WeaponJSON Schema: Your API's Secret Weapon
JSON Schema: Your API's Secret Weapon
 
Implementing Software Machines in Go and C
Implementing Software Machines in Go and CImplementing Software Machines in Go and C
Implementing Software Machines in Go and C
 
07-Basic-Input-Output.ppt
07-Basic-Input-Output.ppt07-Basic-Input-Output.ppt
07-Basic-Input-Output.ppt
 
Multi client
Multi clientMulti client
Multi client
 
JS Fest 2019 Node.js Antipatterns
JS Fest 2019 Node.js AntipatternsJS Fest 2019 Node.js Antipatterns
JS Fest 2019 Node.js Antipatterns
 
A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark A Deep Dive into Structured Streaming in Apache Spark
A Deep Dive into Structured Streaming in Apache Spark
 
code for quiz in my sql
code for quiz in my sql code for quiz in my sql
code for quiz in my sql
 
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...
Kafka Summit NYC 2017 - Easy, Scalable, Fault-tolerant Stream Processing with...
 
Imugi: Compiler made with Python
Imugi: Compiler made with PythonImugi: Compiler made with Python
Imugi: Compiler made with Python
 
Not sure why my program wont run.Programmer S.Villegas helper N.pdf
Not sure why my program wont run.Programmer S.Villegas helper N.pdfNot sure why my program wont run.Programmer S.Villegas helper N.pdf
Not sure why my program wont run.Programmer S.Villegas helper N.pdf
 
Cnam azure 2014 mobile services
Cnam azure 2014 mobile servicesCnam azure 2014 mobile services
Cnam azure 2014 mobile services
 
MultiClient chatting berbasis gambar
MultiClient chatting berbasis gambarMultiClient chatting berbasis gambar
MultiClient chatting berbasis gambar
 
3 database-jdbc(1)
3 database-jdbc(1)3 database-jdbc(1)
3 database-jdbc(1)
 
Embedded Typesafe Domain Specific Languages for Java
Embedded Typesafe Domain Specific Languages for JavaEmbedded Typesafe Domain Specific Languages for Java
Embedded Typesafe Domain Specific Languages for Java
 
Laporan multiclient chatting berbasis grafis (gambar)
Laporan multiclient chatting berbasis grafis (gambar)Laporan multiclient chatting berbasis grafis (gambar)
Laporan multiclient chatting berbasis grafis (gambar)
 
Java Question---------------------------FacebookApp(Main).jav.pdf
Java Question---------------------------FacebookApp(Main).jav.pdfJava Question---------------------------FacebookApp(Main).jav.pdf
Java Question---------------------------FacebookApp(Main).jav.pdf
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 

