Abstract
As servers move to the cloud, sources for security analysis become more limited. Security teams must make the most of the resources available to them. Our project attempts to fulfill this need by providing a template-based application to analyze and detect security events in logs that are available in cloud environments. We focus on authentication logs, but analysis modules can be added to flag anomalies in any log.
The deliverables include log analysis modules that detect successive repeated failures, location-based anomalies, and excessive failed login attempts across multiple accounts. To present our findings, we output the results to a web interface for further analysis by a security team.
Our project was limited by time, knowledge, available hardware and log sources. Under these constraints we developed a server-based solution that analyzes authentication logs and presents the data in an easily understood format.
An authentication log for a large organization can contain millions of events. To narrow this large volume of information down to a manageable number of interesting events, we analyzed the data against a set of criteria we proposed. The information that results from the analysis is easily read and can be used for further investigation into possible malicious behavior.
The market impact of a comprehensive security engine capable of analyzing large amounts of seemingly unconnected data and reducing them into only the interesting entries would be significant. It would save security teams time, improve the incident detection efficiency, and help focus efforts and funds where they are needed most.
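The three detection criteria named in the abstract, written out as an added example (not the project's own code): each rule runs over a constructed, simplified event tuple format that is an assumption here, not the log format the project used.

```python
from collections import defaultdict

# Constructed sample events (not the project's log format):
# (timestamp, account, source_ip, country, outcome)
SAMPLE_EVENTS = [
    ("2016-08-01T09:00:00", "alice", "10.0.0.5", "US", "fail"),
    ("2016-08-01T09:00:10", "alice", "10.0.0.5", "US", "fail"),
    ("2016-08-01T09:00:20", "alice", "10.0.0.5", "US", "fail"),
    ("2016-08-01T09:01:00", "alice", "10.0.0.5", "US", "success"),
    ("2016-08-01T09:05:00", "bob", "10.0.0.7", "US", "success"),
    ("2016-08-01T09:30:00", "bob", "203.0.113.9", "BR", "success"),
    ("2016-08-01T10:00:00", "carol", "198.51.100.2", "US", "fail"),
    ("2016-08-01T10:00:05", "dave", "198.51.100.2", "US", "fail"),
    ("2016-08-01T10:00:10", "erin", "198.51.100.2", "US", "fail"),
]

def successive_failures(events, threshold=3):
    """Flag accounts with at least `threshold` consecutive failures (a success resets the streak)."""
    streak = defaultdict(int)
    flagged = set()
    for _, user, _, _, outcome in events:
        if outcome == "fail":
            streak[user] += 1
            if streak[user] >= threshold:
                flagged.add(user)
        else:
            streak[user] = 0
    return flagged

def location_anomalies(events):
    """Flag a successful login whose country differs from the account's previous success."""
    last_country = {}
    flagged = []
    for ts, user, _, country, outcome in events:
        if outcome != "success":
            continue
        prev = last_country.get(user)
        if prev is not None and prev != country:
            flagged.append((user, prev, country, ts))
        last_country[user] = country
    return flagged

def multi_account_failures(events, min_accounts=3):
    """Flag source IPs whose failures span at least `min_accounts` distinct accounts."""
    failed = defaultdict(set)
    for _, user, src, _, outcome in events:
        if outcome == "fail":
            failed[src].add(user)
    return {src for src, users in failed.items() if len(users) >= min_accounts}
```

The thresholds are tuning knobs; in practice they would be set per environment and the flagged tuples would be what the web interface displays for triage.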
Publication Date
2016
Keywords
Computer engineering, anomaly, cloud, log, security
Disciplines
Computer Engineering | Engineering
Faculty Advisor/Mentor
Carol Fung
Randy Harris
VCU Capstone Design Expo Posters
Rights
© The Author(s)
Date of Submission
August 2016