1. Method of finding the minimum number of sources of indicators of compromise to cover the maximum set

Sydorenko, Kateryna January 2023 (has links)
Background. With the increasing demand for cybersecurity, there is a growing interest in understanding cyber-attack surfaces and vectors. Security Operation Centers (SOCs) play a crucial role in defensive cybersecurity, and Security Information and Event Management (SIEM) systems are used to monitor and analyze the security status of computer systems. However, SIEM systems face challenges such as data overload and the need for effective data selection.

Objectives. This research aims to develop a method for reducing the number of sets of Indicators of Compromise (IOCs) processed by SIEM systems while maintaining maximum coverage. The objectives include conducting a literature review on IOCs processing and data reduction, preparing data from the Open Threat Exchange (OTX) platform, developing a method for minimizing IOCs sets, and evaluating the effectiveness of the proposed solution.

Methods. The evaluation of the methods is performed numerically using a Fuzzy Table. The research also involves developing a mathematical model that describes the relationships between different types of IOCs and the possibility of various representations for the same object. The model takes into account weight assignment to each indicator. Software implementation is carried out. The effectiveness of the developed method is evaluated using metrics such as the coverage of the initial set of IOCs and the data reduction rate.

Results. Unfortunately, none of the methods fully met all the criteria. Fuzzy logic was selected as the decision-making approach. A mathematical data model was developed to represent IOCs and associated pulses as sets. Dependencies were described to filter out duplicate indicators. Implementation was done using the Python programming language. Three algorithms were implemented: Set cover problem, Weighted coverage maximization, and Budget cover problem. Tests were conducted on the entire data set and subsets to analyze performance. The number of IOCs decreased from 4115 to 3341, representing a reduction of 25.5% to 93% according to the Total data reduction metric.

Conclusions. Overall, the developed method reduced information and minimized indicator sources, offering a valuable approach for reducing data in IOC processing.
2. Understanding the behaviour of IOCs during their lifecycle

Godavarti, Navya sree, Modali, Sivani January 2022 (has links)
An indicator of compromise is a digital artefact that detects data compromise. They sense the compromise happening, trace the intrusion and collect data. This data includes breached data and the address. All indicators have a limited lifetime, during which they work best at their peak. Once the indicator starts decaying, its performance deteriorates, meaning there is an increase in false alarms of compromise. The most influential parameters in the performance of an IOC are related pulse, alerts, file score and IDS. These parameters influence both the working and the decay of an indicator. But the relation between these is unknown; therefore, this thesis investigates the nature of the correlation between these parameters. Evaluating an IOC and its performance or decay is essential, as these determine the quality of an indicator, known as confidence in cybersecurity. In cybersecurity management, confidence (quality) is crucial in preventing or detecting threats. By understanding an IOC's performance and decay, we can determine its confidence level. A model has been generated to find confidence levels, and this thesis aims to improve those models. Here, the thesis proposes a case study to find the relation between the parameters and to use the findings in building an improved model for finding the confidence level.
3. Improving the precision of an Intrusion Detection System using Indicators of Compromise: a proof of concept

Lejonqvist, Gisela, Larsson, Oskar January 2018 (has links)
The goal of this research is to improve an IDS so that the percentage of true positives is high, so that an organisation can cut time and cost and use its resources in a more optimal way. The research goal was to prove that the precision of an intrusion detection system (IDS), in terms of producing a lower rate of false positives or a higher rate of true alerts, can be improved by parsing indicators of compromise (IOC) to gather information that, combined with system-specific knowledge, forms a solid base for manual fine-tuning of IDS rules. The methodology used is Design Science Research Methodology (DSRM), because it is used for research that aims to answer an existing problem with a new or improved solution. Part of that solution is a proposed process for tuning an arbitrary intrusion detection system. The implemented and formalized process, Tuned Intrusion Detection System (TIDS), was designed during this research work, aiding us in presenting and performing validation tests in a structured and robust way. The testbed consisted of a Windows 10 operating system and a NIDS implementation of Snort as the IDS. The work was experimental, with IDS rules and tools evaluated and improved over several iterations. Using recorded data traffic from the public dataset CTU-13, the difference between tuned and un-tuned rules in an IDS was presented in terms of the precision of the alerts created by the IDS. Our contributions were that the concept holds: the precision can be improved by adding custom rules based on known parameters in the network and features of the network traffic, and by disabling rules that are out of scope. The second contribution is the TIDS process, as designed during the thesis work, which served us well throughout.
4. Sběr indikátorů kompromitace z operačních systémů / Collecting Indicators of Compromise from Operating Systems

Procházka, Jiří January 2019 (has links)
The focus of this thesis is the design and implementation of an application for gathering indicators of compromise from systems. The thesis introduces the term indicator of compromise and describes commonly used categories. Next, there is a summary of existing tools with a similar focus. The thesis lists some existing formats for sharing indicators of compromise and explains the selection of the format that the resulting application uses. After implementation, the application was tested both locally and on the infrastructure of a cyber exercise.