CEP for security event correlation and detection with CorReactive

  • 1. Security events correlation with Nikolay Klendar bsploit gmail.com
  • 2. Complex Event Processing (correlation) * - is event processing that combines data from multiple sourcesto infer events or patterns that suggest more complicated circumstances. INTRO *Wikipedia
  • 3. Library used for development Java, .NET Processes event STREAMS of predefined types. Esper does not parse events! Processing rules (correlation rules) are defined with Event Processing Language (EPL) similar to SQL
  • 4. Network scan detection Type event: timestamp:string type: string src_ip: string dst_ip: string src_port:int dst_port: int bytes_sent: int bytes_recieved: int login: string Allowed monitoring systmes Annotation All dst_ip within 30 sec @Name('Scan') SELECT src_ip,window(dst_ip) FROM event (type='firewall' AND src_ip NOT IN ('10.0.0.1','10.0.0.2') ).win:time(30 sec) /*sliding time window*/ GROUP BY src_ip HAVING count(distinct dst_ip) > 50 output first every 1 hour /*1 event per hour*/
  • 5. Worm spreading detection INSERT INTO scanning SELECT src_ip,window(dst_ip) targets FROM event().win:time(10 min).std:unique(dst_ip) GROUP BY src_ip HAVING count(distinct dst_ip)>50; { src_ip='10.0.0.1', targets=['192.168.0.1', '192.168.0.2',…,'192.168.0.254']} { src_ip='192.168.0.2', targets=['192.167.0.1','192.167.0 .2',…,'192.167.0.254']} @Name('warm_spreading') SELECT a.src_ip,b.src_ip,b.targets FROM pattern[ every a=scanning -> b=scanning ( b.src_ip!=a.src_ip AND Arrays.asList(a.targets).contains(b.src_ip) ) WHERE timer:within(1 min) ]; {a.src_ip='10.0.0.1', b.src_ip='192.168.0.2', b.targets=[' 192.167.0.2 ',…, '192.167.0.2 ',' 192.167.0.2 ']}
  • 6. Money laundering detection @Name('obnal') SELECT a.transaction,a.clientid,a.amount income, c.sumOf(i=>i.amount)+b.amount total FROM PATTERN[ EVERY a=event(transaction like 'card_income') -> b=event(b.clientid=a.clientid AND transaction = 'card_outcome') WHERE timer:within(3 hour) -> ( [3: ] c=event(c.clientid=a.clientid AND transaction = 'card_outcome' ) until timer:interval(20 min) ) ] Total money transferred to card Total outcome
  • 7. Join & enrichment SELECT S.src_ip, S.targets, L.login,L.last_seen FROM scanning.std:lastevent() as S LEFT OUTER JOIN LoginsIP L on L.ip = S.src_ip GROUP BY S.src_ip output first every 1 hour; CREATE WINDOW LoginsIP.std:unique(ip) as (ip string, login string, last_seen string); INSRT INTO LoginsIP SELECT src_ip as ip, login.toLowerCase() as login, timestamp as last_seen FROM Event( type='windows' AND eventid='4624' AND src_ip IS NOT NULL AND login IS NOT NULL AND login!='ANONYMOUS LOGON' AND login NOT LIKE '%$' ); { S.src_ip='10.0.0.1', L.login='ivanov', L.last_seen='17.11.2015 12:00:00' S.targets=[' 192.167.0.2 ',…, '192.167.0.2 ',' 192.167.0.2 '] }
  • 8. Integration with external sources SELECT src_ip from event(type='firewall') as fw, SQL:mysql ['select tornode_ip from tor_nodes'] as tor where fw.src_ip=tor.tornode_ip
  • 10. Building user profile create window loginProfileASN.win:keepall() (login string,param string,value string,v_count long) create window loginProfileTotal.win:keepall() (login string,param string,total long) ON EVENT() e MERGE loginProfileASN p where p.login=e.login and p.value=(e.geoip('asn')).toString() when not matched then insert select login,'ASN' param, geoip('asn') value,1L v_count when matched then update set p.v_count = p.v_count+1 ON EVENT() e MERGE loginProfileTotal p where p.login=e.login when not matched then insert select login,'ASN' param, 1L total when matched then update set p.total = p.total+1
  • 11. Deviation from profile SELECT e.login,e.geoip('asn') asn, e.src_ip, v.v_count count,t.total, cast((100-100*v.v_count/t.total),int) score FROM event().std:lastevent() e, loginProfileASN v, loginProfileTotal t where v.login=e.login and v.value=(e.geoip('asn')).toString() and t.login = e.login and (100-100*v.v_count/t.total)>97
  • 12. CorReactive and integration with ELK Logstash config output { redis { host => "127.0.0.1" db => 0 data_type => "list " batch => true batch_events=>500 key => "events” codec => json } } CorReactive config Collect events "inputs":[ { "type": "redis", "config":{ "host": "localhost", "port": 6379, "db": 0, "queue":"events", "batch_count":500, "reconnect_timeout":60 } } ] CorReactive config Return alerts "outputs":[ { "type":"redis", "id":1, "config":{ "host": "localhost", "queue":"alerts", "port": 6379, "db": 0, "reconnect_timeout":60, "batch_count" :1 } } ]
  • 13. CorReactive configuration steps 1. conf/types: Extend base event type “event”, add new fields 2. conf/modules: Add new EPL modules (correlation rules) If one module depends on another use special directive: uses dependent_module; http://goo.gl/9pvlIj 3. Configure inputs and outputs
  • 14. CorReactive special annotations Alert generation to output channel @Alert(name='newalert',outID=1) Save data from named window to disk every 5 minutes. Saved data is automatically restored to named window during loading stage @Persist Named window data reloading every 5 minutes from csv file located in var/winload @Load(file="data.csv",format="csv",delim="; ") Dynamically alert enrichment with data from external command output or on demand query. Enrichment of enrichment is supported. @Enrich(dst="eLogin",type="window", param="select src_ip from loginip where login='%{login}'") @Enrich(dst="nsresult",type="cmd",param="nslookup %{eLogin}")
  • 16. REST API Send event in JSON format POST /api/events View all registered modules GET /api/modules/registered View all registered Esper statements or queries GET api/modules/statements Reload data in named window POST /api/window/reload/{moduleName}/{winName} Deploy all modules POST api/modules/deploy Module deletion DELETE /api/modules Module syntax validation POST api/modules/validate Do on demand query POST /api/query
  • 17. Links Esper docs http://www.espertech.com/esper/documentation.php Solution patterns with description http://www.espertech.com/esper/solution_patterns.php EPL editor and debugger http://esper-epl-tryout.appspot.com/epltryout/mainform.html CorReactive engine (special for ZeroNights 2015) http://correactive.sourceforge.net/