Security/Automation/Winter Of Security 2015/MIG: Cross-platform log monitoring for threat detection

From MozillaWiki

Team

Introduction

<to be filled in by the team>

Members

Project

Description

Mozilla InvestiGator (MIG) is a digital forensics platform that Mozilla uses to monitor the security of its servers. MIG deploys an agent on each system, and investigators query those agents to maintain the security of the infrastructure. The goal of this project is to add a log monitoring component to the MIG agent that continuously reads the logs of a system and triggers alerts on specific patterns (string matching, the same message repeated more than a threshold number of times within a sliding window, etc.). The log monitoring component must be written in Go and must support Linux, MacOS and Windows log analysis. Beyond basic log monitoring, a successful team will be encouraged to evaluate heuristic-based threat detection, and how groups of agents can be used together to identify unusual behaviors.
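
As an added illustration of the component described above (this is not code from MIG or from the project team), the Go program below applies two kinds of rule to a handful of constructed sshd syslog lines: a plain pattern match that alerts on every hit, and a repeated-message rule that alerts once the same pattern has fired for the same key (here the source address) a threshold number of times within a sliding time window. The rule names, thresholds, window length and log lines are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strings"
	"time"
)

// Rule is one detection. Threshold <= 1 alerts on every match; otherwise an alert fires
// when Threshold matches for the same key fall inside the sliding Window. The key is the
// pattern's last capture group (e.g. the source IP), or the whole match if it has none.
type Rule struct {
	Name      string
	Pattern   *regexp.Regexp
	Threshold int
	Window    time.Duration
}

type Alert struct {
	Rule  string
	Key   string
	Count int
	At    time.Time
}

// Monitor keeps, per rule and key, the timestamps of matches still inside the window.
type Monitor struct {
	rules  []Rule
	recent map[string][]time.Time
}

// Observe feeds one log line with its timestamp and returns the alerts it triggers.
func (m *Monitor) Observe(line string, ts time.Time) []Alert {
	var alerts []Alert
	for _, r := range m.rules {
		sub := r.Pattern.FindStringSubmatch(line)
		if sub == nil {
			continue
		}
		key := sub[len(sub)-1]
		if r.Threshold <= 1 {
			alerts = append(alerts, Alert{r.Name, key, 1, ts})
			continue
		}
		id := r.Name + "|" + key
		times, cutoff := m.recent[id], ts.Add(-r.Window)
		for len(times) > 0 && !times[0].After(cutoff) { // evict matches that left the window
			times = times[1:]
		}
		times = append(times, ts)
		if len(times) >= r.Threshold {
			alerts = append(alerts, Alert{r.Name, key, len(times), ts})
			times = nil // one alert per burst: start a fresh window
		}
		m.recent[id] = times
	}
	return alerts
}

// parseSyslogTime reads the "Oct 15 10:00:01" prefix of a classic syslog line. Syslog
// omits the year, so the value is only meaningful relative to neighbouring lines.
func parseSyslogTime(line string) (time.Time, bool) {
	if len(line) < 15 {
		return time.Time{}, false
	}
	ts, err := time.Parse("Jan _2 15:04:05", line[:15])
	return ts, err == nil
}

// Run scans a log stream; a line without a parsable timestamp reuses the previous one's.
func Run(r io.Reader, m *Monitor) ([]Alert, error) {
	var alerts []Alert
	var last time.Time
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if ts, ok := parseSyslogTime(sc.Text()); ok {
			last = ts
		}
		alerts = append(alerts, m.Observe(sc.Text(), last)...)
	}
	return alerts, sc.Err()
}

// Constructed sshd lines and assumed rules for the example; neither is real Mozilla data.
const sampleLog = `Oct 15 10:00:01 bastion sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Oct 15 10:00:03 bastion sshd[4023]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Oct 15 10:00:05 bastion sshd[4025]: Failed password for root from 192.0.2.20 port 40100 ssh2
Oct 15 10:00:06 bastion sshd[4027]: Failed password for invalid user oracle from 192.0.2.10 port 51024 ssh2
Oct 15 10:01:30 bastion sshd[4031]: Accepted publickey for root from 198.51.100.7 port 2222 ssh2
Oct 15 10:05:00 bastion sshd[4040]: Failed password for invalid user test from 192.0.2.10 port 51030 ssh2
`

var rules = []Rule{
	{Name: "ssh-bruteforce", Threshold: 3, Window: 60 * time.Second,
		Pattern: regexp.MustCompile(`Failed password for .* from (\d+\.\d+\.\d+\.\d+)`)},
	{Name: "root-login", Pattern: regexp.MustCompile(`Accepted \w+ for root from (\S+)`)},
}

// RunSample applies the rules to the constructed log and returns the alerts raised.
func RunSample() []Alert {
	alerts, _ := Run(strings.NewReader(sampleLog), &Monitor{rules: rules, recent: map[string][]time.Time{}})
	return alerts
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("%s %-14s key=%s count=%d\n", a.At.Format("15:04:05"), a.Rule, a.Key, a.Count)
	}
}
```

On the constructed input this raises two alerts: one ssh-bruteforce alert for 192.0.2.10 at 10:00:06 (three failures inside 60 seconds; the fourth failure at 10:05:00 starts a new window and stays quiet) and one root-login alert for 198.51.100.7. In a real agent the per-key state should be bounded or expired so that a scan of many source addresses cannot grow the map without limit, and the syslog prefix parsing would be replaced by each platform's own log reader (journald, the Windows event log, macOS logging); the detection logic itself does not depend on where the lines come from.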

Success Criteria

This project is successful if it provides a Go module that can be integrated into MIG to perform log monitoring of endpoints and detection of fraudulent activity. The primary target operating system is Linux, but Windows, MacOS, iOS and Android should also be considered. Additionally, the module should be generic enough to be portable to other log pipelines, such as Heka.

Updates

Week Ending 2015-10-08

<to be filled in by the team>

Will update the details of all the other weeks.


Week Ending 2015-10-15

  • Study results
  • Create a feature extractor on the ssh logs you gave
  • Do a K-means clustering on them
  • Initially manually tag labels on them
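
The pipeline planned in the items above (extract features per source address from the ssh logs, run K-means on them, then tag the resulting clusters by hand), as an added example that is not the team's code and not part of the original page. The sshd lines are constructed; the three features (failed attempts, distinct usernames tried, share of attempts against non-existent accounts) and the evenly spaced seeding are choices made for this illustration, not something the page specifies.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd failures standing in for the ssh logs the team received; not real data.
const sshLog = `Oct 16 02:11:01 bastion sshd[7001]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Oct 16 02:11:02 bastion sshd[7002]: Failed password for invalid user oracle from 192.0.2.10 port 50002 ssh2
Oct 16 02:11:03 bastion sshd[7003]: Failed password for invalid user admin from 192.0.2.10 port 50003 ssh2
Oct 16 02:12:10 bastion sshd[7010]: Failed password for invalid user ubnt from 192.0.2.11 port 50010 ssh2
Oct 16 02:12:11 bastion sshd[7011]: Failed password for root from 192.0.2.11 port 50011 ssh2
Oct 16 09:30:00 bastion sshd[7100]: Failed password for alice from 198.51.100.7 port 60001 ssh2
Oct 16 09:31:00 bastion sshd[7101]: Failed password for bob from 198.51.100.8 port 60002 ssh2
Oct 16 09:31:05 bastion sshd[7102]: Failed password for bob from 198.51.100.8 port 60003 ssh2
`

var failedRe = regexp.MustCompile(`Failed password for (invalid user )?(\S+) from (\S+) port`)

// ExtractFeatures aggregates sshd failures per source address. It returns the addresses,
// sorted, and one feature vector per address:
// [failed attempts, distinct usernames tried, share of attempts against non-existent users].
func ExtractFeatures(log string) (ips []string, X [][]float64) {
	fails, invalid, users := map[string]int{}, map[string]int{}, map[string]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ip := m[3]
		fails[ip]++
		if m[1] != "" {
			invalid[ip]++
		}
		if users[ip] == nil {
			users[ip] = map[string]bool{}
		}
		users[ip][m[2]] = true
	}
	for ip := range fails {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	for _, ip := range ips {
		X = append(X, []float64{float64(fails[ip]), float64(len(users[ip])), float64(invalid[ip]) / float64(fails[ip])})
	}
	return ips, X
}

// KMeans runs Lloyd's algorithm on the rows of X and returns a cluster index per row.
// Seeds are rows spaced evenly through X so a run is reproducible; k-means++ seeding is
// the usual improvement on real data. Assumes 1 <= k <= len(X).
func KMeans(X [][]float64, k, maxIter int) []int {
	sq := func(a, b []float64) (d float64) { // squared Euclidean distance
		for i := range a {
			d += (a[i] - b[i]) * (a[i] - b[i])
		}
		return d
	}
	cent := make([][]float64, k)
	for j := range cent {
		cent[j] = append([]float64(nil), X[j*len(X)/k]...)
	}
	assign := make([]int, len(X))
	for it := 0; it < maxIter; it++ {
		changed := it == 0 // always update centroids after the first assignment
		for i, x := range X {
			c := 0
			for j := 1; j < k; j++ {
				if sq(x, cent[j]) < sq(x, cent[c]) {
					c = j
				}
			}
			changed = changed || assign[i] != c
			assign[i] = c
		}
		if !changed {
			break
		}
		for j := range cent { // move each centroid to the mean of its members
			sum, n := make([]float64, len(cent[j])), 0
			for i, x := range X {
				if assign[i] == j {
					n++
					for f, v := range x {
						sum[f] += v
					}
				}
			}
			for f := range sum {
				if n > 0 {
					cent[j][f] = sum[f] / float64(n)
				}
			}
		}
	}
	return assign
}

func main() {
	ips, X := ExtractFeatures(sshLog)
	for i, c := range KMeans(X, 2, 50) { // the clusters are then tagged by hand
		fmt.Printf("cluster %d  %-13s %v\n", c, ips[i], X[i])
	}
}
```

On this input the two addresses cycling through non-existent accounts land in one cluster and the two hosts with a single mistyped password in the other, which is the point at which a person attaches labels such as "scanner" and "benign" to the clusters. Two caveats for real volumes: the feature columns have different scales (counts versus a ratio), so each should be rescaled, for instance min-max to [0,1], before clustering or the attempt count dominates the distance; and K-means needs k chosen in advance, so the number of clusters is itself something to validate against the hand-tagged sample.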

Week Ending 2015-10-29

  • Parsed initial logs using two different naive methods, just to see how we can classify them (in Python).
  • Separate, modular implementation of a random forest algorithm (in Go).