| Size: | Format: |
|---|---|
| 1.31 MB | Adobe PDF |
Abstract(s)
Log monitoring and analysis play a fundamental role in cybersecurity, being the main source of information for detecting, investigating and preventing incidents. However, the growing complexity of technological infrastructures, together with the volume and diversity of the records generated, makes this task demanding and often associated with high technical and financial costs. Although robust solutions exist on the market, they sometimes prove ill-suited to the reality of small and medium-sized enterprises, which have neither specialized teams nor the financial resources to maintain this type of platform.

The main objective of this project was therefore to develop a solution that is simple in terms of functionality and easy to install, allowing any institution to analyse logs continuously and generate automatic alerts for alarming events. To this end, a demonstrative prototype was designed that integrates the collection of records, their processing and enrichment with contextual data, and the application of analysis rules based on frequency, semantics and correlation.

The results obtained confirmed the viability of the system, making it possible to identify suspicious behaviour in Apache and authentication logs, such as brute-force attempts, probing of administrative directories, repetitive accesses, and correlations between failed logins followed by successful authentications. IP address reputation and geolocation analysis contributed to a more complete contextualization, raising the precision of alert classification.
Log monitoring and analysis play a fundamental role in Cybersecurity, representing a primary source of information for the detection, investigation, and prevention of incidents. However, the increasing complexity of technological infrastructures, together with the growing volume and diversity of generated records, makes this task highly demanding and often associated with significant technical and financial costs. Although robust solutions are available on the market, they are frequently unsuited to the reality of small and medium-sized enterprises, which typically lack specialized teams or the financial resources to maintain such platforms. The main objective of this project was therefore the development of a solution that is simple in terms of functionality and easy to install, enabling any institution to perform continuous log analysis and automatically generate alerts for alarming events. To achieve this, a demonstrative prototype was designed that integrates log collection, processing and enrichment with contextual data, as well as the application of analysis rules based on frequency, semantics, and correlation. The results obtained confirmed the feasibility of the proposed system, allowing the identification of suspicious behaviors in Apache and authentication logs, such as brute force attempts, administrative directory exploration, repetitive access patterns, and correlations between failed logins followed by successful authentications. The integration of IP reputation and geolocation data further enhanced the contextual analysis, improving the accuracy of alert classification.
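As an added illustration (not code from the thesis or its prototype), the following Python sketch applies the frequency and correlation rules the abstract describes to constructed sshd-style authentication lines: the frequency rule fires when one IP accumulates five failures inside 60 seconds, and the correlation rule fires when a successful login follows such a burst from the same IP. The threshold, window and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd authentication lines (not taken from the thesis).
AUTH_LOG = """\
Mar 10 10:00:01 host sshd[1]: Failed password for root from 203.0.113.5 port 5001 ssh2
Mar 10 10:00:03 host sshd[1]: Failed password for root from 203.0.113.5 port 5002 ssh2
Mar 10 10:00:05 host sshd[1]: Failed password for admin from 203.0.113.5 port 5003 ssh2
Mar 10 10:00:07 host sshd[1]: Failed password for admin from 203.0.113.5 port 5004 ssh2
Mar 10 10:00:09 host sshd[1]: Failed password for admin from 203.0.113.5 port 5005 ssh2
Mar 10 10:00:40 host sshd[1]: Accepted password for admin from 203.0.113.5 port 5006 ssh2
Mar 10 10:05:00 host sshd[1]: Failed password for bob from 198.51.100.7 port 6001 ssh2
Mar 10 10:05:30 host sshd[1]: Accepted password for bob from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

def parse(text, year=2024):
    """Turn raw lines into (timestamp, outcome, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, threshold=5, window=60):
    """Frequency rule: `threshold` failures from one IP within `window` seconds.
    Correlation rule: a success from an IP whose failures in the window reached the threshold."""
    alerts = []
    failures = defaultdict(list)  # ip -> failure timestamps still inside the window
    for ts, outcome, user, ip in sorted(events):
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # fire once, when the burst crosses the threshold
                alerts.append(("brute_force", ip, user))
        elif len(recent) >= threshold:
            alerts.append(("fail_then_success", ip, user))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(AUTH_LOG)):
        print(alert)
```

The single failure from 198.51.100.7 followed by a success stays below the threshold and produces no alert, which is the distinction the correlation rule is meant to draw.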
Keywords
Computer engineering; Cybersecurity in enterprises; Enterprises; Logs; IoT devices
