Stream computing for large-scale, multi-channel cyber threat analytics

Abstract

The cyber threat landscape, controlled by organized crime and nation states, is evolving rapidly towards evasive, multi-channel attacks, as impressively shown by malicious operations such as GhostNet, Aurora, Stuxnet, Night Dragon, or APT1. As threats blend across diverse data channels, their detection requires scalable distributed monitoring and cross-correlation with a substantial amount of contextual information. With threats evolving more rapidly, the classical defense life cycle of post-mortem detection, analysis, and signature creation becomes less effective. In this paper, we present a highly-scalable, dynamic cybersecurity analytics platform extensible at runtime. It is specifically designed and implemented to deliver generic capabilities as a basis for future cybersecurity analytics that effectively detect threats across multiple data channels while recording relevant context information, and that support automated learning and mining for new and evolving malware behaviors. Our implementation is based on stream computing middleware that has proven high scalability, and that enables cross-correlation and analysis of millions of events per second with millisecond latency. We report the lessons we have learned from applying stream computing to monitoring malicious activity across multiple data channels (e.g., DNS, NetFlow, ARP, DHCP, HTTP) in a production network of about fifteen thousand nodes.