Title: Automated detection testing – to integrate automated attack simulation and triaging with the right event logs
Authors: TAM, HOI CHON(譚凱竣)
Department: Department of Computer and Information Science
Faculty: Faculty of Science and Technology
Issue Date: May-2023
Citation: Tam, H. C. (2023). Automated detection testing – to integrate automated attack simulation and triaging with the right event logs (Outstanding Academic Papers by Students (OAPS)). Retrieved from University of Macau, Outstanding Academic Papers by Students Repository.
Abstract: In this decade, the concern about and the impact of malicious attacks have been growing, since malicious incidents occur more frequently and are easier to carry out. Many companies and organizations are putting more effort into protecting their assets in cyberspace, so more investigation and analysis is needed in the security field, whether in the Red Team or the Blue Team. The project aims to provide a solution that automates the detection of adversary activity, based on event logs and the correlation between them. It is an enhancement of a traditional SIEM architecture that helps security analysts work effectively and efficiently. The project provides a way to run automated attack simulations on selected machines; the attack tests are taken from Atomic Red Team, which is based on MITRE's ATT&CK framework. The platform we use to collect logs from the target machine for analysis and display in the dashboard is Wazuh, a security monitoring solution that collects event logs, detects malicious activity, and triggers alerts on suspicious events based on default or custom detection rules written for Wazuh. The project can therefore be separated into two main sections. The first is the program that runs the automated simulation and displays the alerts triggered once the Wazuh detection rules have been written. The second is the visualization of the events in an interactive graph, which supports the detection of a real cyberattack by correlating event logs in the graph; the application also lets the user specify the correlation rule so that events are correlated as the user wants. We developed more than one hundred custom Wazuh rules that fire on the attack simulation; all of them are XML written according to the Wazuh rule syntax.
The automated attack and detection program is written in Python; it connects to the target machine over a socket to execute our attack commands, then connects to Wazuh through the Elasticsearch API to collect the event logs or alerts. The web application that displays the alerted event logs and their correlation is written in HTML, CSS, and JavaScript, and relies on GoJS to draw the correlation graph. Because of the scope of our project, our attack cases and detection rules cover only Linux machines; Windows and Mac machines are not included. The employees at PwC will ultimately use our applications to assist them in their daily tasks.
Instructor: Prof. Yibo Bob ZHANG
Programme: Bachelor of Science in Computer Science
Appears in Collections: FST OAPS 2023