WO2020190294A1 - Security personnel training using automatic log creation resulting from white hacking - Google Patents

Info

Publication number
WO2020190294A1
Authority
WO
WIPO (PCT)
Application number
PCT/US2019/023280
Other languages
French (fr)
Inventor
Shmuel Ur
Ran LEHR
Original Assignee
Xinova, LLC
Classifications

    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09B EDUCATIONAL OR DEMONSTRATION APPLIANCES; APPLIANCES FOR TEACHING, OR COMMUNICATING WITH, THE BLIND, DEAF OR MUTE; MODELS; PLANETARIA; GLOBES; MAPS; DIAGRAMS
    • G09B7/00 Electrically-operated teaching apparatus or devices working with questions and answers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Definitions

  • a cyber-attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter, or destroy data or information systems.
  • In today’s highly networked and computerized environment, a large number of systems deal with an even larger number of threats every day.
  • The variety and complexity of solutions increases too, making it more difficult for some systems to protect themselves.
  • One of the first lines of defense against cyber-attacks is detecting an attack as it happens.
  • An entire industry is dedicated to monitoring events happening in organizations and finding suspicious ones.
  • a typical approach includes monitoring logs of events and finding suspicious behavior.
  • logs of events may be collected.
  • the logs may be very large, and therefore, generally not machine readable.
  • a number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, insufficiently trained security personnel may miss signs of an attack among the large amount of data they typically review.
  • the present disclosure generally describes techniques for security personnel training through automatic log creation resulting from white hacking.
  • An example method may include capturing one or more activities associated with a white hacker attack; generating one or more logs from the captured one or more activities; combining the generated one or more logs with a plurality of security logs; providing the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receiving an identification of the white hacker attack from the security personnel; and confirming that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • An example computing device may include a communication device configured to communicate with a plurality of components of a protected network; a memory configured to store instructions; and a processor coupled to the communication device and the memory.
  • the processor in conjunction with the instructions stored on the memory, may be configured to receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • An example system may include a first protected network component, a second protected network component, and a third protected network component.
  • the first protected network component may be configured to generate a plurality of security logs.
  • the second protected network component may be configured to receive the plurality of security logs from the first protected network component; receive captured one or more activities associated with a white hacker attack; generate one or more logs from the received one or more activities; combine the plurality of security logs with the generated one or more logs; and mark one or more portions of the combined logs to indicate locations of the generated one or more logs.
  • the third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack, where the marked one or more portions of the combined logs are undetectable to the security personnel; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • FIG. 1 includes a conceptual illustration of a protected network where logs based on real or fake attacks may be used to train security personnel;
  • FIG. 2 includes a conceptual illustration of combination of real, fake, and white hacker attacks to train security personnel;
  • FIGS. 3A through 3C include conceptual illustrations of different configurations for combination of white hacker attack generated logs with other logs to train security personnel;
  • FIG. 4 includes an illustration of major components in combination of white hacker attack generated logs with other logs to train security personnel;
  • FIG. 5 illustrates a computing device, which may be used to manage combination of real, fake, and white hacker attacks to train security personnel;
  • FIG. 6 is a flow diagram illustrating an example method to combine real, fake, and white hacker attacks to train security personnel that may be performed by a computing device such as the computing device in FIG. 5; and
  • FIG. 7 illustrates a block diagram of an example computer program product, some of which are arranged in accordance with at least some embodiments described herein.
  • This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to security personnel training through automatic log creation resulting from white hacking.
  • security personnel training may be supplemented by capturing one or more activities associated with a white hacker attack, generating one or more logs from the captured one or more activities, and combining the generated one or more logs with a plurality of security logs.
  • the combined logs may be provided for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack.
  • An identification of the white hacker attack may be received from the security personnel and the identification of the white hacker attack may be confirmed as correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • FIG. 1 includes a conceptual illustration of a protected network where logs based on real or fake attacks may be used to train security personnel, in accordance with at least some embodiments described herein.
  • Diagram 100 shows an example protected network with example components. Networks (or computer systems) may be of any size and include a variety of types and numbers of components including sub-networks. The example protected network in diagram 100 may communicate with other networks and devices represented by external networks 102 through a switch 104. A firewall device 106 may provide a first line of protection for the protected network against external attacks.
  • the protected network may include a number of generic or special purpose components such as server 108, router 110, bridge 112, and sub-network 120.
  • Server 114, computer 116, printer 118, and similar devices may be connected to the protected network through sub-network 120.
  • Other example components may include server farm 124, database server 122, wireless bridge 126, and user devices 130, which may connect to the protected network wirelessly (128) through the wireless bridge 126.
  • An administrative server 132 may be configured to manage security operations, detecting events and data exchanges through the external networks 102, switch 104, and firewall 106.
  • the administrative server 132 may employ various threat detection tools 134 and also provide logs to a security personnel 138 for training.
  • the security personnel 138 may connect to the administrative server 132 through a computing device 136 to oversee the security operations, analyze reports, and perform other tasks.
  • When a white hacker attack 101 is launched against the protected network, it may take many different forms and affect different components.
  • the administrative server 132 may capture one or more activities associated with the white hacker attack 101, generate one or more logs from the captured one or more activities, and combine the generated one or more logs with a plurality of security logs.
  • the combined logs may be used for training of the security personnel 138 such that the security personnel 138 is capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack 101.
  • An identification of the white hacker attack 101 may be received from the security personnel 138 and the identification of the white hacker attack 101 may be confirmed as correct by comparing tagged logs by the security personnel 138 to the generated one or more logs.
  • a typical approach in defending an organization against cyber-attacks includes monitoring logs of events and finding suspicious behavior.
  • logs generated from such planned attacks may be mixed with regular security logs and used to train security personnel.
  • white hacker attack logs may also be varied in different aspects to enhance the training.
  • Various components of the example protected network may communicate over wired or wireless links in a number of topographic configurations. Any number of
  • Some components may be purely hardware, other components may be implemented as purely software. Yet other components may be embodied as a combination of hardware and software.
  • the example components and configurations described herein are for illustration purposes only and are not intended to provide limitation on embodiments.
  • FIG. 2 includes a conceptual illustration of combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some
  • Diagram 200 shows how different sources can be combined to create training material for a security personnel 230.
  • a security monitoring system 202 may generate logs 204 from monitored security operations such as activities associated with a protected network.
  • the logs 204 may also include logs 206 of real attacks.
  • Fake attack logs 220 may be generated through a fake attack log generation process 218 from old real attacks 212, white hacker attacks 214, and fake attacks 216.
  • For white hacker attacks 214, there may be a recording and feedback process 215, where activities associated with a white hacker attack are recorded and feedback is optionally provided to the white hacker regarding successful detection of their attacks.
  • the fake attack logs 220 may be combined with the logs 204 resulting in merged logs 222.
  • the merged logs 222 may include intermixed real attack logs 225 and fake attack logs 223A and 223B.
  • the fake attack logs 223A and 223B may be marked (224A and 224B) in an invisible manner to the security personnel 230 for a more realistic training.
  • the security monitoring system 202 may simply compare logs tagged by the security personnel 230 with the marked logs and confirm accuracy of the security personnel’s identification of attacks.
  • the merged logs may be processed, for example, summarized 226, and the summary of the merged logs 228 may be provided for the security personnel 230 for training.
  • Attacks that may be encountered by the protected network may include a denial-of-service (DoS) attack, a distributed denial-of-service (DDoS) attack, a man-in-the-middle (MitM) attack, a phishing attack, a spear phishing attack, a drive-by attack, a password attack, a sequential query language (SQL) injection attack, a cross-site scripting (XSS) attack, an eavesdropping attack, a birthday attack, a malware attack, or similar ones directed to the protected network.
  • a number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, an efficiency of security personnel in detecting attacks can be increased through education and repeated training. The higher number of logs associated with attacks and higher variety of logs a security personnel is exposed to, the higher is the likelihood they will catch the next attack.
  • An event processing (“summarizing”) application that monitors attacks and outputs a human readable summary (e.g., text, graphs, etc.) for the security personnel to review may secretly mark any event created from log events that are created by a white hacker. The secret marks may not be visible, at first, to the security personnel. Thus, the security personnel may review a unified system of real data combined with the white hacker attack data. This way, the security personnel may be trained on finding attacks, while still being able to identify whether each event or log is real or not.
  • a security monitor system or a white hacker may execute a “recorder” application (e.g., a client machine and/or a proxy server which may be used to attack remote servers).
  • the “recorder” application may track events or activities associated with the white hacker attack to the protected network, and the tracked data may be connected to the log generation. For example, when a white hacker is working (inside or outside the protected network), they may be working inside a shell connected to a log generation system such that any log of their work is marked as a white hacker associated event. Other logs may be regarded as regular logs of the system. This may be especially relevant if the white hacker bypasses a normal tracking or authorization mechanism (e.g., when the white hacker takes the role of root). Thus, the white hacker may be posing as an administrator, but the logs generated may still be attributed to the white hacker.
  • FIGS. 3A through 3C include conceptual illustrations of different configurations for combination of white hacker attack generated logs with other logs to train security personnel, arranged in accordance with at least some embodiments described herein.
  • a white hacker 301 may provide a white hacker attack in real time to the protected system 302 or stored white hacker attacks 306 may be provided on demand.
  • a server 310 may record activities associated with the white hacker attacks 306 and/or provide feedback (308) regarding identification of the attacks by a security personnel.
  • An administrative server 304 may manage security operations, for example detection and recording of security activities to generate logs.
  • the white hacker attack logs generated by the administrative server 304 may be provided to a server 316 configured to merge logs.
  • the server 316 may merge real activity logs (e.g., regular operation logs, real attack logs) with white hacker attack logs, old real attack logs 312, and/or fake attack logs 314.
  • a training server 330 may receive the merged logs from the server 316 and provide to the security personnel 338 through a client device 336, for example.
  • a new set of combined logs for training the security personnel may be generated by modifying one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the one or more portions of the generated one or more logs may be modified by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
  • a new set of combined logs for training the security personnel may be generated by executing a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • One or more dynamic attributes within the script may be replaced with a parameter and a value of the parameter may be inserted upon combination of the generated one or more logs with the plurality of security log events.
  • the combined logs may be summarized before being provided for security training by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
  • the security logs may be summarized before being combined with the generated one or more logs by identifying one or more portions of the plurality of security logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
  • the summarized combined logs and the summarized security logs may then be provided for the training of the security personnel such that the security personnel is capable of distinguishing detections of real attacks and white hacker attacks.
  • an administrative server 324 may perform security monitoring operations, log generation, and recording and/or feedback (322) associated with the white hacker attacks 306.
  • the administrative server 324 may combine real logs 305, old real attack logs 312, and fake attack logs 314 with white hacker attack logs 306.
  • one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
  • the confirmation of the correctness of the identification may also be provided to the security personnel or to a source of the white hacker attack.
  • the generated one or more logs may be combined with the plurality of security logs as the security logs are generated or subsequent to generation of the security logs.
  • One or more portions of the combined logs may be marked to indicate locations of the generated one or more logs, but the marked one or more portions of the combined logs may be undetectable to the security personnel for realistic training.
  • the security training may be provided for a human security personnel or an attack detection artificial intelligence (AI) module.
  • a computing device performing one or more of the actions described herein may be a component of a protected network that generates the plurality of security logs.
  • the computing device may also be a server outside of the protected network or a server configured to manage the security training.
  • the computing device may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
  • the above discussed tasks of managing security operations; monitoring activities associated with the protected system 302; generation of logs; and combination of real logs 305, old real attack logs 312, fake attack logs 314, and white hacker attack logs 306 may be performed by the administrative server 334.
  • the administrative server 334 may also provide the combined logs to the security personnel 338 for training through a client device 336.
  • FIG. 4 includes an illustration of major components in combination of white hacker attack generated logs with other logs to train security personnel, arranged in accordance with at least some embodiments described herein.
  • Diagram 400 shows a white hacker 402 may provide white hacker attack 404 to the protected system 408. Activities associated with the white hacker attack 404 may be recorded (406) and provided to log generation 412, where white hacker attack logs 414 are generated based on the recorded activities.
  • the white hacker attack logs 414 may be combined with real logs 410 of activities from the protected system 408 (e.g., real attack logs) at log merger 416.
  • other attack logs 418 such as fake attack logs or old real attack logs may also be combined with the real logs 410 and white hacker attack logs 414.
  • the combined logs may be provided for training 420 of the security personnel 422.
  • the white hacker 402 may receive feedback 424 in the form of recorded activities, responses from the protected system 408, and/or identification of the white hacker attack(s) by the security personnel 422 during training 420.
  • the raw logs may be too big for humans to go through.
  • the logs may be passed through a “summarizing” process, which may identify events of interest to the security personnel and potential threats using automated analysis tools (e.g., artificial intelligence algorithms).
  • the tools may not be able to identify which logs are created by the white hacker and which logs are not.
  • the output of the summarizing process may include actionable summaries that the security operators can review to identify attacks.
  • When the attack is real, options for different actions may be provided such as shutting down or isolating components or portions of the protected system, diverting the attack to a simulated deception network, etc.
  • the security operator may be allowed to check whether the attack is real only before taking an action in order to motivate the security personnel to pursue the attack source, regardless if the attack is real or not.
  • the summary process may be executed twice, once with white hacker attack logs combined with the real logs and once without the white hacker attack logs, in order to determine whether an attack identification is based on a real attack log, a white hacker attack log, or both.
  • white hacker attack logs may be hidden if a real attack is identified to help the security personnel focus on the real attack.
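The marking, merging, scoring and twice-run summary steps described above (invisible marks on the white hacker logs, a parameterised recorded attack script, comparison of the trainee's tagged lines with the marks, and running the summary with and without the white hacker logs), as an added Python example that is not part of the patent or any product it describes. All log lines, host names, addresses, parameter names, the secret key and the two toy alert rules are constructed for this illustration.

```python
"""Constructed example: merge white-hacker attack logs into real security logs with
marks the trainee cannot see, score the trainee's tags against those marks, and run
the summary twice to attribute each alert to real or white-hacker logs."""
import hashlib
import hmac
import re

# Constructed "real" security logs from the protected network. The two failed root
# logins from 198.51.100.7 stand in for a real (non-white-hacker) attack.
REAL_LOGS = [
    "2019-03-20T10:00:01Z host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2019-03-20T10:00:07Z host1 sshd[2202]: Failed password for root from 198.51.100.7 port 40011",
    "2019-03-20T10:00:09Z host1 sshd[2203]: Failed password for root from 198.51.100.7 port 40012",
    "2019-03-20T10:01:30Z host2 cron[911]: (root) CMD (/usr/lib/backup.sh)",
    "2019-03-20T10:02:14Z host2 nginx: 10.0.0.8 GET /index.html 200",
]

# Constructed script of recorded white-hacker activity. Dynamic attributes (server
# identifier, source IP, file name) are left as parameters so one recording can be
# rendered into many training variants.
WHITE_HACKER_SCRIPT = [
    ("2019-03-20T10:01:02Z", "{target} sshd[2310]: Accepted password for admin from {src_ip} port 43110"),
    ("2019-03-20T10:01:05Z", "{target} sudo: admin : TTY=pts/1 ; COMMAND=/bin/cat {file}"),
    ("2019-03-20T10:01:11Z", "{target} sftp-server[2315]: sent file {file} to {src_ip}"),
]


def render_white_logs(script, params):
    """Instantiate the parameterised script with concrete values (one training variant)."""
    return [f"{ts} {template.format(**params)}" for ts, template in script]


def mark(line, key):
    """Invisible mark: a keyed hash kept in a side table, never written into the log text."""
    return hmac.new(key, line.encode("utf-8"), hashlib.sha256).hexdigest()


def merge_logs(real_logs, white_logs, key):
    """Interleave by timestamp (first field). Returns (lines the trainee sees, mark set)."""
    marks = {mark(line, key) for line in white_logs}
    merged = sorted(real_logs + white_logs, key=lambda line: line.split(" ", 1)[0])
    return merged, marks


def score_tags(tagged_lines, marks, key):
    """Compare the trainee's tagged lines with the hidden marks of the white-hacker lines."""
    tagged = {mark(line, key) for line in tagged_lines}
    return {
        "white_found": len(tagged & marks),
        "white_missed": len(marks - tagged),
        # Tagged lines that are not white-hacker lines may be real attacks; see attribute_alerts.
        "tagged_not_white": len(tagged - marks),
    }


FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
ADMIN_RE = re.compile(r"Accepted password for admin from (\S+)")


def summarize(lines):
    """Toy stand-in for the page's summarizing tools: two simple alert rules (constructed)."""
    failures, alerts = {}, set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] = failures.get(m.group(1), 0) + 1
            if failures[m.group(1)] >= 2:
                alerts.add(f"brute-force from {m.group(1)}")
        m = ADMIN_RE.search(line)
        if m and not m.group(1).startswith("10."):
            alerts.add(f"external admin login from {m.group(1)}")
    return alerts


def attribute_alerts(real_logs, white_logs):
    """Run the summary twice, with and without the white-hacker logs. An alert that survives
    removal of the white-hacker logs is backed by real logs ('real'); otherwise 'white'."""
    with_white = summarize(real_logs + white_logs)
    without = summarize(real_logs)
    return {alert: ("real" if alert in without else "white") for alert in with_white}


if __name__ == "__main__":
    key = b"training-server-secret"  # constructed; held only by the training server
    white = render_white_logs(
        WHITE_HACKER_SCRIPT,
        {"target": "host1", "src_ip": "203.0.113.9", "file": "/srv/data/customers.db"},
    )
    merged, marks = merge_logs(REAL_LOGS, white, key)
    print("\n".join(merged))  # what the trainee reviews: no visible marking
    # The trainee tags the two failed root logins, the admin login and the file transfer.
    tagged = [merged[i] for i in (1, 2, 3, 5)]
    print(score_tags(tagged, marks, key))
    print(attribute_alerts(REAL_LOGS, white))
```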
  • the protected system may include any software, firmware, or middleware executed by any component of the protected system, operating systems, as well as hardware components such as a router, a server, a firewall device, a peripheral device, a storage device, an internal network, a desktop computer, a laptop computer, a wearable computer, a vehicle mount computer, or a tablet device within the protected system.
  • FIG. 5 illustrates a computing device, which may be used to manage combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some embodiments described herein.
  • the computing device 500 may include one or more processors 504 and a system memory 506.
  • a memory bus 508 may be used to communicate between the processor 504 and the system memory 506.
  • the basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
  • the processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof.
  • the processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516.
  • the example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof.
  • An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
  • the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof.
  • the system memory 506 may include an operating system 520, a security management application 522, and program data 524.
  • the security management application 522 may include an attack recording module 526.
  • the attack recording module 526 in conjunction with the security management application 522 may be configured to capture or receive captured one or more activities associated with a white hacker attack and generate one or more logs from the captured one or more activities.
  • the generated one or more logs may be combined with a plurality of security logs, which may then be provided for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack.
  • the security management application 522 may receive an identification of the white hacker attack from the security personnel and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • the program data 524 may include attack logs 528 such as a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, a permission modification, etc., among other data, as described herein.
  • the computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces.
  • a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534.
  • the data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a
  • Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few.
  • Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • the system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
  • the computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530.
  • Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548.
  • One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558.
  • An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564.
  • the one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.
  • the network communication link may be one example of a communication media.
  • Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
  • A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media.
  • the term computer readable media as used herein may include non-transitory storage media.
  • the computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions.
  • the computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
  • FIG. 6 is a flow diagram illustrating an example method to combine real, fake, and white hacker attacks to train security personnel that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
  • Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, 628, 630, and 632, which may in some embodiments be performed by a computing device such as the computing device 500 in FIG. 5. Such operations, functions, or actions in FIG. 6 and in the other figures, in some embodiments, may be combined, eliminated, modified, and/or supplemented with other operations, functions or actions, and need not necessarily be performed in the exact sequence as shown.
  • the operations described in the blocks 622-632 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
  • An example process to modify security logs to provide security training through white hacking based automatic log creation may begin with block 622, “RECEIVE CAPTURED ONE OR MORE ACTIVITIES ASSOCIATED WITH A WHITE HACKER ATTACK”, where the captured activities may include one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
  • the activities may be captured as part of a white hacker attack directed at a protected network or as part of a white hacker attack directed to a mirror system dedicated to receiving white hacker attacks.
  • the logs associated with the white hacker attack may be received from the source of the white hacker attack instead of being generated from captured activities.
  • Block 622 may be followed by block 624, “GENERATE ONE OR MORE LOGS FROM THE CAPTURED ONE OR MORE ACTIVITIES”, where logs of the white hacker attack may be generated.
  • a new set of logs for training the security personnel may be generated by modifying one or more portions of the white hacker attack logs.
  • the portions of the generated one or more logs may be modified by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
  • Block 624 may be followed by block 626, “COMBINE THE GENERATED ONE OR MORE LOGS WITH A PLURALITY OF SECURITY LOGS”, where the logs generated from the white hacker attack are combined with logs of regular security operations (e.g., non-suspicious activities associated with the protected network).
  • the combined logs may be summarized before being provided for security training by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
  • Block 626 may be followed by block 628, “PROVIDE THE COMBINED LOGS FOR TRAINING OF SECURITY PERSONNEL SUCH THAT THE SECURITY PERSONNEL ARE CAPABLE OF REVIEWING THE COMBINED LOGS TO IDENTIFY AND TAG THE ONE OR MORE LOGS ASSOCIATED WITH THE WHITE HACKER ATTACK”, where the combined logs (usually a summarized version) may be provided to the security personnel for review and training. The security personnel may be expected to tag logs they believe are results of an attack. In some examples, one or more portions of the combined logs may be marked to indicate locations of the generated one or more logs, but the marked one or more portions of the combined logs may be undetectable to the security personnel for realistic training.
  • Block 628 may be followed by block 630, “RECEIVE AN IDENTIFICATION OF THE WHITE HACKER ATTACK FROM THE SECURITY PERSONNEL”, where identified logs and/or an identification of the attack may be received from the security personnel in training.
  • one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
  • Block 630 may be followed by block 632, “CONFIRM THAT THE IDENTIFICATION OF THE WHITE HACKER ATTACK IS CORRECT BY COMPARING TAGGED LOGS BY THE SECURITY PERSONNEL TO THE GENERATED ONE OR MORE LOGS”, where the system may confirm that the security personnel in training has actually detected the white hacker attack. The confirmation of the correctness of the identification may also be provided to a source of the white hacker attack as feedback.
  • FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
  • a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein.
  • the security management application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with the control and implementation of combination of real, fake, and white hacker attacks to train security personnel as described herein.
  • Some of those instructions may include, for example, receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and/or confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs, according to some embodiments described herein.
  • the signal bearing medium 702 depicted in FIG. 7 may encompass computer-readable medium 706, such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media.
  • the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc.
  • the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
  • An example method may include capturing one or more activities associated with a white hacker attack; generating one or more logs from the captured one or more activities; combining the generated one or more logs with a plurality of security logs; providing the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receiving an identification of the white hacker attack from the security personnel; and confirming that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • capturing the one or more activities associated with the white hacker attack may include capturing one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
  • Capturing the one or more activities associated with the white hacker attack may also include capturing the one or more activities at a protected network or receiving the captured one or more activities from a white hacker attack directed to a mirror system dedicated to receiving white hacker attacks.
  • Capturing the one or more activities associated with the white hacker attack may further include receiving a plurality of logs associated with the white hacker attack from the source of the white hacker attack.
  • the method may also include generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the method may further include generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
  • the method may also include generating a new set of combined logs for training the security personnel by executing a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the method may further include summarizing the combined logs before providing the combined logs by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
  • the method may also include summarizing the plurality of security logs before combining with the generated one or more logs by identifying one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; removing the one or more portions identified as irrelevant for the training of the security personnel; and providing the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
  • the method may also include providing one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
  • the method may further include providing the confirmation to the security personnel or providing the confirmation to a source of the white hacker attack.
  • Combining the generated one or more logs with the plurality of security logs may include combining the generated one or more logs with the plurality of security logs as the security logs are generated. Combining the generated one or more logs with the plurality of security logs may also include combining the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
  • An example computing device may include a communication device configured to communicate with a plurality of components of a protected network; a memory configured to store instructions; and a processor coupled to the communication device and the memory.
  • the processor in conjunction with the instructions stored on the memory, may be configured to receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • the captured one or more activities may include one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
  • the processor may be further configured to mark one or more portions of the combined logs to indicate locations of the generated one or more logs, wherein the marked one or more portions of the combined logs are undetectable to the security personnel.
  • the white hacker attack may be directed to the protected network or a mirror system dedicated to receiving white hacker attacks.
  • the processor may be further configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the processor may also be configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
  • the processor may be further configured to generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the processor may also be configured to replace one or more dynamic attributes within the script with a parameter; and insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events.
  • the processor may be further configured to summarize the combined logs before providing for security personnel training through identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and removal of the one or more portions identified as irrelevant for the training of the security personnel.
  • the processor may be further configured to summarize the plurality of security logs before combining with the generated one or more logs through identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; removal of the one or more portions identified as irrelevant for the training of the security personnel; and provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
  • the processor may also be configured to provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs; provide the confirmation to the security personnel; or provide the confirmation to a source of the white hacker attack.
  • the processor may be configured to combine the generated one or more logs with the plurality of security logs as the security logs are generated.
  • the processor may also be configured to combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
  • the security training may be provided for security personnel or an attack detection artificial intelligence (AI) module.
  • the computing device may be a component of the protected network that generates the plurality of security logs, a server outside of the protected network, or a server configured to manage the security training.
  • An example system may include a first protected network component, a second protected network component, and a third protected network component.
  • the first protected network component may be configured to generate a plurality of security logs.
  • the second protected network component may be configured to receive the plurality of security logs from the first protected network component; receive captured one or more activities associated with a white hacker attack; generate one or more logs from the received one or more activities; combine the plurality of security logs with the generated one or more logs; and mark one or more portions of the combined logs to indicate locations of the generated one or more logs.
  • the third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack, where the marked one or more portions of the combined logs are undetectable to the security personnel; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
  • the white hacker attack may be directed to the protected network or a mirror system dedicated to receiving white hacker attacks.
  • the second protected network component may be further configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the second protected network component may also be configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
  • the second protected network component may be further configured to generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
  • the second protected network component may be further configured to replace one or more dynamic attributes within the script with a parameter; and insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events.
  • the second protected network component may also be configured to summarize the combined logs before providing for security personnel training through identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and removal of the one or more portions identified as irrelevant for the training of the security personnel.
  • the second protected network component may be further configured to summarize the plurality of security logs before combining with the generated one or more logs through identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; removal of the one or more portions identified as irrelevant for the training of the security personnel; and provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
  • the third protected network component may be further configured to provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs; provide the confirmation to the security personnel; or provide the confirmation to a source of the white hacker attack.
  • the second protected network component may be further configured to combine the generated one or more logs with the plurality of security logs as the security logs are generated.
  • the second protected network component may also be configured to combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
  • the security training may be provided for security personnel or an attack detection artificial intelligence (AI) module.
  • the first protected network component, the second protected network component, or the third protected network component may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
  • Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • a data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
  • a data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems.
  • the herein described subject matter sometimes illustrates different components contained within, or connected with, different other components.
  • Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality.
  • any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved.
  • any two components herein combined to achieve a particular functionality may be seen as "associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components.
  • any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable”, to each other to achieve the desired functionality.
  • operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
  • ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
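The script-based log modification described in the bullets above (altering a file name, server identifier or source IP address of the recorded white hacker logs, replacing such dynamic attributes in the script with a parameter, and inserting the parameter's value when the logs are combined for a new session) as an added Python example. This is not code from the patent or its assignee; the line format "<ts> <host> <type> key=value ...", the parameter names `server`, `src_ip` and `file_name`, and the three recorded lines are constructed for the example.

```python
# Constructed sample: attack log lines recorded during one sanctioned white
# hacker exercise (not data from the patent).  Format is an assumption:
# "<unix ts> <host> <type> key=value ...".
RECORDED_ATTACK_LOGS = [
    "1700000005 srv-12 login_attempt src=203.0.113.7 user=svc_backup result=fail",
    "1700000009 srv-12 login_attempt src=203.0.113.7 user=svc_backup result=success",
    "1700000031 srv-12 file_access src=203.0.113.7 path=/srv/finance/q3.xlsx",
]

# key=value tokens treated as dynamic attributes, mapped to parameter names
# (the host field at position 1 is the "server identifier" and is handled
# positionally).  Assumed names for this example.
DYNAMIC_KV = {"src": "src_ip", "path": "file_name"}


def make_script(attack_logs):
    """Turn recorded attack logs into a replayable script.

    Every dynamic attribute is replaced by a {parameter} placeholder and the
    timestamps become offsets from the first line, so the same attack shape
    can be re-inserted with different values and at a different time.
    Returns (template lines, dict of the originally recorded values)."""
    templates, originals = [], {}
    first_ts = int(attack_logs[0].split(" ", 1)[0])
    for line in attack_logs:
        tokens = line.split(" ")
        tokens[0] = str(int(tokens[0]) - first_ts)          # relative time
        originals.setdefault("server", tokens[1])
        tokens[1] = "{server}"
        for i in range(3, len(tokens)):                     # key=value part
            key, sep, value = tokens[i].partition("=")
            if sep and key in DYNAMIC_KV:
                originals.setdefault(DYNAMIC_KV[key], value)
                tokens[i] = f"{key}={{{DYNAMIC_KV[key]}}}"
        templates.append(" ".join(tokens))
    return templates, originals


def instantiate(templates, originals, overrides, base_ts):
    """Insert parameter values at combination time.

    Any parameter not overridden falls back to the recorded value, so a
    partial override (for example only a new source IP) is still complete.
    base_ts is the unix time at which the replayed attack should start."""
    values = {**originals, **overrides}
    out = []
    for template in templates:
        offset, rest = template.split(" ", 1)
        out.append(f"{base_ts + int(offset)} {rest.format_map(values)}")
    return out


def new_session_logs(recorded, overrides, base_ts):
    """Convenience wrapper: recorded logs -> script -> fresh attack logs."""
    templates, originals = make_script(recorded)
    return instantiate(templates, originals, overrides, base_ts)


if __name__ == "__main__":
    for line in new_session_logs(RECORDED_ATTACK_LOGS,
                                 {"server": "srv-40", "src_ip": "198.51.100.9"},
                                 1800000000):
        print(line)
```

Because `instantiate` falls back to the recorded values, replaying with an empty override reproduces the original lines exactly, which is a cheap self-check that the script captured every token. Values containing literal braces would confuse `str.format_map`; on real data escape them when building the template.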

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Business, Economics & Management (AREA)
  • Educational Technology (AREA)
  • General Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Technologies are generally described for security personnel training through automatic log creation resulting from white hacker attacks. In some examples, security personnel training may be supplemented by capturing one or more activities associated with a white hacker attack, generating one or more logs from the captured one or more activities, and combining the generated one or more logs with a plurality of security logs. The combined logs may be provided for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack. An identification of the white hacker attack may be received from the security personnel and the identification of the white hacker attack may be confirmed as correct by comparing tagged logs by the security personnel to the generated one or more logs.

Description

SECURITY PERSONNEL TRAINING USING AUTOMATIC LOG CREATION
RESULTING FROM WHITE HACKING
BACKGROUND
[0001] Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
[0002] A cyber-attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter, or destroy data or information systems. In today’s highly networked and computerized environment, a large number of systems deal with an even larger number of threats every day. As the types and severity of cyber-attacks increase, the variety and complexity of solutions increase too, making it more difficult for some systems to protect themselves.
[0003] One of the first lines of defense against cyber-attacks is detecting an attack as it happens. An entire industry is dedicated to monitoring events happening in organizations and finding suspicious ones. A typical approach includes monitoring logs of events and finding suspicious behavior. In a common flow of actions, logs of events may be collected. The logs may be very large, and therefore, generally not machine readable. A number of different tools may be employed to analyze the logs and generate a summary for security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, insufficiently trained security personnel may miss signs of an attack among the large amount of data they typically review.
SUMMARY
[0004] The present disclosure generally describes techniques for security personnel training through automatic log creation resulting from white hacking.
[0005] According to some examples, a method to supplement security personnel training through white hacking based automatic log creation is described. An example method may include capturing one or more activities associated with a white hacker attack; generating one or more logs from the captured one or more activities; combining the generated one or more logs with a plurality of security logs; providing the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receiving an identification of the white hacker attack from the security personnel; and confirming that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0006] According to other examples, a computing device to modify security logs to provide security training through white hacking based automatic log creation is described. An example computing device may include a communication device configured to communicate with a plurality of components of a protected network; a memory configured to store instructions; and a processor coupled to the communication device and the memory. The processor, in conjunction with the instructions stored on the memory, may be configured to receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0007] According to further examples, a system configured to modify security logs to provide security training through white hacking based automatic log creation is described. An example system may include a first protected network component, a second protected network component, and a third protected network component. The first protected network component may be configured to generate a plurality of security logs. The second protected network component may be configured to receive the plurality of security logs from the first protected network component; receive captured one or more activities associated with a white hacker attack; generate one or more logs from the received one or more activities; combine the plurality of security logs with the generated one or more logs; and mark one or more portions of the combined logs to indicate locations of the generated one or more logs. The third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack, where the marked one or more portions of the combined logs are undetectable to the security personnel; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0008] The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:
FIG. 1 includes a conceptual illustration of a protected network where logs based on real or fake attacks may be used to train security personnel;
FIG. 2 includes a conceptual illustration of combination of real, fake, and white hacker attacks to train security personnel;
FIGS. 3A through 3C include conceptual illustrations of different configurations for combination of white hacker attack generated logs with other logs to train security personnel;
FIG. 4 includes an illustration of major components in combination of white hacker attack generated logs with other logs to train security personnel;
FIG. 5 illustrates a computing device, which may be used to manage combination of real, fake, and white hacker attacks to train security personnel;
FIG. 6 is a flow diagram illustrating an example method to combine real, fake, and white hacker attacks to train security personnel that may be performed by a computing device such as the computing device in FIG. 5; and
FIG. 7 illustrates a block diagram of an example computer program product, some of which are arranged in accordance with at least some embodiments described herein.
DETAILED DESCRIPTION
[0010] In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. The aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.
[0011] This disclosure is generally drawn, inter alia, to methods, apparatus, systems, devices, and/or computer program products related to security personnel training through automatic log creation resulting from white hacking.
[0012] Briefly stated, technologies are generally described for security personnel training through automatic log creation resulting from white hacker attacks. In some examples, security personnel training may be supplemented by capturing one or more activities associated with a white hacker attack, generating one or more logs from the captured one or more activities, and combining the generated one or more logs with a plurality of security logs. The combined logs may be provided for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack. An identification of the white hacker attack may be received from the security personnel and the identification of the white hacker attack may be confirmed as correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0013] FIG. 1 includes a conceptual illustration of a protected network where logs based on real or fake attacks may be used to train security personnel, in accordance with at least some embodiments described herein.
[0014] Diagram 100 shows an example protected network with example components. Networks (or computer systems) may be of any size and include a variety of types and numbers of components including sub-networks. The example protected network in diagram 100 may communicate with other networks and devices represented by external networks 102 through a switch 104. A firewall device 106 may provide a first line of protection for the protected network against external attacks. The protected network may include a number of generic or special purpose components such as server 108, router 110, bridge 112, and sub-network 120. Server 114, computer 116, printer 118, and similar devices may be connected to the protected network through sub-network 120. Other example components may include server farm 124, database server 122, wireless bridge 126, and user devices 130, which may connect to the protected network wirelessly (128) through the wireless bridge 126.
[0015] An administrative server 132 may be configured to manage security operations detecting events and data exchanges through the external networks 102, switch 104, and firewall 106. The administrative server 132 may employ various threat detection tools 134 and also provide logs to a security personnel 138 for training. The security personnel 138 may connect to the administrative server 132 through a computing device 136 to oversee the security operations, analyze reports, and perform other tasks. When a white hacker attack 101 is launched against the protected network, it may take many different forms and affect different components. In a system according to embodiments, the administrative server 132 may capture one or more activities associated with the white hacker attack 101, generate one or more logs from the captured one or more activities, and combine the generated one or more logs with a plurality of security logs. The combined logs may be used for training of the security personnel 138 such that the security personnel 138 is capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack 101. An identification of the white hacker attack 101 may be received from the security personnel 138 and the identification of the white hacker attack 101 may be confirmed as correct by comparing tagged logs by the security personnel 138 to the generated one or more logs.
[0016] A typical approach in defending an organization against cyber-attacks includes monitoring logs of events and finding suspicious behavior. In a common flow of actions, logs of events may be collected. The logs may be very large and, therefore, generally not readable by a human reviewer in raw form. A number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, the efficiency of security personnel in detecting attacks can be increased through education and repeated training. The higher the number of attack-related logs and the greater the variety of logs a security personnel is exposed to, the higher the likelihood that they catch the next attack.
[0017] In practical situations, organizations may hire white hackers to penetrate security measures of the organization to understand vulnerabilities of different aspects of their security system. According to some embodiments, logs generated from such planned attacks may be mixed with regular security logs and used to train security personnel. Furthermore, white hacker attack logs may also be varied in different aspects to enhance the training.
[0018] Various components of the example protected network may communicate over wired or wireless links in a number of topographic configurations. Any number of communication and security protocols may be employed for parts of or the entire protected network. Some components may be purely hardware, other components may be implemented as purely software. Yet other components may be embodied as a combination of hardware and software. The example components and configurations described herein are for illustration purposes only and are not intended to provide limitation on embodiments.
[0019] FIG. 2 includes a conceptual illustration of combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some embodiments described herein.
[0020] Diagram 200 shows how different sources can be combined to create training material for a security personnel 230. A security monitoring system 202 may generate logs 204 from monitored security operations such as activities associated with a protected network. The logs 204 may also include logs 206 of real attacks. Fake attack logs 220 may be generated through a fake attack log generation process 218 from old real attacks 212, white hacker attacks 214, and fake attacks 216. In the case of white hacker attacks 214, there may be a recording and feedback process 215, where activities associated with a white hacker attack are recorded and feedback is optionally provided to the white hacker regarding successful detection of their attacks. The fake attack logs 220 may be combined with the logs 204, resulting in merged logs 222. In an example configuration, the merged logs 222 may include intermixed real attack logs 225 and fake attack logs 223A and 223B. In some examples, the fake attack logs 223A and 223B may be marked (224A and 224B) in a manner invisible to the security personnel 230 for a more realistic training. The security monitoring system 202 may simply compare logs tagged by the security personnel 230 with the marked logs and confirm the accuracy of the security personnel’s identification of attacks. The merged logs may be processed, for example, summarized 226, and the summary of the merged logs 228 may be provided to the security personnel 230 for training.
[0021] Attacks that may be encountered by the protected network may include a denial-of-service (DoS) attack, a distributed denial-of-service (DDoS) attack, a man-in-the-middle (MitM) attack, a phishing attack, a spear phishing attack, a drive-by attack, a password attack, a structured query language (SQL) injection attack, a cross-site scripting (XSS) attack, an eavesdropping attack, a birthday attack, a malware attack, or similar ones directed to the protected network.
[0022] A number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, an efficiency of security personnel in detecting attacks can be increased through education and repeated training. The higher number of logs associated with attacks and higher variety of logs a security personnel is exposed to, the higher is the likelihood they will catch the next attack.
[0023] In practical situations, organizations may hire white hackers to penetrate security measures of the organization to understand vulnerabilities of different aspects of their security system. According to some embodiments, logs generated from such planned attacks may be mixed with regular security logs and used to train security personnel. Furthermore, white hacker attack logs may also be varied in different aspects to enhance the training.
[0024] By using white hacker attacks to train security personnel, system vulnerabilities may be detected and security improved, and security personnel may be provided with known attacks to identify. An event processing (“summarizing”) application that monitors attacks and outputs a human readable summary (e.g., text, graphs, etc.) for the security personnel to review may secretly mark any event created from log events that are created by a white hacker. The secret marks may not be visible, at first, to the security personnel. Thus, the security personnel may review a unified system of real data combined with the white hacker attack data. This way, the security personnel may be trained on finding attacks, while the system is still able to identify whether each event or log is real or not.
[0025] A security monitor system or a white hacker may execute a “recorder” application (e.g., on a client machine and/or a proxy server which may be used to attack remote servers). The “recorder” application may track events or activities associated with the white hacker attack on the protected network, and the tracked data may be connected to the log generation. For example, when a white hacker is working (inside or outside the protected network), they may be working inside a shell connected to a log generation system such that any log of their work is marked as a white hacker associated event. Other logs may be regarded as regular logs of the system. This may be especially relevant if the white hacker bypasses a normal tracking or authorization mechanism (e.g., when the white hacker takes the role of root). Thus, the white hacker may be posing as an administrator, but the logs generated may still be attributed to the white hacker.
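The recorder, invisible marking and grading steps described in [0020], [0024] and [0025], as an added example in Python that is not part of the patent or of any applicant code. The keyed-hash mark, the host names, user names, IP addresses and log lines are all constructed for illustration; the design choice is that the trainee view carries no marker at all and the training server recognises its own injected events by recomputing a mark from the visible text:

```python
"""Added example (not part of the patent): a recorder that tags white hacker
activity at capture time, a merge that hides the tag from the trainee view while
keeping a server-side manifest of marks, and a grader that compares the trainee's
tagged lines with the manifest. All hosts, users and log lines are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Secret held by the training server only (constructed placeholder value).
MARK_KEY = b"training-server-secret"


@dataclass
class LogEvent:
    ts: int
    host: str
    msg: str
    white_hat: bool = False  # set by the recorder, never shown to the trainee


def recorder_shell(host: str, commands: list[tuple[int, str]],
                   actor: str = "root") -> list[LogEvent]:
    """Model of the 'recorder' shell: each command the white hacker runs is logged
    with the same wording an ordinary session would produce (here as root, so the
    text alone does not give the attacker away), but the event carries a
    white_hat flag because it came through the recorder."""
    return [LogEvent(ts, host, f"user={actor} cmd={cmd}", white_hat=True)
            for ts, cmd in commands]


def hidden_mark(ts: int | str, host: str, msg: str) -> str:
    """Keyed hash over the visible fields: the server can recognise its own injected
    events from the text the trainee hands back, without any visible marker."""
    data = f"{ts}|{host}|{msg}".encode()
    return hmac.new(MARK_KEY, data, hashlib.sha256).hexdigest()


def merge_logs(real: list[LogEvent], white: list[LogEvent]) -> tuple[list[str], set[str]]:
    """Interleave real and white hacker events by timestamp. Returns the plain-text
    trainee view (no tag of any kind) and the manifest of marks for injected events."""
    merged = sorted(real + white, key=lambda e: (e.ts, e.host))
    view = [f"{e.ts} {e.host} {e.msg}" for e in merged]
    manifest = {hidden_mark(e.ts, e.host, e.msg) for e in merged if e.white_hat}
    return view, manifest


def grade(tagged_lines: list[str], manifest: set[str]) -> dict[str, int]:
    """Compare the lines the trainee tagged with the manifest. 'unmarked' lines may
    be real attacks or false positives; the page leaves that check to a later step."""
    marks = set()
    for line in tagged_lines:
        ts, host, msg = line.split(" ", 2)
        marks.add(hidden_mark(ts, host, msg))
    return {"correct": len(marks & manifest),
            "missed": len(manifest - marks),
            "unmarked": len(marks - manifest)}


# Constructed sample input: ordinary activity plus one firewall deny.
REAL_LOGS = [
    LogEvent(100, "srv-08", "user=alice cmd=ls /home/alice"),
    LogEvent(101, "db-122", "login ok user=svc_backup"),
    LogEvent(103, "srv-08", "user=bob cmd=scp report.csv fileserver:/in"),
    LogEvent(105, "fw-106", "deny src=203.0.113.7 dst=10.0.0.5 port=22"),
]
# Constructed white hacker session captured through the recorder shell.
WHITE_LOGS = recorder_shell("srv-08", [
    (102, "tar czf /tmp/archive.tgz /var/backups"),
    (104, "scp /tmp/archive.tgz 198.51.100.9:/in"),
    (106, "crontab -l"),
])

if __name__ == "__main__":
    view, manifest = merge_logs(REAL_LOGS, WHITE_LOGS)
    print("\n".join(view))
    # A trainee tags two of the three injected lines plus the firewall deny.
    print(grade([view[2], view[4], view[5]], manifest))
```

Because the mark is a keyed hash over the visible fields rather than a stored flag, the same grader works whether the trainee hands back whole lines or a summary that preserves those fields, and nothing in the view distinguishes injected events from real ones.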
[0026] FIGS. 3A through 3C include conceptual illustrations of different configurations for combination of white hacker attack generated logs with other logs to train security personnel, arranged in accordance with at least some embodiments described herein.
[0027] In the example configuration of diagram 300A of FIG. 3A, a white hacker 301 may provide a white hacker attack in real time to the protected system 302, or stored white hacker attacks 306 may be provided on demand. A server 310 may record activities associated with the white hacker attacks 306 and/or provide feedback (308) regarding identification of the attacks by a security personnel. An administrative server 304 may manage security operations, for example detection and recording of security activities to generate logs. The white hacker attack logs generated by the administrative server 304 may be provided to a server 316 configured to merge logs. The server 316 may merge real activity logs (e.g., regular operation logs, real attack logs) with white hacker attack logs, old real attack logs 312, and/or fake attack logs 314. A training server 330 may receive the merged logs from the server 316 and provide them to the security personnel 338 through a client device 336, for example.
[0028] In some examples, a new set of combined logs for training the security personnel may be generated by modifying one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The one or more portions of the generated one or more logs may be modified by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack. Alternatively, a new set of combined logs for training the security personnel may be generated by executing a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. One or more dynamic attributes within the script may be replaced with a parameter and a value of the parameter may be inserted upon combination of the generated one or more logs with the plurality of security log events.
[0029] In other examples, the combined logs may be summarized before being provided for security training by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel. Alternatively, the security logs may be summarized before being combined with the generated one or more logs by identifying one or more portions of the plurality of security logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel. The summarized combined logs and the summarized security logs may then be provided for the training of the security personnel such that the security personnel is capable of distinguishing detections of real attacks and white hacker attacks.
[0030] In the example configuration of diagram 300B of FIG. 3B, an administrative server 324 may perform security monitoring operations, log generation, and recording and/or feedback (322) associated with the white hacker attacks 306. The administrative server 324 may combine real logs 305, old real attack logs 312, and fake attack logs 314 with white hacker attack logs 306. As in diagram 300A, a training server 330 may receive the merged logs from the server 316 and provide them to the security personnel 338 through a client device 336, for example.
[0031] In yet other examples, one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs. The confirmation of the correctness of the identification may also be provided to the security personnel or to a source of the white hacker attack. The generated one or more logs may be combined with the plurality of security logs as the security logs are generated or subsequent to generation of the security logs. One or more portions of the combined logs may be marked to indicate locations of the generated one or more logs, but the marked one or more portions of the combined logs may be undetectable to the security personnel for realistic training.
[0032] In further examples, the security training may be provided for a human security personnel or an attack detection artificial intelligence (AI) module. A computing device performing one or more of the actions described herein may be a component of a protected network that generates the plurality of security logs. The computing device may also be a server outside of the protected network or a server configured to manage the security training. The computing device may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
[0033] In the example configuration of diagram 300C of FIG. 3C, the above discussed tasks of managing security operations; monitoring activities associated with the protected system 302; generation of logs; and combination of real logs 305, old real attack logs 312, fake attack logs 314, and white hacker attack logs 306 may be performed by the administrative server 334. The administrative server 334 may also provide the combined logs to the security personnel 338 for training through a client device 336.
[0034] FIG. 4 includes an illustration of major components in combination of white hacker attack generated logs with other logs to train security personnel, arranged in accordance with at least some embodiments described herein.
[0035] Diagram 400 shows how a white hacker 402 may provide a white hacker attack 404 to the protected system 408. Activities associated with the white hacker attack 404 may be recorded (406) and provided to log generation 412, where white hacker attack logs 414 are generated based on the recorded activities. The white hacker attack logs 414 may be combined with real logs 410 of activities from the protected system 408 (e.g., real attack logs) at log merger 416. Optionally, other attack logs 418 such as fake attack logs or old real attack logs may also be combined with the real logs 410 and white hacker attack logs 414. The combined logs may be provided for training 420 of the security personnel 422. In some examples, the white hacker 402 may receive feedback 424 in the form of recorded activities, responses from the protected system 408, and/or identification of the white hacker attack(s) by the security personnel 422 during training 420.
[0036] The raw logs may be too big for humans to go through. Hence, the logs may be passed through a “summarizing” process, which may identify events of interest to the security personnel and potential threats using automated analysis tools (e.g., artificial intelligence algorithms). Typically, the tools may not be able to identify which logs are created by the white hacker and which logs are not. The output of the summarizing process may include actionable summaries that the security operators can review to identify attacks.
[0037] Once a security personnel identifies a potential attack, they may be allowed to check whether the attack is real or not. If the attack is real, options for different actions may be provided, such as shutting down or isolating components or portions of the protected system, diverting the attack to a simulated deception network, etc. In one example, the security operator may be allowed to check whether the attack is real only after taking an action, in order to motivate the security personnel to pursue the attack source regardless of whether the attack is real or not.
[0038] In other examples, the summary process may be executed twice - once with the white hacker attack logs combined with the real logs and once without the white hacker attack logs - in order to determine whether an attack identification is based on a real attack log, a white hacker attack log, or both. In further examples, white hacker attack logs may be hidden if a real attack is identified, to help the security personnel focus on the real attack.
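The summarizing step of [0029] and [0036] and the two-pass attribution of [0038], as an added example in Python that is not part of the patent or of any applicant code. The line format, the "irrelevant" kinds that get dropped, the repeat-count alert rule and all log lines are constructed; a real summarizer would use whatever analysis tools the deployment has, but the attribution logic is independent of that choice:

```python
"""Added example (not part of the patent): a summarizer that drops irrelevant
entries and condenses the rest into alerts, run once with and once without the
white hacker logs so each alert can be attributed to a real attack, the white
hacker, or both. Log lines, thresholds and the alert rule are constructed."""
from __future__ import annotations

import re
from collections import Counter

# Constructed line format: "<ts> <source> <kind> [detail]"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<kind>\S+)(?: (?P<detail>.*))?$")
IRRELEVANT_KINDS = {"heartbeat", "debug"}   # removed before summarising
THRESHOLD = 3                               # repeats of one kind from one source


def parse(lines: list[str]):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(lines: list[str]) -> dict[tuple[str, str], int]:
    """Drop irrelevant entries, then condense the remainder into alerts keyed by
    (source, kind), raising an alert only when a source repeats one kind of
    suspicious event THRESHOLD times or more."""
    counts = Counter((e["src"], e["kind"]) for e in parse(lines)
                     if e["kind"] not in IRRELEVANT_KINDS)
    return {key: n for key, n in counts.items() if n >= THRESHOLD}


def attribute(real_lines: list[str], white_lines: list[str]) -> dict[tuple[str, str], str]:
    """Run the summary with and without the white hacker logs. An alert that only
    exists in the combined run is credited to the white hacker (even if a few real
    lines contributed below threshold); an alert with the same count in both runs
    is real; a different count means both sources fed it."""
    with_white = summarize(real_lines + white_lines)
    without_white = summarize(real_lines)
    attribution = {}
    for key, n in with_white.items():
        if key not in without_white:
            attribution[key] = "white hacker"
        elif without_white[key] == n:
            attribution[key] = "real"
        else:
            attribution[key] = "both"
    return attribution


def focused_view(attribution: dict[tuple[str, str], str]) -> dict[tuple[str, str], str]:
    """If any real attack is present, hide the purely white hacker alerts so the
    analyst can focus on it; otherwise show everything for training."""
    real = {k: v for k, v in attribution.items() if v != "white hacker"}
    return real if real else dict(attribution)


# Constructed ordinary logs including one real brute-force and one real scan.
REAL_LINES = [
    "100 10.0.0.5 heartbeat",
    "101 203.0.113.7 login_failed user=admin",
    "102 203.0.113.7 login_failed user=admin",
    "103 203.0.113.7 login_failed user=root",
    "104 10.0.0.9 file_access path=/srv/share/q3.xlsx",
    "105 10.0.0.5 heartbeat",
    "106 198.51.100.4 port_scan dport=22",
    "107 198.51.100.4 port_scan dport=80",
    "108 198.51.100.4 port_scan dport=25",
]
# Constructed white hacker logs: extends the real scan and adds a new activity.
WHITE_HAT_LINES = [
    "109 198.51.100.4 port_scan dport=443",
    "110 198.51.100.4 port_scan dport=3389",
    "111 192.0.2.10 file_access path=/srv/share/payroll.csv",
    "112 192.0.2.10 file_access path=/srv/share/hr.csv",
    "113 192.0.2.10 file_access path=/srv/share/payroll.csv",
]

if __name__ == "__main__":
    attribution = attribute(REAL_LINES, WHITE_HAT_LINES)
    for key, origin in attribution.items():
        print(f"{key[0]:>14} {key[1]:<12} -> {origin}")
    print("shown to analyst:", list(focused_view(attribution)))
```

The double run is what makes the "both" case visible: a single summary over the merged logs would report the port scan as one alert with no way to tell that the trainee's detection rests partly on injected events.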
[0039] The protected system may include any software, firmware, or middleware executed by any component of the protected system, operating systems, as well as hardware components such as a router, a server, a firewall device, a peripheral device, a storage device, an internal network, a desktop computer, a laptop computer, a wearable computer, a vehicle mount computer, or a tablet device within the protected system.
[0040] FIG. 5 illustrates a computing device, which may be used to manage combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some embodiments described herein.
[0041] In an example basic configuration 502, the computing device 500 may include one or more processors 504 and a system memory 506. A memory bus 508 may be used to communicate between the processor 504 and the system memory 506. The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
[0042] Depending on the desired configuration, the processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516. The example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof. An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
[0043] Depending on the desired configuration, the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof. The system memory 506 may include an operating system 520, a security management application 522, and program data 524. The security management application 522 may include an attack recording module 526. The attack recording module 526, in conjunction with the security management application 522, may be configured to capture or receive captured one or more activities associated with a white hacker attack and generate one or more logs from the captured one or more activities. The generated one or more logs may be combined with a plurality of security logs, which may then be provided for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack. The security management application 522 may receive an identification of the white hacker attack from the security personnel and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs. The program data 524 may include attack logs 528 such as a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, a permission modification, etc., among other data, as described herein.
[0044] The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces. For example, a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534. The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
[0045] The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
[0046] The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530. Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548. One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558. An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564. The one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.
[0047] The network communication link may be one example of a communication media. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include non-transitory storage media.
[0048] The computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
[0049] FIG. 6 is a flow diagram illustrating an example method to combine real, fake, and white hacker attacks to train security personnel that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
[0050] Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, 628, 630, and 632, which may in some embodiments be performed by a computing device such as the computing device 500 in FIG. 5. Such operations, functions, or actions in FIG. 6 and in the other figures, in some embodiments, may be combined, eliminated, modified, and/or supplemented with other operations, functions or actions, and need not necessarily be performed in the exact sequence as shown. The operations described in the blocks 622-632 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
[0051] An example process to modify security logs to provide security training through white hacking based automatic log creation may begin with block 622, “RECEIVE CAPTURED ONE OR MORE ACTIVITIES ASSOCIATED WITH A WHITE HACKER ATTACK”, where the captured activities may include one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification. The activities may be captured as part of a white hacker attack directed at a protected network or as part of a white hacker attack directed to a mirror system dedicated to receiving white hacker attacks. Alternatively, the logs associated with the white hacker attack may be received from the source of the white hacker attack instead of being generated from captured activities.
[0052] Block 622 may be followed by block 624, “GENERATE ONE OR MORE LOGS FROM THE CAPTURED ONE OR MORE ACTIVITIES”, where logs of the white hacker attack may be generated. In some examples, a new set of logs for training the security personnel may be generated by modifying one or more portions of the white hacker attack logs. The portions of the generated one or more logs may be modified by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
[0053] Block 624 may be followed by block 626, “COMBINE THE GENERATED ONE OR MORE LOGS WITH A PLURALITY OF SECURITY LOGS”, where the logs generated from the white hacker attack are combined with logs of regular security operations (e.g., non-suspicious activities associated with the protected network). In some examples, the combined logs may be summarized before being provided for security training by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
[0054] Block 626 may be followed by block 628, “PROVIDE THE COMBINED LOGS FOR TRAINING OF SECURITY PERSONNEL SUCH THAT THE SECURITY PERSONNEL ARE CAPABLE OF REVIEWING THE COMBINED LOGS TO IDENTIFY AND TAG THE ONE OR MORE LOGS ASSOCIATED WITH THE WHITE HACKER ATTACK”, where the combined logs (usually a summarized version) may be provided to the security personnel for review and training. The security personnel may be expected to tag logs they believe are results of an attack. In some examples, one or more portions of the combined logs may be marked to indicate locations of the generated one or more logs, but the marked one or more portions of the combined logs may be undetectable to the security personnel for realistic training.
[0055] Block 628 may be followed by block 630, “RECEIVE AN IDENTIFICATION OF THE WHITE HACKER ATTACK FROM THE SECURITY PERSONNEL”, where identified logs and/or an identification of the attack may be received from the security personnel in training. In some examples, one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
[0056] Block 630 may be followed by block 632, “CONFIRM THAT THE IDENTIFICATION OF THE WHITE HACKER ATTACK IS CORRECT BY COMPARING TAGGED LOGS BY THE SECURITY PERSONNEL TO THE GENERATED ONE OR MORE LOGS”, where the system may confirm that the security personnel in training have actually detected the white hacker attack. The confirmation of the correctness of the identification may also be provided to a source of the white hacker attack as feedback.
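The flow of blocks 622 through 632, worked as an added Python example (this is not code from the patent or from Xinova; every log line, host name, address and the noise pattern used for summarization are constructed for the illustration): captured activities are rendered into log lines shaped like the protected network's own, interleaved with benign logs by timestamp, summarized by dropping irrelevant lines, handed to the trainee as plain text with no visible marker, and finally scored against the hidden ground truth.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set


@dataclass(frozen=True)
class LogLine:
    ts: str         # ISO-8601 timestamp; ISO strings sort chronologically as text
    text: str       # the line exactly as the trainee will see it
    injected: bool  # ground-truth marker (block 626); never rendered into `text`


# Constructed sample: activities captured during a white hacker exercise (block 622).
WHITE_HACKER_ACTIVITIES = [
    {"ts": "2019-03-20T10:02:11", "host": "srv-07", "kind": "login",
     "src": "198.51.100.23", "detail": "login failed for admin"},
    {"ts": "2019-03-20T10:02:15", "host": "srv-07", "kind": "login",
     "src": "198.51.100.23", "detail": "login failed for admin"},
    {"ts": "2019-03-20T10:02:19", "host": "srv-07", "kind": "login",
     "src": "198.51.100.23", "detail": "login ok for admin"},
    {"ts": "2019-03-20T10:03:02", "host": "srv-07", "kind": "file_access",
     "src": "198.51.100.23", "detail": "read /srv/hr/payroll.csv"},
    {"ts": "2019-03-20T10:03:40", "host": "srv-07", "kind": "perm_mod",
     "src": "198.51.100.23", "detail": "added svc to group admins"},
]

# Constructed sample: regular, non-suspicious logs from the protected network (block 626).
BENIGN_LOGS = [
    "2019-03-20T10:01:50 srv-03 login src=10.0.4.17 login ok for jdoe",
    "2019-03-20T10:02:13 srv-07 debug heartbeat ok",
    "2019-03-20T10:02:30 srv-03 file_access src=10.0.4.17 read /home/jdoe/report.docx",
    "2019-03-20T10:03:10 srv-07 debug heartbeat ok",
    "2019-03-20T10:03:55 srv-05 upload src=10.0.4.22 put /share/q1.xlsx",
]

# Assumed summarization rule: lines containing these substrings teach nothing and are dropped.
IRRELEVANT_PATTERNS = ("debug heartbeat",)


def generate_logs(activities: Sequence[Dict[str, str]]) -> List[LogLine]:
    """Block 624: render captured activities in the protected network's own log
    format, so injected and real lines cannot be told apart by shape."""
    return [
        LogLine(a["ts"], f'{a["ts"]} {a["host"]} {a["kind"]} src={a["src"]} {a["detail"]}', True)
        for a in activities
    ]


def combine(generated: Sequence[LogLine], benign: Sequence[str]) -> List[LogLine]:
    """Block 626: interleave by timestamp. The ground truth lives only in the
    `injected` flag, which trainee_view() below never exposes."""
    lines = list(generated) + [LogLine(b.split(" ", 1)[0], b, False) for b in benign]
    return sorted(lines, key=lambda line: line.ts)  # stable sort keeps order on equal timestamps


def summarize(lines: Sequence[LogLine]) -> List[LogLine]:
    """Summarization step of block 626: remove portions irrelevant to the training."""
    return [line for line in lines
            if not any(p in line.text for p in IRRELEVANT_PATTERNS)]


def trainee_view(lines: Sequence[LogLine]) -> List[str]:
    """Block 628: the review copy handed to security personnel. Text only, no marker."""
    return [line.text for line in lines]


def confirm(lines: Sequence[LogLine], tagged: Set[int]) -> Dict[str, object]:
    """Block 632: compare the line numbers the trainee tagged against the injected set."""
    truth = {i for i, line in enumerate(lines) if line.injected}
    hits = tagged & truth
    return {
        "detected": bool(hits),                                   # attack noticed at all
        "precision": len(hits) / len(tagged) if tagged else 0.0,  # share of tags that were right
        "recall": len(hits) / len(truth) if truth else 0.0,       # share of attack lines found
        "missed": sorted(truth - tagged),                         # injected lines left untagged
        "false_alarms": sorted(tagged - truth),                   # benign lines tagged as attack
    }


def build_exercise() -> List[LogLine]:
    """Blocks 622-626 end to end, returning the summarized combined logs."""
    return summarize(combine(generate_logs(WHITE_HACKER_ACTIVITIES), BENIGN_LOGS))


if __name__ == "__main__":
    exercise = build_exercise()
    for number, text in enumerate(trainee_view(exercise)):
        print(number, text)
    # A trainee who tags the three login lines and the group change, but misses the file read:
    print(confirm(exercise, {1, 2, 3, 6}))
```

Keeping the ground truth in the `injected` flag rather than in the line text is what makes the marked portions undetectable to the trainee while still letting block 632 confirm the identification; reporting precision and recall separately distinguishes a trainee who found the attack but over-tagged from one who tagged selectively but missed part of it.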
[0057] The operations included in the above-described process are for illustration purposes. Combination of real, fake, and white hacker attacks to train security personnel may be implemented by similar processes with fewer or additional operations, as well as in a different order of operations, using the principles described herein. The operations described herein may be executed by one or more processors operated on one or more computing devices, one or more processor cores, and/or specialized processing devices, among other examples.
[0058] FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
[0059] In some examples, as shown in FIG. 7, a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein. Thus, for example, referring to the processor 504 in FIG. 5, the security management application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with the control and implementation of combination of real, fake, and white hacker attacks to train security personnel as described herein. Some of those instructions may include, for example, receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and/or confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs, according to some embodiments described herein.
[0060] In some implementations, the signal bearing medium 702 depicted in FIG. 7 may encompass computer-readable medium 706, such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media. In some implementations, the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.). Thus, for example, the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
[0061] According to some examples, a method to supplement security personnel training through white hacking based automatic log creation is described. An example method may include capturing one or more activities associated with a white hacker attack; generating one or more logs from the captured one or more activities; combining the generated one or more logs with a plurality of security logs; providing the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receiving an identification of the white hacker attack from the security personnel; and confirming that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0062] According to other examples, capturing the one or more activities associated with the white hacker attack may include capturing one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification. Capturing the one or more activities associated with the white hacker attack may also include capturing the one or more activities at a protected network or receiving the captured one or more activities from a white hacker attack directed to a mirror system dedicated to receiving white hacker attacks. Capturing the one or more activities associated with the white hacker attack may further include receiving a plurality of logs associated with the white hacker attack from the source of the white hacker attack.
[0063] According to further examples, the method may also include generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The method may further include generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack. The method may also include generating a new set of combined logs for training the security personnel by executing a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The method may further include summarizing the combined logs before providing the combined logs by identifying one or more portions of the combined logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
[0064] According to further examples, the method may also include summarizing the plurality of security logs before combining with the generated one or more logs by identifying one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; removing the one or more portions identified as irrelevant for the training of the security personnel; and providing the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel is capable of distinguishing detections of real attacks and white hacker attacks. The method may also include providing one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs. The method may further include providing the confirmation to the security personnel or providing the confirmation to a source of the white hacker attack. Combining the generated one or more logs with the plurality of security logs may include combining the generated one or more logs with the plurality of security logs as the security logs are generated. Combining the generated one or more logs with the plurality of security logs may also include combining the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
[0065] According to other examples, a computing device to modify security logs to provide security training through white hacking based automatic log creation is described. An example computing device may include a communication device configured to communicate with a plurality of components of a protected network; a memory configured to store instructions; and a processor coupled to the communication device and the memory. The processor, in conjunction with the instructions stored on the memory, may be configured to receive captured one or more activities associated with a white hacker attack; generate one or more logs from the captured one or more activities; combine the generated one or more logs with a plurality of security logs; provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0066] According to further examples, the captured one or more activities may include one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification. The processor may be further configured to mark one or more portions of the combined logs to indicate locations of the generated one or more logs, wherein the marked one or more portions of the combined logs are undetectable to the security personnel. The white hacker attack may be directed to the protected network or a mirror system dedicated to receiving white hacker attacks. The processor may be further configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The processor may also be configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
[0067] According to some examples, the processor may be further configured to generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The processor may also be configured to replace one or more dynamic attributes within the script with a parameter; and insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events. The processor may be further configured to summarize the combined logs before providing for security personnel training through identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and removal of the one or more portions identified as irrelevant for the training of the security personnel.
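The parameterized script of paragraph [0067] (restated for the second protected network component in [0071]), as an added Python example that is not the patent's or Xinova's code: a captured attack is turned into a script whose dynamic attributes (server identifier, source IP address, file name and absolute time) are replaced by parameters, and the parameter values are inserted only when the script is combined with a given log stream. The captured lines, the parameter values (`db-02`, `203.0.113.9`, the ledger path) and the start time are constructed; the regular expression that recognizes file operations is an assumption about the log format.

```python
import re
from datetime import datetime, timedelta
from string import Formatter
from typing import Dict, List, Set, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample: one white hacker attack as captured on the mirror system.
CAPTURED_ATTACK = [
    "2019-03-20T10:02:11 srv-07 login src=198.51.100.23 login failed for admin",
    "2019-03-20T10:02:19 srv-07 login src=198.51.100.23 login ok for admin",
    "2019-03-20T10:03:02 srv-07 file_access src=198.51.100.23 read /srv/hr/payroll.csv",
]

# A script entry: seconds after the attack start, plus a template with named parameters.
ScriptLine = Tuple[int, str]

# Constructed values chosen at combination time so the attack blends into the target log stream.
EXAMPLE_PARAMS = {"host": "db-02", "src": "203.0.113.9", "file": "/srv/finance/ledger.csv"}
EXAMPLE_START = datetime(2019, 3, 21, 14, 0, 0)


def to_script(lines: List[str]) -> List[ScriptLine]:
    """Replace the dynamic attributes of a captured attack (server identifier, source IP,
    file name, absolute time) with parameters. Assumes one attacking source and one host."""
    first_ts, first_rest = lines[0].split(" ", 1)
    t0 = datetime.strptime(first_ts, TS_FMT)
    host = first_rest.split(" ", 1)[0]
    src = re.search(r"src=(\S+)", first_rest).group(1)
    script: List[ScriptLine] = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        offset = int((datetime.strptime(ts, TS_FMT) - t0).total_seconds())
        rest = rest.replace(host, "{host}").replace(src, "{src}")
        # Assumed log grammar: the token after a file operation verb is the file name.
        rest = re.sub(r"\b(read|write|put|get) \S+", r"\1 {file}", rest)
        script.append((offset, rest))
    return script


def required_params(script: List[ScriptLine]) -> Set[str]:
    """Names every parameter the script expects, so a missing value is caught before rendering."""
    names: Set[str] = set()
    for _, template in script:
        names.update(field for _, field, _, _ in Formatter().parse(template) if field)
    return names


def render(script: List[ScriptLine], params: Dict[str, str], start: datetime) -> List[str]:
    """Insert parameter values at combination time; timestamps are re-based onto `start`
    so the attack lands inside the window of the benign logs it will be mixed with."""
    missing = required_params(script) - set(params)
    if missing:
        raise ValueError(f"no value for parameters: {sorted(missing)}")
    return [f"{(start + timedelta(seconds=offset)).strftime(TS_FMT)} {template.format_map(params)}"
            for offset, template in script]


def render_example() -> List[str]:
    """The constructed attack, re-hosted and re-timed with EXAMPLE_PARAMS and EXAMPLE_START."""
    return render(to_script(CAPTURED_ATTACK), EXAMPLE_PARAMS, EXAMPLE_START)


if __name__ == "__main__":
    for offset, template in to_script(CAPTURED_ATTACK):
        print(f"t+{offset:>3}s  {template}")
    print()
    print("\n".join(render_example()))
```

Storing relative offsets rather than absolute timestamps is what lets one captured attack be replayed into any training window, and the `required_params` check fails the run early rather than leaving a literal `{file}` in a line the trainee would immediately recognize as synthetic.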
[0068] According to other examples, the processor may be further configured to summarize the plurality of security logs before combining with the generated one or more logs through identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; removal of the one or more portions identified as irrelevant for the training of the security personnel; and provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel is capable of distinguishing detections of real attacks and white hacker attacks. The processor may also be configured to provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs; provide the confirmation to the security personnel; or provide the confirmation to a source of the white hacker attack. The processor may be configured to combine the generated one or more logs with the plurality of security logs as the security logs are generated. The processor may also be configured to combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs. The security training may be provided for a security personnel or an attack detection artificial intelligence (AI) module. The computing device may be a component of the protected network that generates the plurality of security logs, a server outside of the protected network, or a server configured to manage the security training.
[0069] According to further examples, a system configured to modify security logs to provide security training through white hacking based automatic log creation is described. An example system may include a first protected network component, a second protected network component, and a third protected network component. The first protected network component may be configured to generate a plurality of security logs. The second protected network component may be configured to receive the plurality of security logs from the first protected network component; receive captured one or more activities associated with a white hacker attack; generate one or more logs from the received one or more activities; combine the plurality of security logs with the generated one or more logs; and mark one or more portions of the combined logs to indicate locations of the generated one or more logs. The third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack, where the marked one or more portions of the combined logs are undetectable to the security personnel; receive an identification of the white hacker attack from the security personnel; and confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
[0070] According to some examples, the white hacker attack may be directed to the protected network or a mirror system dedicated to receiving white hacker attacks. The second protected network component may be further configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs. The second protected network component may also be configured to generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack. The second protected network component may be further configured to generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
[0071] According to other examples, the second protected network component may be further configured to replace one or more dynamic attributes within the script with a parameter; and insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events. The second protected network component may also be configured to summarize the combined logs before providing for security personnel training through identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and removal of the one or more portions identified as irrelevant for the training of the security personnel. The second protected network component may be further configured to summarize the plurality of security logs before combining with the generated one or more logs through identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; and removal of the one or more portions identified as irrelevant for the training of the security personnel; and provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel is capable of distinguishing detections of real attacks and white hacker attacks.
[0072] According to further examples, the third protected network component may be further configured to provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs; provide the confirmation to the security personnel; or provide the confirmation to a source of the white hacker attack. The second protected network component may be further configured to combine the generated one or more logs with the plurality of security logs as the security logs are generated. The second protected network component may also be configured to combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs. The security training may be provided for a security personnel or an attack detection artificial intelligence (AI) module. The first protected network component, the second protected network component, or the third protected network component may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
[0073] There are various vehicles by which processes and/or systems and/or other technologies described herein may be affected (e.g., hardware, software, and/or firmware), and the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.
[0074] The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other integrated formats. However, some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs executing on one or more computers (e.g., as one or more programs executing on one or more computer systems), as one or more programs executing on one or more processors (e.g., as one or more programs executing on one or more microprocessors), as firmware, or as virtually any combination thereof, and designing the circuitry and/or writing the code for the software and/or firmware are possible in light of this disclosure.
[0075] The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, are possible from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting.
[0076] In addition, the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and that an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
[0077] It is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. A data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
[0078] A data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively "associated" such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as "associated with" each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being "operably connected", or "operably coupled", to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being "operably couplable", to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
[0079] With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.
[0080] In general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open” terms (e.g., the term “including” should be interpreted as “including but not limited to,” the term “having” should be interpreted as “having at least,” the term “includes” should be interpreted as “includes but is not limited to,” etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation, no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases "at least one" and "one or more" to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an" (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of "two recitations," without other modifiers, means at least two recitations, or two or more recitations).
[0081] Furthermore, in those instances where a convention analogous to “at least one of A, B, and C, etc.” is used, in general, such a construction is intended in the sense one having skill in the art would understand the convention (e.g., “a system having at least one of A, B, and C” would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase “A or B” will be understood to include the possibilities of “A” or “B” or “A and B.”
[0082] For any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as “up to,” “at least,” “greater than,” “less than,” and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
[0083] While various aspects and embodiments have been disclosed herein, other aspects and embodiments are possible. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

WHAT IS CLAIMED IS:
1. A method to supplement security personnel training through white hacking based automatic log creation, the method comprising:
capturing one or more activities associated with a white hacker attack;
generating one or more logs from the captured one or more activities;
combining the generated one or more logs with a plurality of security logs;
providing the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack;
receiving an identification of the white hacker attack from the security personnel; and
confirming that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
2. The method of claim 1, wherein capturing the one or more activities associated with the white hacker attack comprises:
capturing one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
3. The method of claim 1, wherein capturing the one or more activities associated with the white hacker attack comprises:
capturing the one or more activities at a protected network; or
receiving the captured one or more activities from a white hacker attack directed to a mirror system dedicated to receiving white hacker attacks.
4. The method of claim 1, wherein capturing the one or more activities associated with the white hacker attack comprises:
receiving a plurality of logs associated with the white hacker attack from the source of the white hacker attack.
5. The method of claim 1, further comprising:
generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
6. The method of claim 1, further comprising:
generating a new set of combined logs for training the security personnel by modifying one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
7. The method of claim 1, further comprising:
generating a new set of combined logs for training the security personnel by executing a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
8. The method of claim 1, further comprising:
summarizing the combined logs before providing the combined logs by:
identifying one or more portions of the combined logs as irrelevant for the training of the security personnel; and
removing the one or more portions identified as irrelevant for the training of the security personnel.
9. The method of claim 1, further comprising:
summarizing the plurality of security logs before combining with the generated one or more logs by:
identifying one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; and
removing the one or more portions identified as irrelevant for the training of the security personnel; and
providing the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
10. The method of claim 1, further comprising:
providing one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
11. The method of claim 1, further comprising:
providing the confirmation to the security personnel.
12. The method of claim 1, further comprising:
providing the confirmation to a source of the white hacker attack.
13. The method of claim 1, wherein combining the generated one or more logs with the plurality of security logs comprises:
combining the generated one or more logs with the plurality of security logs as the security logs are generated.
14. The method of claim 1, wherein combining the generated one or more logs with the plurality of security logs comprises:
combining the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
15. A computing device to modify security logs to provide security training through white hacking based automatic log creation, the computing device comprising:
a communication device configured to communicate with a plurality of components of a protected network;
a memory configured to store instructions; and
a processor coupled to the communication device and the memory, wherein the processor in conjunction with the instructions stored on the memory is configured to:
receive captured one or more activities associated with a white hacker attack;
generate one or more logs from the captured one or more activities;
combine the generated one or more logs with a plurality of security logs;
provide the combined logs for training of security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack;
receive an identification of the white hacker attack from the security personnel; and
confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
16. The computing device of claim 15, wherein the captured one or more activities comprise one or more of a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
17. The computing device of claim 15, wherein the processor is further configured to:
mark one or more portions of the combined logs to indicate locations of the generated one or more logs, wherein the marked one or more portions of the combined logs are undetectable to the security personnel.
18. The computing device of claim 15, wherein the white hacker attack is directed to the protected network or a mirror system dedicated to receiving white hacker attacks.
19. The computing device of claim 15, wherein the processor is further configured to:
generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
20. The computing device of claim 15, wherein the processor is configured to:
generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
21. The computing device of claim 15, wherein the processor is further configured to:
generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
22. The computing device of claim 21, wherein the processor is further configured to:
replace one or more dynamic attributes within the script with a parameter; and
insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events.
23. The computing device of claim 15, wherein the processor is further configured to:
summarize the combined logs before providing for security personnel training through:
identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and
removal of the one or more portions identified as irrelevant for the training of the security personnel.
24. The computing device of claim 15, wherein the processor is further configured to:
summarize the plurality of security logs before combining with the generated one or more logs through:
identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; and
removal of the one or more portions identified as irrelevant for the training of the security personnel; and
provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
25. The computing device of claim 15, wherein the processor is further configured to:
provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
26. The computing device of claim 15, wherein the processor is further configured to:
provide the confirmation to the security personnel.
27. The computing device of claim 15, wherein the processor is further configured to:
provide the confirmation to a source of the white hacker attack.
28. The computing device of claim 15, wherein the processor is configured to combine the generated one or more logs with the plurality of security logs as the security logs are generated.
29. The computing device of claim 15, wherein the processor is configured to combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
30. The computing device of claim 15, wherein the security training is provided for a security personnel or an attack detection artificial intelligence (AI) module.
31. The computing device of claim 15, wherein the computing device is a component of the protected network that generates the plurality of security logs.
32. The computing device of claim 15, wherein the computing device is a server outside of the protected network.
33. The computing device of claim 15, wherein the computing device is a server configured to manage the security training.
34. A system configured to modify security logs to provide security training through white hacking based automatic log creation, the system comprising:
a first protected network component configured to:
generate a plurality of security logs;
a second protected network component configured to:
receive the plurality of security logs from the first protected network component;
receive captured one or more activities associated with a white hacker attack;
generate one or more logs from the received one or more activities;
combine the plurality of security logs with the generated one or more logs; and
mark one or more portions of the combined logs to indicate locations of the generated one or more logs; and
a third protected network component configured to:
receive the combined logs from the second protected network component;
provide the combined logs to a security personnel such that the security personnel are capable of reviewing the combined logs to identify and tag the one or more logs associated with the white hacker attack, wherein the marked one or more portions of the combined logs are undetectable to the security personnel;
receive an identification of the white hacker attack from the security personnel; and
confirm that the identification of the white hacker attack is correct by comparing tagged logs by the security personnel to the generated one or more logs.
35. The system of claim 34, wherein the white hacker attack is directed to the protected network or a mirror system dedicated to receiving white hacker attacks.
36. The system of claim 34, wherein the second protected network component is further configured to:
generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
37. The system of claim 34, wherein the second protected network component is further configured to:
generate a new set of combined logs for training the security personnel through modification of one or more portions of the generated one or more logs by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, or a requested operation type associated with the white hacker attack.
38. The system of claim 34, wherein the second protected network component is further configured to:
generate a new set of combined logs for training the security personnel through execution of a script to modify one or more portions of the generated one or more logs before combining the generated one or more logs with the plurality of security logs.
39. The system of claim 38, wherein the second protected network component is further configured to:
replace one or more dynamic attributes within the script with a parameter; and
insert a value of the parameter upon combination of the generated one or more logs with the plurality of security log events.
40. The system of claim 34, wherein the second protected network component is further configured to:
summarize the combined logs before providing for security personnel training through:
identification of one or more portions of the combined logs as irrelevant for the training of the security personnel; and
removal of the one or more portions identified as irrelevant for the training of the security personnel.
41. The system of claim 34, wherein the second protected network component is further configured to:
summarize the plurality of security logs before combining with the generated one or more logs through:
identification of one or more portions of the plurality of security logs as irrelevant for the training of the security personnel; and
removal of the one or more portions identified as irrelevant for the training of the security personnel; and
provide the summarized combined logs and the summarized plurality of security logs for the training of the security personnel such that the security personnel are capable of distinguishing detections of real attacks and white hacker attacks.
42. The system of claim 34, wherein the third protected network component is further configured to:
provide one or more options for actions to be performed to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
43. The system of claim 34, wherein the third protected network component is further configured to:
provide the confirmation to the security personnel.
44. The system of claim 34, wherein the third protected network component is further configured to:
provide the confirmation to a source of the white hacker attack.
45. The system of claim 34, wherein the second protected network component is further configured to:
combine the generated one or more logs with the plurality of security logs as the security logs are generated.
46. The system of claim 34, wherein the second protected network component is further configured to:
combine the generated one or more logs with the plurality of security logs subsequent to generation of the security logs.
47. The system of claim 34, wherein the security training is provided for a security personnel or an attack detection artificial intelligence (AI) module.
48. The system of claim 34, wherein the first protected network component, the second protected network component, or the third protected network component are one of: a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, and a special purpose network device.
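The claims above describe a pipeline: capture white-hat activity, turn it into log lines whose dynamic attributes are parameters (claims 7 and 22), merge those lines into real security logs in time order (claims 13 and 14), drop portions that are irrelevant to the exercise (claims 8 and 9), keep the marking of the injected lines hidden from the trainee (claim 17), and confirm the trainee's tags against the injected set (claim 1). The following is an added example of that pipeline written for this page; it is not the applicant's code. It assumes a syslog-like line format, ISO timestamps, and that the trainee's answer arrives as a set of line IDs. Every log line, host name, address and file path is constructed for the example.

```python
"""Added example (not from the patent): white-hat activity templated into logs,
merged into benign telemetry, summarized, and scored against trainee tags.
All log lines, hosts, addresses and paths below are constructed."""
import random
from datetime import datetime, timedelta

# Captured white-hat activity kept as a template: the dynamic attributes are
# {parameters} so each training run can substitute fresh values and produce
# a new exercise from the same capture. Offsets are seconds after attack start.
WHITE_HAT_TEMPLATE = [
    (0,  "auth sshd: Failed password for root from {src_ip} port 51122"),
    (2,  "auth sshd: Failed password for root from {src_ip} port 51124"),
    (5,  "auth sshd: Accepted password for svc_backup from {src_ip} port 51131"),
    (40, "{server} sudo: svc_backup : COMMAND=/usr/bin/cat {file}"),
    (75, "{server} netflow: svc_backup -> {target_ip}:443 bytes=48123904"),
]

# Log lines matching these substrings are treated as irrelevant to the
# exercise and removed before the trainee sees the combined logs.
IRRELEVANT = ("CRON:", "/healthz")


def instantiate(template, params, start):
    """Generate timestamped attack events for one exercise from the template."""
    return [(start + timedelta(seconds=off), fmt.format(**params))
            for off, fmt in template]


def benign_logs(start, count, seed=1):
    """Constructed benign telemetry for the same time window (assumed format)."""
    rng = random.Random(seed)
    choices = [
        "CRON: (root) CMD (run-parts /etc/cron.hourly)",
        "auth sshd: Accepted publickey for deploy from 10.0.3.14 port 40022",
        "web01 nginx: GET /healthz 200",
        "fs01 smbd: user alice opened \\\\fs01\\share\\q3.xlsx",
    ]
    return [(start + timedelta(seconds=rng.randint(0, 120)), rng.choice(choices))
            for _ in range(count)]


def combine(security_logs, white_hat_events):
    """Merge by timestamp, drop irrelevant lines, then number the result.

    Returns the lines the trainee sees and the ground truth as a separate set
    of line IDs: the marking never appears in the visible text, so the trainee
    cannot spot injected lines by their formatting."""
    tagged = [(ts, line, False) for ts, line in security_logs]
    tagged += [(ts, line, True) for ts, line in white_hat_events]
    tagged = [t for t in tagged if not any(p in t[1] for p in IRRELEVANT)]
    tagged.sort(key=lambda t: t[0])
    visible, truth = [], set()
    for line_id, (ts, line, is_attack) in enumerate(tagged):
        visible.append(f"{line_id:04d} {ts:%H:%M:%S} {line}")
        if is_attack:
            truth.add(line_id)
    return visible, truth


def confirm(tagged_ids, truth):
    """Compare the trainee's tagged line IDs with the injected lines."""
    hits = tagged_ids & truth
    return {
        "correct": tagged_ids == truth,
        "missed": sorted(truth - tagged_ids),
        "false_positive": sorted(tagged_ids - truth),
        "recall": len(hits) / len(truth) if truth else 1.0,
    }


def build_exercise(seed=7):
    """One complete exercise with constructed parameter values."""
    start = datetime(2019, 3, 21, 9, 0, 0)
    params = {"src_ip": "198.51.100.23", "target_ip": "203.0.113.9",
              "server": "fs01", "file": "/srv/finance/payroll.csv"}
    attack = instantiate(WHITE_HAT_TEMPLATE, params, start + timedelta(seconds=20))
    return combine(benign_logs(start, 30, seed), attack)


if __name__ == "__main__":
    visible, truth = build_exercise()
    print("\n".join(visible))
    # A trainee who tags only two of the five injected lines is not confirmed.
    print(confirm(set(sorted(truth)[:2]), truth))
```

Changing `params` (or the seed) regenerates the exercise from the same capture, which is what claims 5 through 7 describe; the ground truth lives only in the returned set, so a trainee given `visible` alone has nothing to grep for.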

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2019/023280 WO2020190294A1 (en) 2019-03-21 2019-03-21 Security personnel training using automatic log creation resulting from white hacking


Publications (1)

Publication Number Publication Date
WO2020190294A1 (en) 2020-09-24

Family

ID=72520480


Country Status (1)

Country Link
WO (1) WO2020190294A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110039237A1 (en) * 2008-04-17 2011-02-17 Skare Paul M Method and system for cyber security management of industrial control systems
US20110185426A1 (en) * 2003-04-04 2011-07-28 Juniper Networks, Inc. Detection of network security breaches based on analysis of network record logs


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
JAGNARINE, AMIT ANAND: "The Role of White Hat Hackers in Information Security", HONORS COLLEGE THESES, 24 August 2005 (2005-08-24), pages 1 - 30, XP055741956, Retrieved from the Internet <URL:https://digitalcommons.pace.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1012&context=honorscollege_theses> [retrieved on 20190520] *
JELEN, SARA: "An Ode to White Hats: What Is Ethical Hacking?", SECURITY TRAILS BLOG, 6 November 2018 (2018-11-06), XP055742006, Retrieved from the Internet <URL:https://securitytrails.com/blog/ode-white-hats-ethical-hacking> [retrieved on 20190520] *
SCARFONE ET AL.: "Technical guide to information security testing and assessment", NIST SPECIAL PUBLICATION, September 2008 (2008-09-01), pages 1 - 80, XP055333488, Retrieved from the Internet <URL:http://www.itsecure.hu/library/file/Biztonsági%20útmutatók/Egyéb%20biztonsági%20utmutatok/Technical%20Guide%20to%20Information%20Security%20Testing%20and%20Assessment.pdf> [retrieved on 20190520] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19920618; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19920618; Country of ref document: EP; Kind code of ref document: A1)