WO2020190296A1 - Modified security logs for security personnel training - Google Patents

Modified security logs for security personnel training

Info

Publication number
WO2020190296A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
logs
log
security
white
Prior art date
Application number
PCT/US2019/023308
Other languages
French (fr)
Inventor
Shmuel Ur
Ran LEHR
Vlad Grigore DABIJA
Or ZILBERMAN
Original Assignee
Xinova, LLC
Priority date
Filing date
Publication date
Application filed by Xinova, LLC
Priority to PCT/US2019/023308
Publication of WO2020190296A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09B EDUCATIONAL OR DEMONSTRATION APPLIANCES; APPLIANCES FOR TEACHING, OR COMMUNICATING WITH, THE BLIND, DEAF OR MUTE; MODELS; PLANETARIA; GLOBES; MAPS; DIAGRAMS
    • G09B7/00 Electrically-operated teaching apparatus or devices working with questions and answers

Definitions

  • a cyber-attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter, or destroy data or information systems.
  • In today’s highly networked and computerized environment, a large number of systems deal with an even larger number of threats every day.
  • As the variety and complexity of solutions increase, it becomes more difficult for some systems to protect themselves.
  • One of the first lines of defense against cyber-attacks is detecting an attack as it happens.
  • An entire industry is dedicated to monitoring events happening in organizations and finding suspicious ones.
  • a typical approach includes monitoring logs of events and finding suspicious behavior.
  • logs of events may be collected.
  • the logs may be very large, and therefore, generally not machine readable.
  • a number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, insufficiently trained security personnel may miss signs of an attack among the large amount of data they typically review.
  • the present disclosure generally describes techniques for modification of security logs to train security personnel.
  • a method for modification of security logs to train security personnel may include receiving a plurality of security logs and an attack log, merging the plurality of security logs with the attack log to generate combined logs, and marking one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs.
  • the method may also include providing the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training, and receiving information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • a computing device to modify security logs to train security personnel may include a communication device configured to communicate with a plurality of components of a protected network, a memory configured to store instructions, and a processor coupled to the communication device and the memory.
  • the processor in conjunction with the instructions stored on the memory, may be configured to receive a plurality of security logs; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack directed to the protected network; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs.
  • the processor may also be configured to provide the combined logs for the security training, where the marked one or more portions of the combined logs are undetectable to a security personnel in training, and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • a system to modify security logs to train security personnel may include a first protected network component, a second protected network component, and a third protected network component.
  • the first protected network component may be configured to generate a plurality of security logs.
  • the second protected network component may receive the plurality of security logs from the first protected network component; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs.
  • the third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • FIG. 1 includes a conceptual illustration of a protected network where security logs may be modified to train security personnel;
  • FIG. 2 includes a conceptual illustration of modification of security logs through combination of real, fake, and white hacker attacks to train security personnel;
  • FIGS. 3A through 3C include conceptual illustrations of different configurations for modification of security logs to train security personnel;
  • FIG. 4 includes an illustration of three example modification approaches for security logs to train security personnel;
  • FIG. 5 illustrates a computing device, which may be used to manage modification of security logs to train security personnel;
  • FIG. 6 is a flow diagram illustrating an example method for modification of security logs to train security personnel that may be performed by a computing device such as the computing device in FIG. 5;
  • FIG. 7 illustrates a block diagram of an example computer program product.
  • This disclosure is generally drawn, inter alia , to methods, apparatus, systems, devices, and/or computer program products related to modification of security logs to train security personnel.
  • log events generated from such attacks may be inserted into security logs of a protected network according to a random or predefined combination scheme.
  • the log events may be altered through mutation and/or crossover operations.
  • the combined security logs may be provided to a security personnel in training with the inserted log events marked, but the marking undetectable to the security personnel in training.
  • FIG. 1 includes a conceptual illustration of a protected network where security logs may be modified to train security personnel, in accordance with at least some embodiments described herein.
  • Diagram 100 shows an example protected network with example components.
  • the example protected network in diagram 100 may communicate with other networks and devices represented by external networks 102 through a switch 104.
  • a firewall device 106 may provide first line of protection for the protected network against external attacks.
  • the protected network may include a number of generic or special purpose components such as server 108, router 110, bridge 112, and sub-network 120.
  • Server 114, computer 116, printer 118, and similar devices may be connected to the protected network through sub-network 120.
  • Other example components may include server farm 124, database server 122, wireless bridge 126, and user devices 130, which may connect to the protected network wirelessly (128) through the wireless bridge 126.
  • An administrative server 132 may be configured to manage security operations detecting events and data exchanges through the external networks 102, switch 104, and firewall 106.
  • the administrative server 132 may employ various threat detection tools 134 and also provide logs to a security personnel 138 for training.
  • the security personnel 138 may connect to the administrative server 132 through a computing device 136 to oversee the security operations, analyze reports, and perform other tasks.
  • When an attack 101 is launched against the protected network, it may take many different forms and affect different components.
  • the administrative server 132 may capture one or more activities associated with the attack 101, generate one or more log events from the captured one or more activities, and combine the generated one or more log events with a plurality of security logs (e.g., normal security operation logs).
  • the combined logs may be used for training of the security personnel 138 such that the security personnel 138 is capable of reviewing the combined logs to identify and tag the one or more log events associated with the attack 101.
  • An identification of the attack 101 may be received from the security personnel 138 and the identification of the attack 101 may be confirmed as correct by comparing tagged log events by the security personnel 138 to the generated one or more log events.
  • a typical approach in defending an organization against cyber-attacks includes monitoring logs of events and finding suspicious behavior.
  • activities may be collected, and log events generated from the captured activities.
  • the logs may be very large, and therefore, generally not machine readable.
  • a number of different tools may be employed to analyze the logs and generate a summary for a security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, an efficiency of security personnel in detecting attacks can be increased through education and repeated training. The higher number of logs associated with attacks and higher variety of logs a security personnel is exposed to, the higher is the likelihood they may catch the next attack.
  • security logs generated in due course may be modified.
  • security logs of a protected network may be received along with one or more log events associated with a real attack, a fake attack, and/or a white hacker attack.
  • the received log events may be inserted into the security logs according to a random or predefined combination scheme to generate combined logs.
  • One or more portions of the combined logs may be marked to indicate locations of the inserted log events within the combined logs.
  • the combined logs may be provided to a human security personnel in training or an attack detection AI module with the marked portions of the combined logs being undetectable to the security personnel in training or AI module.
  • Information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training or the AI module may be received by the system.
  • the training may include testing of the threat detection tools.
  • employed threat detection tool(s) may flag detected attacks (or log portions associated with an attack), but the security personnel in training may review the entire summarized logs. If the security personnel detects an unflagged attack or misflagged attack, they may indicate that such that the employed threat detection tool(s) can be modified (i.e., replaced with a different threat detection tool or settings of the employed threat detection tool changed).
  • a system according to embodiments may also be used to enhance capabilities of threat detection tools and/or enhanced selection of threat detection tools for specific environments in addition to training security personnel.
  • Various components of the example protected network may communicate over wired or wireless links in a number of topographic configurations. Any number of
  • Some components may be purely hardware, other components may be implemented as purely software. Yet other components may be embodied as a combination of hardware and software.
  • the example components and configurations described herein are for illustration purposes only and are not intended to provide limitation on embodiments.
  • FIG. 2 includes a conceptual illustration of modification of security logs through combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some embodiments described herein.
  • Diagram 200 shows how different sources can be combined to create training material for a security personnel 230.
  • a security monitoring system 202 may generate logs 204 from monitored security operations such as activities associated with a protected network.
  • the logs 204 may also include logs 206 of real attacks.
  • Fake attack logs 220 may be generated through a fake attack log generation process 218 from old real attacks 212, white hacker attacks 214, and fake attacks 216.
  • the fake attack logs 220 may be combined with the logs 204 resulting in merged logs 222.
  • the merged logs 222 may include intermixed real attack logs 225 and fake attack logs 224.
  • the fake attack logs 224 in the merged logs 222 may be marked in an invisible manner to the security personnel 230 for a more realistic training.
  • the security monitoring system 202 may simply compare logs tagged by the security personnel 230 with the marked logs and confirm accuracy of the security personnel’s identification of attacks.
  • the merged logs may be processed, for example, summarized 226, and the summary of the merged logs 228 may be provided for the security personnel 230 for training.
  • portions of the fake attack logs may be inserted into the logs 204 in a random fashion or according to a predefined scheme (e.g., one fake attack log event between 10 regular log events, etc.). Portions of the fake attack logs may be inserted into the logs 204 while the logs 204 are being generated or after the logs 204 have been generated.
  • the fake attack log generation 218 may include modification of logs from old real attacks or white hacker attacks using crossover or mutation operations as explained in further detail below.
  • Attacks that may be encountered by the protected network may include a denial-of-service (DoS) attack, a distributed denial-of-service (DDoS) attack, a man-in-the-middle (MitM) attack, a phishing attack, a spear phishing attack, a drive-by attack, a password attack, a sequential query language (SQL) injection attack, a cross-site scripting (XSS) attack, an eavesdropping attack, a birthday attack, a malware attack, or similar ones directed to the protected network.
  • An event processing (“summarizing”) application that monitors attacks and outputs a human readable summary (e.g., text, graphs, etc.) for the security personnel to review may secretly mark any event created from log events associated with the fake attacks.
  • the secret marks may not be visible, at first, to the security personnel.
  • the security personnel may review a unified system of real data combined with the fake attack data. This way, the security personnel may be trained on finding attacks, while still being able to identify whether each event or log is real or not.
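The merge, invisible-mark and confirm loop of FIG. 2, as an added Python example that is not the patent's code: the inserted attack events carry no visible mark, the answer key is held out of band by the training side, and the trainee's tagged line numbers are compared against it. The log lines, attack events and the `every_n` scheme are constructed assumptions.

```python
import random
from dataclasses import dataclass

# Constructed sample data (not real logs): routine events of a protected network.
REAL_LOGS = [
    "2019-03-20T08:00:01 srv-01 sshd accepted publickey for alice from 10.0.0.5",
    "2019-03-20T08:00:14 srv-01 sudo alice ran /usr/bin/systemctl status nginx",
    "2019-03-20T08:01:02 db-01 postgres connection authorized user=app db=orders",
    "2019-03-20T08:01:45 fw-01 allow tcp 10.0.0.5:51234 -> 10.0.1.8:443",
    "2019-03-20T08:02:10 srv-01 cron job backup.sh started",
    "2019-03-20T08:02:55 db-01 postgres checkpoint complete",
    "2019-03-20T08:03:30 fw-01 allow udp 10.0.0.7:5353 -> 224.0.0.251:5353",
    "2019-03-20T08:04:01 srv-01 cron job backup.sh finished status=0",
    "2019-03-20T08:04:20 srv-02 sshd accepted publickey for bob from 10.0.0.9",
    "2019-03-20T08:05:05 db-01 postgres connection authorized user=app db=orders",
    "2019-03-20T08:05:40 fw-01 allow tcp 10.0.0.9:51900 -> 10.0.1.8:443",
    "2019-03-20T08:06:12 srv-02 sudo bob ran /usr/bin/journalctl -u nginx",
]

# Constructed log events of one attack (e.g. a fake attack derived from an old real one).
# Their timestamps fit the gaps they land in under merge_fixed(every_n=4), so the
# ordering of the combined logs gives nothing away to the trainee.
ATTACK_EVENTS = [
    "2019-03-20T08:01:50 srv-02 sshd failed password for root from 203.0.113.7",
    "2019-03-20T08:04:10 srv-02 sshd failed password for root from 203.0.113.7",
    "2019-03-20T08:06:30 srv-02 sshd accepted password for root from 203.0.113.7",
]


@dataclass
class CombinedLogs:
    lines: list            # what the trainee is given: no visible marks
    answer_key: frozenset  # indices of the inserted attack events, kept out of band


def merge_fixed(real, attack, every_n):
    """Predefined scheme: one attack event after every `every_n` real events;
    attack events left over when the real logs run out are appended at the end."""
    lines, key, pending = [], set(), list(attack)
    for i, line in enumerate(real, start=1):
        lines.append(line)
        if i % every_n == 0 and pending:
            key.add(len(lines))
            lines.append(pending.pop(0))
    for line in pending:
        key.add(len(lines))
        lines.append(line)
    return CombinedLogs(lines, frozenset(key))


def merge_random(real, attack, seed):
    """Random scheme: attack events land at seeded random positions; the relative
    order of the real events and of the attack events is preserved."""
    rng = random.Random(seed)
    total = len(real) + len(attack)
    slots = set(rng.sample(range(total), len(attack)))
    lines, real_it, attack_it = [], iter(real), iter(attack)
    for idx in range(total):
        lines.append(next(attack_it) if idx in slots else next(real_it))
    return CombinedLogs(lines, frozenset(slots))


def score(combined, tagged):
    """Confirm the trainee's tags (line indices) against the hidden answer key."""
    tagged = set(tagged)
    return {
        "hits": len(tagged & combined.answer_key),
        "missed": len(combined.answer_key - tagged),
        "false_alarms": len(tagged - combined.answer_key),
    }


if __name__ == "__main__":
    combined = merge_fixed(REAL_LOGS, ATTACK_EVENTS, every_n=4)
    print("\n".join(combined.lines))          # the trainee's view, marks absent
    print(score(combined, tagged=[4, 9, 2]))  # two found, one missed, one false alarm
```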
  • FIGS. 3A through 3C include conceptual illustrations of different configurations for modification of security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
  • an administrative server 304 may detect activities associated with security operations (e.g., access demands, data operations, etc.) for a protected system 302 and generate logs (real logs 306) from detected activities.
  • a server 318 may receive logs associated with old real attacks 312, white hacker attacks 314, and fake attacks 316, and merge those logs with the real logs 306.
  • the fake attack logs 316 may be generated through crossover and/or mutation operations executed on the old real attack logs and white hacker attack logs.
  • the fake attack logs may be generated by the server 318 or by a different server.
  • the logs may be merged according to a random or predefined
  • the server 318 may provide the merged logs 322 to a training server 330, which may provide the merged logs to a security personnel 338 through a client device 336, for example.
  • the training server 330 may also detect (and confirm) identification of invisibly marked fake attack log events by the security personnel and provide feedback to the administrative server 304 or another server.
  • the fake attack logs may be generated by executing a script to modify one or more portions of the old real attack logs and/or white hacker attack logs.
  • One or more dynamic attributes within the script may be replaced with a parameter and a value of the parameter may be inserted upon combination of the fake attack logs with the real logs.
  • the merged logs may be summarized before being provided for security training by identifying one or more portions of the merged logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel.
  • the fake attack logs may be summarized before being combined with the real logs by identifying one or more portions of the fake attack logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel. The summarized merged logs and the summarized fake attack logs may then be provided to the security personnel.
  • an administrative server 348 may perform security monitoring operations, log generation, and combination of real logs 306 with logs associated with old real attacks 312, white hacker attacks 314, and/or fake attacks 316.
  • the administrative server 348 may provide the merged logs 322 to the training server 330, which may provide the merged logs to a security personnel 338 through a client device 336, for example.
  • the training server 330 may also detect (and confirm) identification of invisibly marked fake attack log events by the security personnel and provide feedback to the
  • one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided merged logs.
  • the security training may be provided for a human security personnel or an attack detection artificial intelligence (AI) module.
  • Server 348 performing one or more of the actions described herein may be a component of a protected network that generates the real logs (as shown in the figure).
  • the actions may also be performed by a computing device such as a server outside of the protected network or a server configured to manage the security training (e.g., training server 330).
  • the computing device performing the actions may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
  • the above discussed tasks of managing security operations; monitoring activities associated with the protected system 302; generation of real logs 306 and logs associated with old real attacks 312, white hacker attacks 314, or fake attacks 316; and combination of real logs, old real attack logs, fake attack logs, and white hacker attack logs may be performed by a single administrative server 358.
  • the administrative server 358 may also provide the merged logs 322 to the security personnel 338 for training through a client device 336.
  • the protected system may include any software, firmware, or middleware executed by any component of the protected system, operating systems, as well as hardware components such as a router, a server, a firewall device, a peripheral device, a storage device, an internal network, a desktop computer, a laptop computer, a wearable computer, a vehicle mount computer, or a tablet device within the protected system.
  • FIG. 4 includes an illustration of three example modification approaches for security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
  • log events associated with a fake attack to train a security personnel may be generated based on modification of one or more log events associated with a real attack or a white hacker attack. The modification may be through a crossover operation and/or a mutation operation.
  • Diagram 400A in FIG. 4 shows an illustration of an example crossover operation, where a portion of log events (components) 402 of one attack are intermixed with a portion of log events 404 of another attack through a crossover operation 406 resulting in log events 408 of a newly generated fake attack.
  • Diagram 400B shows an illustration of an example mutation operation, where a portion of log events (components) 412 of an attack are modified through a mutation operation 414 resulting in a newly generated fake attack with some of the log events 416 being unchanged (original) and some log events 418 being modified.
  • Diagram 400C shows an illustration of an example combination operation, where a portion of log events 422 of one attack are intermixed with a portion of log events 424 of another attack through a crossover operation resulting in log events 426 of a new fake attack with modified components 428. Then, a portion of the log events 426 (e.g., log events 428) may be modified through a mutation operation resulting in newly generated fake attack log events 432 with modified log events 434 and 436.
  • modification (or altering) of log events may include modification of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, and a time.
  • The original attack(s), real or white hacker attack, may be analyzed, and the crossover and/or mutation operations may be performed based on the analysis.
  • a genetic algorithm may be employed to ensure the newly generated fake attack is realistic.
  • a genetic algorithm is configured to solve both constrained and unconstrained optimization problems based on natural selection, the process that drives biological evolution. The genetic algorithm repeatedly modifies a population of individual solutions.
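The crossover, mutation and selection operations of FIG. 4, as an added Python example that is not the patent's code: events are small records with the mutable attributes the text names (source IP, server identifier, file name, date and time), the two source attacks and the replacement pools are constructed, and a realism check stands in for the genetic algorithm's fitness function.

```python
import copy
import random
from datetime import datetime, timedelta

# Constructed attack event sequences (not real data); each dict is one log event of an attack.
OLD_REAL_ATTACK = [
    {"time": "2019-03-20T02:10:00", "src_ip": "198.51.100.23", "server": "srv-02", "op": "login_failed", "file": "-"},
    {"time": "2019-03-20T02:10:05", "src_ip": "198.51.100.23", "server": "srv-02", "op": "login_failed", "file": "-"},
    {"time": "2019-03-20T02:10:40", "src_ip": "198.51.100.23", "server": "srv-02", "op": "login_ok", "file": "-"},
    {"time": "2019-03-20T02:12:00", "src_ip": "198.51.100.23", "server": "srv-02", "op": "file_read", "file": "/srv/finance/payroll.csv"},
]
WHITE_HACKER_ATTACK = [
    {"time": "2019-03-21T14:00:00", "src_ip": "192.0.2.9", "server": "db-01", "op": "login_ok", "file": "-"},
    {"time": "2019-03-21T14:01:30", "src_ip": "192.0.2.9", "server": "db-01", "op": "file_read", "file": "/var/lib/db/customers.db"},
    {"time": "2019-03-21T14:03:00", "src_ip": "192.0.2.9", "server": "db-01", "op": "upload", "file": "/tmp/export.tgz"},
]

# Constructed replacement pools for the attributes the text lists as modifiable.
POOLS = {
    "src_ip": ["198.51.100.23", "192.0.2.9", "203.0.113.77", "198.51.100.201"],
    "server": ["srv-02", "db-01", "srv-05", "web-03"],
    "file": ["/srv/finance/payroll.csv", "/var/lib/db/customers.db", "/tmp/export.tgz", "/srv/hr/contracts.zip"],
}


def retime(events, start, gap_seconds=30):
    """Re-stamp events from `start` at fixed gaps so a spliced sequence stays chronological."""
    t = datetime.fromisoformat(start)
    for i, e in enumerate(events):
        e["time"] = (t + timedelta(seconds=gap_seconds * i)).isoformat()
    return events


def crossover(a, b, cut):
    """Diagram 400A: one-point crossover. The prefix of attack `a` is joined to the suffix
    of attack `b`; the spliced events take a's source and target so the child reads as
    one attack, and the whole child is re-timed from a's first event."""
    child = copy.deepcopy(a[:cut] + b[cut:])
    for e in child:
        e["src_ip"], e["server"] = a[0]["src_ip"], a[0]["server"]
    return retime(child, a[0]["time"])


def _mutate(events, rng, rate):
    out = copy.deepcopy(events)
    for e in out:
        for fld in ("src_ip", "server"):       # per-event attribute replacement
            if rng.random() < rate:
                e[fld] = rng.choice([v for v in POOLS[fld] if v != e[fld]])
        if e["file"] != "-" and rng.random() < rate:
            e["file"] = rng.choice([v for v in POOLS["file"] if v != e["file"]])
    if rng.random() < rate:                    # date/time: shift the whole attack, keeping order
        delta = timedelta(hours=rng.randint(1, 24))
        for e in out:
            e["time"] = (datetime.fromisoformat(e["time"]) + delta).isoformat()
    return out


def mutate(events, seed, rate=0.5):
    """Diagram 400B: mutation of selected attributes, seeded for reproducibility."""
    return _mutate(events, random.Random(seed), rate)


def is_realistic(events):
    """Fitness check used for selection: non-empty, chronological, a single source
    address and a single target server across the attack."""
    times = [e["time"] for e in events]
    return (len(events) > 0 and times == sorted(times)
            and len({e["src_ip"] for e in events}) == 1
            and len({e["server"] for e in events}) == 1)


def generate_fake(a, b, seed, attempts=100, rate=0.2):
    """Diagram 400C: crossover followed by mutation, with a selection loop that keeps
    only candidates passing the realism check (the genetic-algorithm idea in the text).
    Returns None if no realistic candidate appears within `attempts`."""
    rng = random.Random(seed)
    for _ in range(attempts):
        cut = rng.randint(1, min(len(a), len(b)) - 1)
        candidate = _mutate(crossover(a, b, cut), rng, rate)
        if is_realistic(candidate):
            return candidate
    return None


if __name__ == "__main__":
    for e in generate_fake(OLD_REAL_ATTACK, WHITE_HACKER_ATTACK, seed=5) or []:
        print(e)
```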
  • FIG. 5 illustrates a computing device, which may be used to manage modification of security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
  • the computing device 500 may include one or more processors 504 and a system memory 506.
  • a memory bus 508 may be used to communicate between the processor 504 and the system memory 506.
  • the basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
  • the processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof.
  • the processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516.
  • the example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof.
  • An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
  • the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof.
  • the system memory 506 may include an operating system 520, a security management application 522, and program data 524.
  • the security management application 522 may include a training management module 526.
  • the training management module 526 in conjunction with the security management application 522 may be configured to modify security logs to train security personnel by receiving security logs of a protected network along with one or more log events associated with a real attack, a fake attack, and/or a white hacker attack.
  • the received log events may be inserted into the security logs according to a random or predefined combination scheme to generate combined logs.
  • One or more portions of the combined logs may be marked to indicate locations of the inserted log events within the combined logs.
  • the combined logs may be provided to a human security personnel in training or an attack detection AI engine with the marked portions of the combined logs being undetectable to the security personnel in training or AI engine.
  • Information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training or the AI engine may be received by the training management module 526.
  • the program data 524 may include attack logs 528 such as a server activity, a log in attempt, a file access, a file transfer, a download, an upload, a credential modification, a permission modification, etc., among other data, as described herein.
  • the computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces.
  • a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534.
  • the data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof.
  • Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few.
  • Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
  • the system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
  • the computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530.
  • Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548.
  • One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558.
  • An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564.
  • the one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.
  • the computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions.
  • the computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
  • FIG. 6 is a flow diagram illustrating an example method for modification of security logs to train security personnel that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
  • Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, 628, and 630, and may in some embodiments be performed by a computing device such as the computing device 500 in FIG. 5. Such operations, functions, or actions in FIG. 6 and in the other figures may, in some embodiments, be combined, eliminated, modified, and/or supplemented with other operations, functions, or actions, and need not necessarily be performed in the exact sequence shown.
  • the operations described in the blocks 622-630 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
  • An example process for modification of security logs to train security personnel may begin with block 622, “RECEIVE A PLURALITY OF SECURITY LOGS AND AN ATTACK LOG”, where security logs of a protected network, generated from detected activities, and log events associated with an attack may be received.
  • the captured activities may include one or more of a server activity, a log-in attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification.
  • the log events associated with the attack may be part of a fake attack generated from an old real attack and/or a white hacker attack through a mutation operation and/or a crossover operation.
  • Block 622 may be followed by block 624, “MERGE THE PLURALITY OF SECURITY LOGS WITH THE ATTACK LOG TO GENERATE COMBINED LOGS”, where log events associated with the fake attack may be inserted into the security logs (the real logs) at random or according to a predefined combination scheme.
  • the fake attack log events may be combined with the security logs as those are being generated from detected activities, or after the security logs have been generated.
  • Block 624 may be followed by block 626, “MARK ONE OR MORE PORTIONS OF THE COMBINED LOGS TO INDICATE ONE OR MORE LOCATIONS OF THE ATTACK LOG WITHIN THE COMBINED LOGS”, where one or more portions of the combined logs may be marked to indicate the locations of the inserted fake attack log events; for realistic training, the marking is kept undetectable to the security personnel.
  • Block 626 may be followed by block 628, “PROVIDE THE COMBINED LOGS FOR SECURITY PERSONNEL IN TRAINING, WHERE THE MARKED ONE OR MORE PORTIONS OF THE COMBINED LOGS ARE UNDETECTABLE TO THE SECURITY PERSONNEL IN TRAINING”, where the combined logs (usually a summarized version) may be provided to the security personnel for review and training. The security personnel may be expected to tag the log events they believe result from an attack.
  • Block 628 may be followed by block 630, “RECEIVE INFORMATION ASSOCIATED WITH WHETHER OR NOT THE MARKED ONE OR MORE PORTIONS OF THE COMBINED LOGS ARE IDENTIFIED BY THE SECURITY PERSONNEL IN TRAINING”, where the identified log events and/or an identification of the attack may be received from the security personnel in training.
  • one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
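The flow of blocks 622 through 630 in Python, as an added example rather than code from the patent. The log line format, the sample real log and the sample attack log are constructed for the example, and the way the marking is realized (a server-side ledger of the inserted line indices, with the attack re-stamped into the real log's time window) is an assumption about one reasonable implementation, not a detail the disclosure specifies. The method and system restatements further down this page describe the same merge, mark, deliver and score steps and are covered by this example as well.

```python
import random
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample input (not from the patent).  The key=value line format is
# an assumption for this example; any format with a leading timestamp works.
REAL_LOGS = [  # block 622: security logs of the protected network
    "2019-03-20T09:00:01 host=web1 user=alice action=login result=ok src=10.0.1.5",
    "2019-03-20T09:00:07 host=web1 user=alice action=file_access path=/srv/reports/q1.pdf",
    "2019-03-20T09:01:13 host=db1 user=svc_backup action=file_transfer size=104857600",
    "2019-03-20T09:03:22 host=web1 user=bob action=login result=ok src=10.0.1.9",
    "2019-03-20T09:04:45 host=web1 user=bob action=upload path=/srv/uploads/img.png",
    "2019-03-20T09:07:10 host=db1 user=svc_backup action=file_transfer size=209715200",
]
ATTACK_LOG = [  # block 622: log events recorded from an old white hacker attack
    "2018-11-02T22:14:03 host=web1 user=admin action=login result=fail src=198.51.100.7",
    "2018-11-02T22:14:05 host=web1 user=admin action=login result=fail src=198.51.100.7",
    "2018-11-02T22:14:09 host=web1 user=admin action=login result=ok src=198.51.100.7",
    "2018-11-02T22:15:40 host=web1 user=admin action=permission_modification target=bob new=admin",
]


def parse_ts(line):
    return datetime.strptime(line.split(" ", 1)[0], TS_FMT)


def restamp(line, ts):
    return ts.strftime(TS_FMT) + " " + line.split(" ", 1)[1]


def merge_logs(real_logs, attack_log, seed=None, offset=None):
    """Blocks 624 and 626: insert the attack events into the real log stream.

    Returns (combined_lines, ledger).  The ledger, the set of indices of the
    inserted lines, is the 'marking'.  It stays on the training server, so the
    text handed to the trainee carries no in-band marker at all.  The insertion
    point is random (seeded) unless `offset`, in seconds after the first real
    event, is given as the predefined combination scheme.
    """
    real = sorted(real_logs, key=parse_ts)
    attack = sorted(attack_log, key=parse_ts)
    real_span = (parse_ts(real[-1]) - parse_ts(real[0])).total_seconds()
    attack_span = (parse_ts(attack[-1]) - parse_ts(attack[0])).total_seconds()
    if offset is None:
        # keep the whole attack inside the real window so it does not stick
        # out at the end of the file
        offset = random.Random(seed).randrange(int(max(1, real_span - attack_span)))
    # Re-stamp the attack into the real window; the attack's own inter-event
    # timing is preserved because every event is shifted by the same delta.
    shift = parse_ts(real[0]) + timedelta(seconds=offset) - parse_ts(attack[0])
    events = [(parse_ts(l), 0, l) for l in real]
    events += [(parse_ts(l) + shift, 1, restamp(l, parse_ts(l) + shift)) for l in attack]
    events.sort(key=lambda e: (e[0], e[1]))  # chronological; real line first on ties
    combined = [line for _, _, line in events]
    ledger = {i for i, (_, inserted, _) in enumerate(events) if inserted}
    return combined, ledger


def deliver_for_training(combined):
    """Block 628: what the trainee sees.  The line number is the only handle
    the trainee has for tagging; nothing distinguishes the inserted lines."""
    return "\n".join(f"{i:04d} {line}" for i, line in enumerate(combined))


def score_submission(ledger, tagged):
    """Block 630: compare the trainee's tagged line numbers with the ledger."""
    tagged = set(tagged)
    hits = ledger & tagged
    return {
        "hits": sorted(hits),
        "missed": sorted(ledger - tagged),
        "false_positives": sorted(tagged - ledger),
        "precision": len(hits) / len(tagged) if tagged else 0.0,
        "recall": len(hits) / len(ledger) if ledger else 0.0,
    }


if __name__ == "__main__":
    combined, ledger = merge_logs(REAL_LOGS, ATTACK_LOG, seed=7)
    print(deliver_for_training(combined))
    print(score_submission(ledger, [3, 5, 9]))
```

The re-stamping is not cosmetic: attack events that kept their original dates would be spotted from the timestamps alone, and an in-band mark (an extra field, a zero-width character) would be visible to anyone who diffs a delivered line against the raw log. Keeping the ledger out of band is what makes the marking undetectable.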
  • FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
  • a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein.
  • the security management application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with the modification of security logs to train security personnel as described herein.
  • Some of those instructions may include, for example, receive a plurality of security logs; receive an attack log; merge the plurality of security logs with the attack log to generate combined logs; mark one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs; provide the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and/or receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training, according to some embodiments described herein.
  • computer-readable medium 706 such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media.
  • the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc.
  • the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
  • a method for modification of security logs to train security personnel may include receiving a plurality of security logs and an attack log, merging the plurality of security logs with the attack log to generate combined logs, and marking one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs.
  • the method may also include providing the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training, and receiving information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • receiving the attack log may include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack.
  • Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log through one or more of a crossover operation or a mutation operation.
  • Receiving the attack log may further include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and replacing one or more portions of the received log associated with the real attack or the white hacker attack with one or more other portions of the real attack, the fake attack, or the white hacker attack.
  • Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying one or more portions of the received log associated with the real attack, the fake attack, or the white hacker attack.
  • receiving the attack log may include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time associated with one or more of the real attack, the fake attack, or the white hacker attack.
  • Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log associated with the real attack, the fake attack, or the white hacker attack by altering a raw log associated with one or more of the real attack, the fake attack, or the white hacker attack.
  • the method may further include generating a log based on one or more of a random or a predefined combination of modified log portions associated with a real attack, the fake attack, or a white hacker attack.
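The alteration operations listed in the preceding paragraphs (mutation of a file name, server identifier, IP address, geographic location, operation type, or date and time; crossover that replaces portions of one attack with portions of another; a random combination of modified portions), as an added Python example that is not the patent's own code. The two parent attack logs, the key=value line format and the substitution pools are constructed for the example; the device and system paragraphs further down the page describe the same operations and are covered by this example too.

```python
import random
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample attack logs (not from the patent): an old real attack and a
# white hacker exercise, in an assumed key=value line format.
REAL_ATTACK = [
    "2018-11-02T22:14:03 host=web1 user=admin action=login result=fail src=198.51.100.7 geo=RO",
    "2018-11-02T22:14:05 host=web1 user=admin action=login result=fail src=198.51.100.7 geo=RO",
    "2018-11-02T22:14:09 host=web1 user=admin action=login result=ok src=198.51.100.7 geo=RO",
    "2018-11-02T22:15:40 host=web1 user=admin action=file_access path=/etc/shadow op=read src=198.51.100.7 geo=RO",
]
WHITE_HACKER_ATTACK = [
    "2019-01-15T03:02:11 host=db1 user=svc_backup action=login result=ok src=203.0.113.44 geo=BR",
    "2019-01-15T03:05:48 host=db1 user=svc_backup action=file_transfer path=/var/lib/db/customers.sql op=read dst=192.0.2.18 src=203.0.113.44 geo=BR",
    "2019-01-15T03:06:02 host=db1 user=svc_backup action=permission_modification target=svc_backup op=write src=203.0.113.44 geo=BR",
]

# Substitution pools for the mutable fields named in the disclosure (file name,
# server identifier, IP addresses, geographic location, operation type).  All
# values are made up for the example.
POOLS = {
    "host": ["web1", "web2", "db1", "vpn1"],
    "src": ["198.51.100.7", "203.0.113.44", "192.0.2.99"],
    "dst": ["192.0.2.18", "198.51.100.200", "203.0.113.9"],
    "geo": ["RO", "BR", "KR", "NL"],
    "path": ["/etc/shadow", "/var/lib/db/customers.sql", "/srv/reports/q1.pdf"],
    "op": ["read", "write", "delete"],
}


def parse_event(line):
    ts, rest = line.split(" ", 1)
    ev = {"ts": ts}
    ev.update(kv.split("=", 1) for kv in rest.split())
    return ev


def render_event(ev):
    return ev["ts"] + " " + " ".join(f"{k}={v}" for k, v in ev.items() if k != "ts")


def event_time(ev):
    return datetime.strptime(ev["ts"], TS_FMT)


def _shift(ev, delta):
    return (event_time(ev) + delta).strftime(TS_FMT)


def mutate(events, rng, fields=tuple(POOLS), max_days=30):
    """Mutation operation: copy the attack, replace the chosen fields with other
    values from the pools, and shift the date/time.  One old value maps to one
    new value for the whole attack, so the fake stays internally consistent
    (one attacker IP, one host, unchanged inter-event timing)."""
    mapping = {}
    for ev in events:
        for f in fields:
            if f in ev and (f, ev[f]) not in mapping:
                mapping[(f, ev[f])] = rng.choice([v for v in POOLS[f] if v != ev[f]])
    delta = timedelta(seconds=rng.randrange(-max_days * 86400, max_days * 86400))
    out = []
    for ev in events:
        new = {k: mapping.get((k, v), v) for k, v in ev.items()}
        new["ts"] = _shift(ev, delta)
        out.append(new)
    return out


def crossover(parent_a, parent_b, point_a, point_b):
    """Crossover operation: the first `point_a` events of one attack followed
    by the events of another from `point_b` on.  The tail is re-based in time
    so the child is still chronological.  Parents are left untouched."""
    head = [dict(e) for e in parent_a[:point_a]]
    tail = [dict(e) for e in parent_b[point_b:]]
    if head and tail:
        delta = event_time(head[-1]) + timedelta(seconds=1) - event_time(tail[0])
        for e in tail:
            e["ts"] = _shift(e, delta)
    return head + tail


def generate_fake_attack(parents, rng):
    """Random combination of modified portions: crossover of two parents picked
    at random, then mutation of the child."""
    a, b = rng.sample(parents, 2)
    child = crossover(a, b, rng.randrange(1, len(a)), rng.randrange(len(b)))
    return mutate(child, rng)


if __name__ == "__main__":
    parents = [[parse_event(l) for l in REAL_ATTACK],
               [parse_event(l) for l in WHITE_HACKER_ATTACK]]
    for ev in generate_fake_attack(parents, random.Random(42)):
        print(render_event(ev))
```

The consistent mapping is the point of `mutate`: if every event drew its own replacement address, a four-line brute-force run would show four attacker IPs, a tell no analyst would miss. Mutation alone only changes identifiers; the genuinely new attack shapes come from `crossover`, which is why the generator applies both.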
  • Merging the plurality of security logs with the attack log to generate combined logs may include combining the plurality of security logs with the attack log as the security logs are generated.
  • merging the plurality of security logs with the attack log to generate combined logs may include combining the plurality of security logs with the attack log subsequent to generation of the security logs.
  • the method may further include summarizing the combined logs; providing the information associated with whether or not the attack log is detected as feedback to the security personnel in training; or employing a first threat detection tool to analyze the combined logs, and flagging one or more attacks detected by the first threat detection tool in the combined logs.
  • the method may also include receiving information from the security personnel in training associated with a detected attack in the combined logs; and if the detected attack is not among the one or more attacks detected by the first threat detection tool, employing a second threat detection tool to analyze the combined logs.
  • the method may further include receiving information from the security personnel in training associated with a detected attack in the combined logs; if the detected attack is not among the one or more attacks detected by the first threat detection tool, modifying a setting of the first threat detection tool; and employing the modified first threat detection tool to analyze the combined logs.
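The threat-detection feedback loop described in the three preceding paragraphs, as an added Python example (not from the patent): a rule-based first tool, a second tool, and the retune-then-escalate logic run over a constructed combined log. Both tools, their rules, the protected network's address space and the log format are assumptions made for the example; the device paragraphs later on the page describe the same loop and are covered here as well.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed combined log (not from the patent) in an assumed key=value format.
# Lines 3, 5, 6 and 8 are the inserted attack; the ledger knows that, the
# trainee and the tools do not.
COMBINED = [
    "2019-03-20T09:00:01 host=web1 user=alice action=login result=ok src=10.0.1.5",
    "2019-03-20T09:00:07 host=web1 user=alice action=file_access path=/srv/reports/q1.pdf",
    "2019-03-20T09:01:13 host=db1 user=svc_backup action=file_transfer size=104857600",
    "2019-03-20T09:03:21 host=web1 user=admin action=login result=fail src=198.51.100.7",
    "2019-03-20T09:03:22 host=web1 user=bob action=login result=ok src=10.0.1.9",
    "2019-03-20T09:03:23 host=web1 user=admin action=login result=fail src=198.51.100.7",
    "2019-03-20T09:03:27 host=web1 user=admin action=login result=ok src=198.51.100.7",
    "2019-03-20T09:04:45 host=web1 user=bob action=upload path=/srv/uploads/img.png",
    "2019-03-20T09:04:58 host=web1 user=admin action=permission_modification target=bob new=admin",
    "2019-03-20T09:07:10 host=db1 user=svc_backup action=file_transfer size=209715200",
]
LEDGER = {3, 5, 6, 8}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed address space of the protected network


def parse(line):
    ts, rest = line.split(" ", 1)
    ev = {"ts": datetime.strptime(ts, TS_FMT)}
    ev.update(kv.split("=", 1) for kv in rest.split())
    return ev


def brute_force_tool(lines, threshold=3, window=60):
    """First threat detection tool (assumed, rule based): flags a run of
    `threshold` or more failed logins for one user within `window` seconds,
    and a successful login by that user shortly after such a run."""
    flagged, failures, bursts = set(), defaultdict(list), {}
    win = timedelta(seconds=window)
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev.get("action") != "login":
            continue
        user, ts = ev["user"], ev["ts"]
        if ev.get("result") == "fail":
            failures[user] = [(t, j) for t, j in failures[user] if ts - t <= win] + [(ts, i)]
            if len(failures[user]) >= threshold:
                flagged.update(j for _, j in failures[user])
                bursts[user] = ts
        elif user in bursts and ts - bursts[user] <= win:
            flagged.add(i)
    return flagged


def privilege_tool(lines):
    """Second threat detection tool (assumed): flags a permission modification
    by an account whose last successful login came from outside INTERNAL."""
    flagged, last_src = set(), {}
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev.get("action") == "login" and ev.get("result") == "ok":
            last_src[ev["user"]] = ipaddress.ip_address(ev["src"])
        elif ev.get("action") == "permission_modification":
            src = last_src.get(ev["user"])
            if src is None or src not in INTERNAL:
                flagged.add(i)
    return flagged


def review_trainee_detection(lines, trainee_tagged, threshold=3):
    """Run the first tool and compare with what the trainee tagged.  Anything
    the trainee found that the tool did not triggers, in order, a retune of
    the first tool (lower threshold, rerun) and then the second tool."""
    trainee = set(trainee_tagged)
    report = {"tool1": brute_force_tool(lines, threshold), "tool1_threshold": threshold}
    missed = trainee - report["tool1"]
    if missed and threshold > 1:
        threshold -= 1
        report["tool1_retuned"] = brute_force_tool(lines, threshold)
        report["tool1_threshold"] = threshold
        missed -= report["tool1_retuned"]
    if missed:
        report["tool2"] = privilege_tool(lines)
        missed -= report["tool2"]
    report["uncovered"] = missed
    return report


if __name__ == "__main__":
    for key, value in review_trainee_detection(COMBINED, LEDGER).items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

The caveat this loop carries is worth stating: the event the trainee found is, by construction, an inserted fake, so lowering a threshold until the tool matches it tunes the tool to synthetic data. Treat the retuned setting as a candidate to be validated against real logs before it is used outside training.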
  • a computing device to modify security logs to train security personnel may include a communication device configured to communicate with a plurality of components of a protected network, a memory configured to store instructions, and a processor coupled to the communication device and the memory.
  • the processor in conjunction with the instructions stored on the memory, may be configured to receive a plurality of security logs; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack directed to the protected network; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs.
  • the processor may also be configured to provide the combined logs for the security training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training, and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • the processor may be further configured to generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack; alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack.
  • the processor may also be configured to alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack; or alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time in the one or more portions of the log events associated with the real attack or the white hacker attack.
  • the processor may be further configured to analyze the real attack or the white hacker attack; and alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis.
  • the processor may also be configured to insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs.
  • the processor may be further configured to generate the combined logs as the plurality of security logs are generated; generate the combined logs subsequent to generation of the plurality of security logs; summarize the combined logs.
  • the processor may also be configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the security personnel in training.
  • the processor may be further configured to provide the combined logs to an attack detection artificial intelligence (AI) module.
  • the computing device may be a component of the protected network that generates the plurality of security logs, a server outside of the protected network, or a server configured to manage security training operations.
  • the processor may be further configured to employ a first threat detection tool to analyze the combined logs; and flag one or more attacks detected by the first threat detection tool in the combined logs.
  • the processor may also be configured to receive information from the security personnel in training associated with a detected attack in the combined logs; and if the detected attack is not among the one or more attacks detected by the first threat detection tool, employ a second threat detection tool to analyze the combined logs.
  • the processor may be further configured to receive information from the security personnel in training associated with a detected attack in the combined logs; if the detected attack is not among the one or more attacks detected by the first threat detection tool, modify a setting of the first threat detection tool; and employ the modified first threat detection tool to analyze the combined logs.
  • a system to modify security logs to train security personnel may include a first protected network component, a second protected network component, and a third protected network component.
  • the first protected network component may be configured to generate a plurality of security logs.
  • the second protected network component may receive the plurality of security logs from the first protected network component; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs.
  • the third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
  • the third protected network component may be further configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the first protected network component or the second protected network component.
  • the second protected network component may be further configured to generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack; alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack; or alter the one
  • the second protected network component may be further configured to analyze the real attack or the white hacker attack; and alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis.
  • the second protected network component may also be configured to insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs.
  • the second protected network component may be further configured to generate the combined logs as the plurality of security logs are generated; generate the combined logs subsequent to generation of the plurality of security logs; or summarize the combined logs.
  • the first protected network component may be further configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to security personnel or to an attack detection artificial intelligence (AI) module.
  • the first protected network component, the second protected network component, or the third protected network component may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
  • Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
  • a data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and application programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
  • a data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems.
  • the herein described subject matter sometimes illustrates different components contained within, or connected with, different other components.
  • Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality.
  • any arrangement of components to achieve the same functionality is effectively “associated” such that the desired functionality is achieved.
  • any two components herein combined to achieve a particular functionality may be seen as "associated with” each other such that the desired functionality is achieved, irrespective of architectures or intermediate components.
  • any two components so associated may also be viewed as being “operably connected”, or “operably coupled”, to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being “operably couplable”, to each other to achieve the desired functionality.
  • operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
  • ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art, all language such as “up to,” “at least,” “greater than,” “less than,” and the like includes the number recited and refers to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • Educational Technology (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Technologies are generally described for modification of security logs to train security personnel. In some examples, known attacks such as real or white hacker attacks may be analyzed, and log events generated from such attacks may be inserted into security logs of a protected network according to a random or predefined combination scheme. To further enhance security training, the log events may be altered through mutation and/or crossover operations. The combined security logs may be provided to security personnel in training with the inserted log events marked, but with the marking undetectable to the security personnel in training.

Description

MODIFIED SECURITY LOGS FOR SECURITY PERSONNEL TRAINING
BACKGROUND
[0001] Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
[0002] A cyber-attack is any type of offensive action that targets computer information systems, infrastructures, computer networks, or personal computer devices, using various methods to steal, alter, or destroy data or information systems. In today’s highly networked and computerized environment, a large number of systems deal with an even larger number of threats every day. As the types and severity of cyber-attacks increase, the variety and complexity of solutions increase too, making it more difficult for some systems to protect themselves.
[0003] One of the first lines of defense against cyber-attacks is detecting an attack as it happens. An entire industry is dedicated to monitoring events happening in organizations and finding suspicious ones. A typical approach includes monitoring logs of events and finding suspicious behavior. In a common flow of actions, logs of events may be collected. The logs may be very large and therefore generally not readable in full by a human. A number of different tools may be employed to analyze the logs and generate a summary for security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, insufficiently trained security personnel may miss signs of an attack among the large amount of data they typically review.
SUMMARY
[0004] The present disclosure generally describes techniques for modification of security logs to train security personnel.
[0005] According to some examples, a method for modification of security logs to train security personnel is described. The method may include receiving a plurality of security logs and an attack log, merging the plurality of security logs with the attack log to generate combined logs, and marking one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs. The method may also include providing the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training, and receiving information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0006] According to other examples, a computing device to modify security logs to train security personnel is described. The computing device may include a communication device configured to communicate with a plurality of components of a protected network, a memory configured to store instructions, and a processor coupled to the communication device and the memory. The processor, in conjunction with the instructions stored on the memory, may be configured to receive a plurality of security logs; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack directed to the protected network; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs. The processor may also be configured to provide the combined logs for the security training, where the marked one or more portions of the combined logs are undetectable to a security personnel in training, and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0007] According to further examples, a system to modify security logs to train security personnel is described. The system may include a first protected network component, a second protected network component, and a third protected network component. The first protected network component may be configured to generate a plurality of security logs. The second protected network component may receive the plurality of security logs from the first protected network component; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs. The third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0008] The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] The foregoing and other features of this disclosure will become more fully apparent from the following description and appended claims, taken in conjunction with the accompanying drawings. Understanding that these drawings depict only several embodiments in accordance with the disclosure and are, therefore, not to be considered limiting of its scope, the disclosure will be described with additional specificity and detail through use of the accompanying drawings, in which:
FIG. 1 includes a conceptual illustration of a protected network where security logs may be modified to train security personnel;
FIG. 2 includes a conceptual illustration of modification of security logs through combination of real, fake, and white hacker attacks to train security personnel;
FIGS. 3A through 3C include conceptual illustrations of different configurations for modification of security logs to train security personnel;
FIG. 4 includes an illustration of three example modification approaches for security logs to train security personnel;
FIG. 5 illustrates a computing device, which may be used to manage modification of security logs to train security personnel;
FIG. 6 is a flow diagram illustrating an example method for modification of security logs to train security personnel that may be performed by a computing device such as the computing device in FIG. 5; and
FIG. 7 illustrates a block diagram of an example computer program product, some of which are arranged in accordance with at least some embodiments described herein.
DETAILED DESCRIPTION
[0010] In the following detailed description, reference is made to the accompanying drawings, which form a part hereof. In the drawings, similar symbols typically identify similar components, unless context dictates otherwise. The illustrative embodiments described in the detailed description, drawings, and claims are not meant to be limiting. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented herein. The aspects of the present disclosure, as generally described herein, and illustrated in the Figures, can be arranged, substituted, combined, separated, and designed in a wide variety of different configurations, all of which are explicitly contemplated herein.
[0011] This disclosure is generally drawn, inter alia , to methods, apparatus, systems, devices, and/or computer program products related to modification of security logs to train security personnel.
[0012] Briefly stated, technologies are generally described for modification of security logs to train security personnel. In some examples, known attacks such as real or white hacker attacks may be analyzed, and log events generated from such attacks may be inserted into security logs of a protected network according to a random or predefined combination scheme. To further enhance security training, the log events may be altered through mutation and/or crossover operations. The combined security logs may be provided to a security personnel in training with the inserted log events marked, but the marking undetectable to the security personnel in training.
[0013] FIG. 1 includes a conceptual illustration of a protected network where security logs may be modified to train security personnel, in accordance with at least some embodiments described herein.
[0014] Diagram 100 shows an example protected network with example components. Networks (or computer systems) may be of any size and include a variety of types and numbers of components including sub-networks. The example protected network in diagram 100 may communicate with other networks and devices represented by external networks 102 through a switch 104. A firewall device 106 may provide first line of protection for the protected network against external attacks. The protected network may include a number of generic or special purpose components such as server 108, router 110, bridge 112, and sub-network 120. Server 114, computer 116, printer 118, and similar devices may be connected to the protected network through sub-network 120. Other example components may include server farm 124, database server 122, wireless bridge 126, and user devices 130, which may connect to the protected network wirelessly (128) through the wireless bridge 126.
[0015] An administrative server 132 may be configured to manage security operations detecting events and data exchanges through the external networks 102, switch 104, and firewall 106. The administrative server 132 may employ various threat detection tools 134 and also provide logs to a security personnel 138 for training. The security personnel 138 may connect to the administrative server 132 through a computing device 136 to oversee the security operations, analyze reports, and perform other tasks. When an attack 101 is launched against the protected network, it may take many different forms and affect different components. In a system according to embodiments, the administrative server 132 may capture one or more activities associated with the attack 101, generate one or more log events from the captured one or more activities, and combine the generated one or more log events with a plurality of security logs (e.g., normal security operation logs). The combined logs may be used for training of the security personnel 138 such that the security personnel 138 is capable of reviewing the combined logs to identify and tag the one or more log events associated with the attack 101. An identification of the attack 101 may be received from the security personnel 138 and the identification of the attack 101 may be confirmed as correct by comparing tagged log events by the security personnel 138 to the generated one or more log events.
[0016] A typical approach in defending an organization against cyber-attacks includes monitoring logs of events and finding suspicious behavior. In a common flow of actions, activities may be collected, and log events generated from the captured activities. The logs may be very large, and therefore, generally not practical for a human to read in raw form. A number of different tools may be employed to analyze the logs and generate a summary for the security personnel to review. Even if redundant and/or irrelevant data is removed in the summary, the efficiency of security personnel in detecting attacks can be increased through education and repeated training. The higher the number and the variety of attack-related logs a security personnel is exposed to, the higher the likelihood that they catch the next attack.
[0017] To enhance a number, a variety, and/or a complexity of log events associated with attacks for security training purposes, security logs generated in due course may be modified. To modify security logs for training security personnel, security logs of a protected network may be received along with one or more log events associated with a real attack, a fake attack, and/or a white hacker attack. The received log events may be inserted into the security logs according to a random or predefined combination scheme to generate combined logs. One or more portions of the combined logs may be marked to indicate locations of the inserted log events within the combined logs. The combined logs may be provided to a human security personnel in training or an attack detection AI module with the marked portions of the combined logs being undetectable to the security personnel in training or AI module. Information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training or the AI module may be received by the system.
[0018] In some examples, the training may include testing of the threat detection tools. For example, the employed threat detection tool(s) may flag detected attacks (or log portions associated with an attack), while the security personnel in training reviews the entire summarized logs. If the security personnel detects an unflagged attack or a misflagged attack, they may indicate this so that the employed threat detection tool(s) can be modified (i.e., replaced with a different threat detection tool, or the settings of the employed threat detection tool changed). Thus, a system according to embodiments may also be used to enhance the capabilities of threat detection tools and/or the selection of threat detection tools for specific environments, in addition to training security personnel.
[0019] Various components of the example protected network may communicate over wired or wireless links in a number of topological configurations. Any number of communication and security protocols may be employed for parts of or the entire protected network. Some components may be purely hardware, other components may be implemented as purely software. Yet other components may be embodied as a combination of hardware and software. The example components and configurations described herein are for illustration purposes only and are not intended to provide limitation on embodiments.
[0020] FIG. 2 includes a conceptual illustration of modification of security logs through combination of real, fake, and white hacker attacks to train security personnel, arranged in accordance with at least some embodiments described herein.
[0021] Diagram 200 shows how different sources can be combined to create training material for a security personnel 230. A security monitoring system 202 may generate logs 204 from monitored security operations such as activities associated with a protected network. The logs 204 may also include logs 206 of real attacks. Fake attack logs 220 may be generated through a fake attack log generation process 218 from old real attacks 212, white hacker attacks 214, and fake attacks 216. The fake attack logs 220 may be combined with the logs 204 resulting in merged logs 222. In an example configuration, the merged logs 222 may include intermixed real attack logs 225 and fake attack logs 224. In some examples, the fake attack logs 224 in the merged logs 222 may be marked in an invisible manner to the security personnel 230 for a more realistic training. The security monitoring system 202 may simply compare logs tagged by the security personnel 230 with the marked logs and confirm accuracy of the security personnel’s identification of attacks. The merged logs may be processed, for example, summarized 226, and the summary of the merged logs 228 may be provided for the security personnel 230 for training.
[0022] To generate the merged logs 222, portions of the fake attack logs may be inserted into the logs 204 in a random fashion or according to a predefined scheme (e.g., one fake attack log event between 10 regular log events, etc.). Portions of the fake attack logs may be inserted into the logs 204 while the logs 204 are being generated or after the logs 204 have been generated. The fake attack log generation 218 may include modification of logs from old real attacks or white hacker attacks using crossover or mutation operations as explained in further detail below.
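The merge and mark steps of paragraphs [0021] and [0022], followed by the comparison of tagged against marked events (which also serves the detection-tool check of paragraph [0018]), as a worked example. This is added illustrative code, not part of the patent or of the assignee's implementation; the event schema, the host name, the addresses (RFC 5737 documentation ranges) and the sample events are constructed for the example.

```python
"""Insert fake-attack events into real security logs, keep the marks out of
band, and score a reviewer's tags against them (added example, not code from
the patent)."""
import random
from datetime import datetime, timedelta

# Constructed sample data (not from the patent): twelve benign events from a
# protected-network host and the three events of one fake attack.
_REAL_MSGS = [
    "sshd: Accepted publickey for ops from 10.0.5.12",
    "cron: (root) CMD (/usr/local/bin/backup --incremental)",
    "httpd: GET /index.html 200 10.0.5.40",
    "smbd: user alice opened q1.xlsx on share finance",
    "httpd: GET /api/status 200 10.0.5.41",
    "sshd: session closed for user ops",
]
REAL_LOG = [
    {"ts": (datetime(2019, 3, 20, 10, 0, 1) + timedelta(seconds=45 * i)).isoformat(timespec="seconds"),
     "host": "srv-108", "msg": _REAL_MSGS[i % len(_REAL_MSGS)]}
    for i in range(12)
]
FAKE_ATTACK = [  # taken from an "old" attack; note the stale 2018 timestamps
    {"ts": "2018-11-02T03:14:07", "host": "srv-108", "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"ts": "2018-11-02T03:14:09", "host": "srv-108", "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"ts": "2018-11-02T03:14:12", "host": "srv-108", "msg": "sshd: Accepted password for root from 203.0.113.9"},
]


def merge_logs(real, fake, every=None, seed=None):
    """Insert `fake` events into `real` and return (combined, marks).
    every=N: one inserted event after every N real events (predefined scheme);
    every=None: distinct random positions drawn from `seed` (random scheme).
    Every combined event gets the same fields and a fresh sequence number, and
    inserted events are re-timestamped to sit between their real neighbours, so
    nothing in the delivered stream distinguishes them. `marks` (the sequence
    numbers of inserted events) is returned separately and never written into
    the combined log."""
    if not real:
        raise ValueError("need at least one real event")
    if every:
        positions = [every * (i + 1) for i in range(len(fake))]
    else:
        positions = sorted(random.Random(seed).sample(range(1, len(real) + 1), len(fake)))
    # delivery order as (is_fake, event); positions[i] = real events before fake[i]
    slots, fi = [], 0
    for ri, ev in enumerate(real, start=1):
        slots.append((False, ev))
        while fi < len(fake) and positions[fi] <= ri:
            slots.append((True, fake[fi]))
            fi += 1
    slots.extend((True, ev) for ev in fake[fi:])  # scheme ran past the end of the real log
    combined, marks, i = [], set(), 0
    while i < len(slots):
        is_fake, ev = slots[i]
        if not is_fake:
            combined.append({"seq": len(combined) + 1, "ts": ev["ts"], "host": ev["host"], "msg": ev["msg"]})
            i += 1
            continue
        j = i
        while j < len(slots) and slots[j][0]:
            j += 1  # slots[i:j] is a run of k inserted events between two real ones
        k = j - i
        t0 = datetime.fromisoformat(combined[-1]["ts"])
        t1 = datetime.fromisoformat(slots[j][1]["ts"]) if j < len(slots) else t0 + timedelta(seconds=k + 1)
        for n, (_, fev) in enumerate(slots[i:j], start=1):
            ts = (t0 + (t1 - t0) * n / (k + 1)).isoformat(timespec="seconds")  # spread evenly in the gap
            combined.append({"seq": len(combined) + 1, "ts": ts, "host": fev["host"], "msg": fev["msg"]})
            marks.add(len(combined))
        i = j
    return combined, marks


def score_tags(marks, tagged):
    """Compare the sequence numbers tagged by a trainee (or flagged by a
    detection tool) with the out-of-band marks."""
    tagged = set(tagged)
    hits = marks & tagged
    return {
        "hits": sorted(hits),
        "missed": sorted(marks - tagged),
        "false_alarms": sorted(tagged - marks),
        "precision": len(hits) / len(tagged) if tagged else 0.0,
        "recall": len(hits) / len(marks) if marks else 0.0,
    }


if __name__ == "__main__":
    combined, marks = merge_logs(REAL_LOG, FAKE_ATTACK, seed=7)
    for e in combined:  # what the trainee sees: no field reveals the inserted events
        print(e["seq"], e["ts"], e["host"], e["msg"])
    print(score_tags(marks, tagged=[3, 6, 12]))
```

Two practical points the code makes explicit: the predefined "one inserted event per N" scheme is itself a pattern a trainee can learn, so the random scheme is the one to use for assessment; and an inserted event betrays itself through stale timestamps or a foreign schema unless it is re-timestamped and normalized to the same fields as the real events. The marks must live in a table the training server alone can read.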
[0023] Attacks that may be encountered by the protected network may include a denial-of-service (DoS) attack, a distributed denial-of-service (DDoS) attack, a man-in-the-middle (MitM) attack, a phishing attack, a spear phishing attack, a drive-by attack, a password attack, a Structured Query Language (SQL) injection attack, a cross-site scripting (XSS) attack, an eavesdropping attack, a birthday attack, a malware attack, or similar ones directed to the protected network.
[0024] An event processing ("summarizing") application that monitors attacks and outputs a human readable summary (e.g., text, graphs, etc.) for the security personnel to review may secretly mark any event created from log events associated with the fake attacks. The secret marks may not be visible, at first, to the security personnel. Thus, the security personnel may review a unified system of real data combined with the fake attack data. This way, the security personnel may be trained on finding attacks, while the system remains able to identify whether each event or log is real or not.
[0025] FIGS. 3A through 3C include conceptual illustrations of different configurations for modification of security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
[0026] In the example configuration of diagram 300A of FIG. 3A, an administrative server 304 may detect activities associated with security operations (e.g., access demands, data operations, etc.) for a protected system 302 and generate logs (real logs 306) from detected activities. A server 318 may receive logs associated with old real attacks 312, white hacker attacks 314, and fake attacks 316, and merge those logs with the real logs 306. The fake attack logs 316 may be generated through crossover and/or mutation operations executed on the old real attack logs and white hacker attack logs. The fake attack logs may be generated by the server 318 or by a different server. The logs may be merged according to a random or predefined combination scheme as discussed previously. The server 318 may provide the merged logs 322 to a training server 330, which may provide the merged logs to a security personnel 338 through a client device 336, for example. The training server 330 may also detect (and confirm) identification of invisibly marked fake attack log events by the security personnel and provide feedback to the administrative server 304 or another server.
[0027] In some examples, the fake attack logs may be generated by executing a script to modify one or more portions of the old real attack logs and/or white hacker attack logs. One or more dynamic attributes within the script may be replaced with a parameter and a value of the parameter may be inserted upon combination of the fake attack logs with the real logs.
[0028] In other examples, the merged logs may be summarized before being provided for security training by identifying one or more portions of the merged logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel. Alternatively, the fake attack logs may be summarized before being combined with the real logs by identifying one or more portions of the fake attack logs as irrelevant for the training of the security personnel and removing the one or more portions identified as irrelevant for the training of the security personnel. The summarized merged logs and the summarized fake attack logs may then be provided to the security personnel.
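The summarizing step of paragraphs [0024] and [0028] as a worked example, showing the one thing that step must get right: the secret marks are kept on the raw sequence numbers, so when the summarizer collapses or drops events the ground truth has to be projected onto the summary items the trainee actually tags, and an "irrelevant" filter must never discard an inserted event. This is added illustrative code, not part of the patent; the combined log, the sequence numbers, the deny-list of irrelevant event prefixes and the collapsing rule (identical text after digits are masked) are constructed for the example.

```python
"""Summarize combined logs for review without losing the out-of-band marks
(added example, not code from the patent)."""
import re

# Constructed combined log (not from the patent): seq 4-6 are the inserted
# fake-attack events; the marks live in a separate set, not in the events.
COMBINED = [
    {"seq": 1, "ts": "2019-03-20T10:00:01", "host": "srv-108", "msg": "sshd: Accepted publickey for ops from 10.0.5.12"},
    {"seq": 2, "ts": "2019-03-20T10:00:46", "host": "srv-108", "msg": "httpd: GET /index.html 200 10.0.5.40"},
    {"seq": 3, "ts": "2019-03-20T10:01:31", "host": "srv-108", "msg": "cron: (root) CMD (/usr/local/bin/backup --incremental)"},
    {"seq": 4, "ts": "2019-03-20T10:01:42", "host": "srv-108", "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"seq": 5, "ts": "2019-03-20T10:01:53", "host": "srv-108", "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"seq": 6, "ts": "2019-03-20T10:02:04", "host": "srv-108", "msg": "sshd: Accepted password for root from 203.0.113.9"},
    {"seq": 7, "ts": "2019-03-20T10:02:16", "host": "srv-108", "msg": "httpd: GET /api/status 200 10.0.5.41"},
    {"seq": 8, "ts": "2019-03-20T10:03:01", "host": "srv-108", "msg": "httpd: GET /api/status 200 10.0.5.41"},
]
MARKS = {4, 5, 6}
IRRELEVANT = ("cron: ",)  # assumed deny-list: event prefixes judged irrelevant for training


def template(msg):
    """Event text with numbers masked, so repeats that differ only in an
    address, a size or a status code collapse into one summary line."""
    return re.sub(r"\d+", "#", msg)


def would_hide(combined, marks, irrelevant=IRRELEVANT):
    """Marked (inserted) events that the irrelevance filter would drop."""
    return {e["seq"] for e in combined if e["seq"] in marks and e["msg"].startswith(irrelevant)}


def summarize(combined, marks, irrelevant=IRRELEVANT):
    """Drop irrelevant events and collapse runs of same-host, same-template
    events into summary items, each carrying the sequence numbers it covers.
    Refuses to run if the filter would remove an inserted event: the trainee
    could then never find it and the score would be meaningless."""
    hidden = would_hide(combined, marks, irrelevant)
    if hidden:
        raise ValueError(f"irrelevance filter would hide inserted events {sorted(hidden)}")
    items = []
    for e in combined:
        if e["msg"].startswith(irrelevant):
            continue
        t = template(e["msg"])
        if items and items[-1]["host"] == e["host"] and items[-1]["template"] == t:
            items[-1]["count"] += 1
            items[-1]["last_ts"] = e["ts"]
            items[-1]["seqs"].append(e["seq"])
        else:
            items.append({"item": len(items) + 1, "host": e["host"], "template": t, "example": e["msg"],
                          "count": 1, "first_ts": e["ts"], "last_ts": e["ts"], "seqs": [e["seq"]]})
    return items


def project_marks(items, marks):
    """Ground truth at summary granularity: the item numbers covering at least
    one inserted event. The trainee's tags are compared against this set."""
    return {it["item"] for it in items if marks & set(it["seqs"])}


def render(items):
    """The reviewer-facing view; nothing in it reveals which items are marked."""
    return [f"{it['item']:>3} {it['first_ts']}..{it['last_ts']} {it['host']} x{it['count']} {it['example']}"
            for it in items]


if __name__ == "__main__":
    items = summarize(COMBINED, MARKS)
    print("\n".join(render(items)))
    print("items the trainee should tag:", sorted(project_marks(items, MARKS)))
```

If the summarizer collapses an inserted event into a run of adjacent real events with the same template, the whole item is marked; that is the correct outcome, since the trainee has to flag that item to catch the attack.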
[0029] In the example configuration of diagram 300B of FIG. 3B, an administrative server 348 may perform security monitoring operations, log generation, and combination of real logs 306 with logs associated with old real attacks 312, white hacker attacks 314, and/or fake attacks 316. The administrative server 348 may provide the merged logs 322 to the training server 330, which may provide the merged logs to a security personnel 338 through a client device 336, for example. The training server 330 may also detect (and confirm) identification of invisibly marked fake attack log events by the security personnel and provide feedback to the administrative server 348 or another server.
[0030] In yet other examples, one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided merged logs. As mentioned previously, the security training may be provided for a human security personnel or an attack detection artificial intelligence (AI) module. Server 348 performing one or more of the actions described herein may be a component of a protected network that generates the real logs (as shown in the figure). The actions may also be performed by a computing device such as a server outside of the protected network or a server configured to manage the security training (e.g., training server 330). The computing device performing the actions may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
[0031] In the example configuration of diagram 300C of FIG. 3C, the above discussed tasks of managing security operations; monitoring activities associated with the protected system 302; generation of real logs 306 and logs associated with old real attacks 312, white hacker attacks 314, or fake attacks 316; and combination of real logs, old real attack logs, fake attack logs, and white hacker attack logs may be performed by a single administrative server 358. The administrative server 358 may also provide the merged logs 322 to the security personnel 338 for training through a client device 336.
[0032] The protected system may include any software, firmware, or middleware executed by any component of the protected system, operating systems, as well as hardware components such as a router, a server, a firewall device, a peripheral device, a storage device, an internal network, a desktop computer, a laptop computer, a wearable computer, a vehicle mount computer, or a tablet device within the protected system.
[0033] FIG. 4 includes an illustration of three example modification approaches for security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
[0034] According to some embodiments, log events associated with a fake attack to train a security personnel may be generated based on modification of one or more log events associated with a real attack or a white hacker attack. The modification may be through a crossover operation and/or a mutation operation. Diagram 400A in FIG. 4 shows an illustration of an example crossover operation, where a portion of log events (components) 402 of one attack are intermixed with a portion of log events 404 of another attack through a crossover operation 406 resulting in log events 408 of a newly generated fake attack.
[0035] Diagram 400B shows an illustration of an example mutation operation, where a portion of log events (components) 412 of an attack are modified through a mutation operation 414 resulting in a newly generated fake attack with some of the log events 416 being unchanged (original) and some log events 418 being modified.
[0036] Diagram 400C shows an illustration of an example combination operation, where a portion of log events 422 of one attack are intermixed with a portion of log events 424 of another attack through a crossover operation resulting in log events 426 of a new fake attack with modified components 428. Then, a portion of the log events 426 (e.g., log events 428) may be modified through a mutation operation resulting in newly generated fake attack log events 432 with modified log events 434 and 436.
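The crossover and mutation operations of diagrams 400A through 400C, and the parameter substitution of paragraph [0027], as a worked example. This is added illustrative code, not part of the patent; the two parent attacks, the event schema, the host pool and the addresses (RFC 5737 documentation ranges) are constructed for the example. The point it adds to the diagrams is consistency: a mutated attack has to be rewritten as a whole (one new attacker address, one time shift, the same renames in every field of every event), and the stitched timeline of a crossover has to be re-timed, or the fake attack is internally contradictory and the trainee learns to spot the forgery rather than the attack.

```python
"""Crossover and mutation of attack log events to synthesize a fake attack
(added example, not code from the patent)."""
import random
import re
from datetime import datetime, timedelta

# Constructed samples (not from the patent): an old real SSH brute-force
# attack and a white-hacker web attack, each an ordered list of events.
BRUTE_FORCE = [
    {"ts": "2018-11-02T03:14:07", "src": "203.0.113.9", "host": "srv-108",
     "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"ts": "2018-11-02T03:14:09", "src": "203.0.113.9", "host": "srv-108",
     "msg": "sshd: Failed password for root from 203.0.113.9"},
    {"ts": "2018-11-02T03:14:12", "src": "203.0.113.9", "host": "srv-108",
     "msg": "sshd: Accepted password for root from 203.0.113.9"},
]
WEB_ATTACK = [
    {"ts": "2019-01-15T22:41:03", "src": "198.51.100.23", "host": "srv-114",
     "msg": "httpd: GET /login.php?user=admin'+OR+1=1-- 200 198.51.100.23"},
    {"ts": "2019-01-15T22:41:20", "src": "198.51.100.23", "host": "srv-114",
     "msg": "httpd: POST /upload.php shell.php 200 198.51.100.23"},
    {"ts": "2019-01-15T22:41:25", "src": "198.51.100.23", "host": "srv-114",
     "msg": "httpd: GET /uploads/shell.php?cmd=id 200 198.51.100.23"},
]
HOST_POOL = ("srv-108", "srv-114", "db-122", "srv-124")  # assumed hosts of the protected network


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def iso(dt):
    return dt.isoformat(timespec="seconds")


def retime(events, gap=timedelta(seconds=5), max_delta=timedelta(hours=1)):
    """Make the timestamps one monotonic timeline: keep each event's original
    spacing to its predecessor where that spacing is plausible, otherwise (at
    the join between two parent attacks) use a fixed gap."""
    out = [dict(events[0])]
    for prev, cur in zip(events, events[1:]):
        delta = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
        if not (timedelta(0) < delta <= max_delta):
            delta = gap
        e = dict(cur)
        e["ts"] = iso(parse_ts(out[-1]["ts"]) + delta)
        out.append(e)
    return out


def crossover(a, b, point):
    """One-point crossover (diagram 400A): the first `point` events of attack a
    followed by the events of attack b from `point` on, re-timed into one sequence."""
    return retime(list(a[:point]) + list(b[point:]))


def public_ip(rng):
    """Random IPv4 outside the private and loopback ranges, so the mutated
    source still looks like an external attacker."""
    while True:
        o = [rng.randint(1, 223), rng.randint(0, 255), rng.randint(0, 255), rng.randint(1, 254)]
        if o[0] in (10, 127) or (o[0] == 172 and 16 <= o[1] <= 31) or (o[0], o[1]) == (192, 168):
            continue
        return ".".join(map(str, o))


def mutate(events, rng, rename=None, hosts=HOST_POOL):
    """Mutation (diagram 400B) applied consistently to the whole attack: every
    source address becomes one new attacker address, each target host is mapped
    to a distinct other host, all timestamps shift by the same offset, and the
    optional file renames are applied, in every field of every event. Returns
    (mutated_events, params); params is the substitution set, i.e. the
    parameters of paragraph [0027] that can be filled in again at merge time."""
    rename = dict(rename or {})
    new_src = public_ip(rng)
    old_hosts = sorted({e["host"] for e in events})
    host_map = dict(zip(old_hosts, rng.sample([h for h in hosts if h not in old_hosts], len(old_hosts))))
    shift = timedelta(days=rng.randint(1, 365), seconds=rng.randint(0, 86399))
    subs = {**{e["src"]: new_src for e in events}, **host_map, **rename}
    pattern = re.compile("|".join(re.escape(k) for k in sorted(subs, key=len, reverse=True)))
    out = []
    for e in events:
        m = dict(e)
        m["src"], m["host"] = subs.get(e["src"], e["src"]), subs.get(e["host"], e["host"])
        m["msg"] = pattern.sub(lambda mo: subs[mo.group(0)], e["msg"])  # same map inside free text
        m["ts"] = iso(parse_ts(e["ts"]) + shift)
        out.append(m)
    params = {"src": new_src, "hosts": host_map, "shift_seconds": int(shift.total_seconds()), "renames": rename}
    return out, params


def make_fake_attack(a, b, point, seed, rename=None):
    """Crossover followed by mutation, as in diagram 400C, with a fixed seed."""
    return mutate(crossover(a, b, point), random.Random(seed), rename=rename)


if __name__ == "__main__":
    fake, params = make_fake_attack(BRUTE_FORCE, WEB_ATTACK, 2, seed=2019, rename={"shell.php": "cache.php"})
    for e in fake:  # an SSH foothold followed by a web shell, on new hosts, by a new attacker
        print(e["ts"], e["src"], e["host"], e["msg"])
    print(params)
```

The realism check the patent describes as a genetic-algorithm fitness step is not included; the consistency rules above are the minimum any fitness function would have to enforce.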
[0037] In the mutation operation, modification (or altering) of log events may include modification of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, and a time. In some examples, the original attack(s) (real or white hacker attack) may be analyzed first, and the crossover and/or mutation operations may be performed based on the analysis. In other examples, a genetic algorithm may be employed to ensure the newly generated fake attack is realistic. A genetic algorithm is configured to solve both constrained and unconstrained optimization problems based on natural selection, the process that drives biological evolution. The genetic algorithm repeatedly modifies a population of individual solutions. The modifications may be performed at a device or application, where the logs are generated (e.g., a router, a server). Alternatively, the modifications may be performed on a separate server and provided to the server managing training to combine them with real logs. In further examples, the modifications may also be performed at a client device such as a training terminal, where the logs are presented to the security personnel for reviewing.
[0038] FIG. 5 illustrates a computing device, which may be used to manage modification of security logs to train security personnel, arranged in accordance with at least some embodiments described herein.
[0039] In an example basic configuration 502, the computing device 500 may include one or more processors 504 and a system memory 506. A memory bus 508 may be used to communicate between the processor 504 and the system memory 506. The basic configuration 502 is illustrated in FIG. 5 by those components within the inner dashed line.
[0040] Depending on the desired configuration, the processor 504 may be of any type, including but not limited to a microprocessor (μP), a microcontroller (μC), a digital signal processor (DSP), or any combination thereof. The processor 504 may include one or more levels of caching, such as a cache memory 512, a processor core 514, and registers 516. The example processor core 514 may include an arithmetic logic unit (ALU), a floating point unit (FPU), a digital signal processing core (DSP core), or any combination thereof. An example memory controller 518 may also be used with the processor 504, or in some implementations, the memory controller 518 may be an internal part of the processor 504.
[0041] Depending on the desired configuration, the system memory 506 may be of any type including but not limited to volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.) or any combination thereof. The system memory 506 may include an operating system 520, a security management application 522, and program data 524. The security management application 522 may include a training management module 526. The training management module 526, in conjunction with the security management application 522, may be configured to modify security logs to train security personnel by receiving security logs of a protected network along with one or more log events associated with a real attack, a fake attack, and/or a white hacker attack. The received log events may be inserted into the security logs according to a random or predefined combination scheme to generate combined logs. One or more portions of the combined logs may be marked to indicate locations of the inserted log events within the combined logs. The combined logs may be provided to a human security personnel in training or an attack detection AI engine with the marked portions of the combined logs being undetectable to the security personnel in training or AI engine. Information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training or the AI engine may be received by the training management module 526. The program data 524 may include attack logs 528 such as a server activity, a login attempt, a file access, a file transfer, a download, an upload, a credential modification, a permission modification, etc., among other data, as described herein.
[0042] The computing device 500 may have additional features or functionality, and additional interfaces to facilitate communications between the basic configuration 502 and any desired devices and interfaces. For example, a bus/interface controller 530 may be used to facilitate communications between the basic configuration 502 and one or more data storage devices 532 via a storage interface bus 534. The data storage devices 532 may be one or more removable storage devices 536, one or more non-removable storage devices 538, or a combination thereof. Examples of the removable storage and the non-removable storage devices include magnetic disk devices such as flexible disk drives and hard-disk drives (HDDs), optical disk drives such as compact disc (CD) drives or digital versatile disk (DVD) drives, solid state drives (SSDs), and tape drives to name a few. Example computer storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data.
[0043] The system memory 506, the removable storage devices 536 and the non-removable storage devices 538 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD- ROM, digital versatile disks (DVDs), solid state drives (SSDs), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which may be used to store the desired information and which may be accessed by the computing device 500. Any such computer storage media may be part of the computing device 500.
[0044] The computing device 500 may also include an interface bus 540 for facilitating communication from various interface devices (e.g., one or more output devices 542, one or more peripheral interfaces 550, and one or more communication devices 560) to the basic configuration 502 via the bus/interface controller 530. Some of the example output devices 542 include a graphics processing unit 544 and an audio processing unit 546, which may be configured to communicate to various external devices such as a display or speakers via one or more A/V ports 548. One or more example peripheral interfaces 550 may include a serial interface controller 554 or a parallel interface controller 556, which may be configured to communicate with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, touch input device, etc.) or other peripheral devices (e.g., printer, scanner, etc.) via one or more I/O ports 558. An example communication device 560 includes a network controller 562, which may be arranged to facilitate communications with one or more other computing devices 566 over a network communication link via one or more communication ports 564. The one or more other computing devices 566 may include servers at a datacenter, customer equipment, and comparable devices.
[0045] The network communication link may be one example of a communication media. Communication media may be embodied by computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media. A "modulated data signal" may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency (RF), microwave, infrared (IR) and other wireless media. The term computer readable media as used herein may include non-transitory storage media.
[0046] The computing device 500 may be implemented as a part of a specialized server, mainframe, or similar computer that includes any of the above functions. The computing device 500 may also be implemented as a personal computer including both laptop computer and non-laptop computer configurations.
[0047] FIG. 6 is a flow diagram illustrating an example method for modification of security logs to train security personnel that may be performed by a computing device such as the computing device in FIG. 5, arranged in accordance with at least some embodiments described herein.
[0048] Example methods may include one or more operations, functions, or actions as illustrated by one or more of blocks 622, 624, 626, 628, and 630, which may in some embodiments be performed by a computing device such as the computing device 500 in FIG. 5. Such operations, functions, or actions in FIG. 6 and in the other figures, in some embodiments, may be combined, eliminated, modified, and/or supplemented with other operations, functions or actions, and need not necessarily be performed in the exact sequence as shown. The operations described in the blocks 622-630 may be implemented through execution of computer-executable instructions stored in a computer-readable medium such as a computer-readable medium 620 of a computing device 610.
[0049] An example process for modification of security logs to train security personnel may begin with block 622, "RECEIVE A PLURALITY OF SECURITY LOGS AND AN ATTACK LOG", where security logs of a protected network based on detected activities and log events associated with an attack may be received. The captured activities may include one or more of a server activity, a login attempt, a file access, a file transfer, a download, an upload, a credential modification, or a permission modification. The log events associated with the attack may be part of a fake attack generated from an old real attack and/or a white hacker attack through a mutation operation and/or a crossover operation.
[0050] Block 622 may be followed by block 624, "MERGE THE PLURALITY OF SECURITY LOGS WITH THE ATTACK LOG TO GENERATE COMBINED LOGS", where log events associated with the fake attack may be inserted into the security logs (real logs) in a random fashion or according to a predefined combination scheme. The fake attack log events may be combined with the security logs as those are being generated based on detected activities or following generation of the security logs.
[0051] Block 624 may be followed by block 626, "MARK ONE OR MORE PORTIONS OF THE COMBINED LOGS TO INDICATE ONE OR MORE LOCATIONS OF THE ATTACK LOG WITHIN THE COMBINED LOGS", where one or more portions of the combined logs may be marked to indicate locations of the inserted fake attack log events, but the marked one or more portions of the combined logs may be undetectable to the security personnel for realistic training.
[0052] Block 626 may be followed by block 628, "PROVIDE THE COMBINED LOGS FOR SECURITY PERSONNEL IN TRAINING, WHERE THE MARKED ONE OR MORE PORTIONS OF THE COMBINED LOGS ARE UNDETECTABLE TO THE SECURITY PERSONNEL IN TRAINING", where the combined logs (usually a summarized version) may be provided to the security personnel for review and training. The security personnel may be expected to tag log events they believe are results of an attack.
[0053] Block 628 may be followed by block 630, "RECEIVE INFORMATION ASSOCIATED WITH WHETHER OR NOT THE MARKED ONE OR MORE PORTIONS OF THE COMBINED LOGS ARE IDENTIFIED BY THE SECURITY PERSONNEL IN TRAINING", where identified log events and/or an identification of the attack may be received from the security personnel in training. In some examples, one or more options for actions to be performed may be provided to the security personnel upon detection of an attack by the security personnel from the provided combined logs.
[0054] The operations included in the above-described process are for illustration purposes. Modification of security logs to train security personnel may be implemented by similar processes with fewer or additional operations, as well as in different order of operations using the principles described herein. The operations described herein may be executed by one or more processors operated on one or more computing devices, one or more processor cores, and/or specialized processing devices, among other examples.
[0055] FIG. 7 illustrates a block diagram of an example computer program product, arranged in accordance with at least some embodiments described herein.
[0056] In some examples, as shown in FIG. 7, a computer program product 700 may include a signal bearing medium 702 that may also include one or more machine readable instructions 704 that, in response to execution by, for example, a processor may provide the functionality described herein. Thus, for example, referring to the processor 504 in FIG. 5, the security management application 522 may perform or control performance of one or more of the tasks shown in FIG. 7 in response to the instructions 704 conveyed to the processor 504 by the signal bearing medium 702 to perform actions associated with the modification of security logs to train security personnel as described herein. Some of those instructions may include, for example, receive a plurality of security logs; receive an attack log; merge the plurality of security logs with the attack log to generate combined logs; mark one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs; provide the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and/or receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training, according to some embodiments described herein.
[0057] In some implementations, the signal bearing medium 702 depicted in FIG. 7 may encompass computer-readable medium 706, such as, but not limited to, a hard disk drive (HDD), a solid state drive (SSD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, memory, and comparable non-transitory computer-readable storage media. In some implementations, the signal bearing medium 702 may encompass recordable medium 708, such as, but not limited to, memory, read/write (R/W) CDs, R/W DVDs, etc. In some implementations, the signal bearing medium 702 may encompass communications medium 710, such as, but not limited to, a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.). Thus, for example, the computer program product 700 may be conveyed to one or more modules of the processor 504 by an RF signal bearing medium, where the signal bearing medium 702 is conveyed by the communications medium 710 (e.g., a wireless communications medium conforming with the IEEE 802.11 standard).
[0058] According to some examples, a method for modification of security logs to train security personnel is described. The method may include receiving a plurality of security logs and an attack log, merging the plurality of security logs with the attack log to generate combined logs, and marking one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs. The method may also include providing the combined logs for security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training, and receiving information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0059] According to other examples, receiving the attack log may include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack. Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log through one or more of a crossover operation or a mutation operation. Receiving the attack log may further include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and replacing one or more portions of the received log associated with the real attack or the white hacker attack with one or more other portions of the real attack, the fake attack, or the white hacker attack. Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying one or more portions of the received log associated with the real attack, the fake attack, or the white hacker attack.
[0060] According to further examples, receiving the attack log may include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time associated with one or more of the real attack, the fake attack, or the white hacker attack. Receiving the attack log may also include receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and modifying the received log associated with the real attack, the fake attack, or the white hacker attack by altering a raw log associated with one or more of the real attack, the fake attack, or the white hacker attack. The method may further include generating a log based on one or more of a random or a predefined combination of modified log portions associated with a real attack, the fake attack, or a white hacker attack. Merging the plurality of security logs with the attack log to generate combined logs may include combining the plurality of security logs with the attack log as the security logs are generated.
[0061] According to some examples, merging the plurality of security logs with the attack log to generate combined logs may include combining the plurality of security logs with the attack log subsequent to generation of the security logs. The method may further include summarizing the combined logs; providing the information associated with whether or not the attack log is detected as feedback to the security personnel in training; or employing a first threat detection tool to analyze the combined logs, and flagging one or more attacks detected by the first threat detection tool in the combined logs. The method may also include receiving information from the security personnel in training associated with a detected attack in the combined logs; and if the detected attack is not among the one or more attacks detected by the first threat detection tool, employing a second threat detection tool to analyze the combined logs. The method may further include receiving information from the security personnel in training associated with a detected attack in the combined logs; if the detected attack is not among the one or more attacks detected by the first threat detection tool, modifying a setting of the first threat detection tool; and employing the modified first threat detection tool to analyze the combined logs.
[0062] According to other examples, a computing device to modify security logs to train security personnel is described. The computing device may include a communication device configured to communicate with a plurality of components of a protected network, a memory configured to store instructions, and a processor coupled to the communication device and the memory. The processor, in conjunction with the instructions stored on the memory, may be configured to receive a plurality of security logs; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack directed to the protected network; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs. The processor may also be configured to provide the combined logs for the security training, where the marked one or more portions of the combined logs are undetectable to a security personnel in training, and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0063] According to further examples, the processor may be further configured to generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack; or alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack. The processor may also be configured to alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack; or alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time in the one or more portions of the log events associated with the real attack or the white hacker attack.
[0064] According to some examples, the processor may be further configured to analyze the real attack or the white hacker attack; and alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis. The processor may also be configured to insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs. The processor may be further configured to generate the combined logs as the plurality of security logs are generated; generate the combined logs subsequent to generation of the plurality of security logs; or summarize the combined logs. The processor may also be configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the security personnel in training. The processor may be further configured to provide the combined logs to an attack detection artificial intelligence (AI) module.
[0065] According to other examples, the computing device may be a component of the protected network that generates the plurality of security logs, a server outside of the protected network, or a server configured to manage security training operations. The processor may be further configured to employ a first threat detection tool to analyze the combined logs; and flag one or more attacks detected by the first threat detection tool in the combined logs. The processor may also be configured to receive information from the security personnel in training associated with a detected attack in the combined logs; and if the detected attack is not among the one or more attacks detected by the first threat detection tool, employ a second threat detection tool to analyze the combined logs. The processor may be further configured to receive information from the security personnel in training associated with a detected attack in the combined logs; if the detected attack is not among the one or more attacks detected by the first threat detection tool, modify a setting of the first threat detection tool; and employ the modified first threat detection tool to analyze the combined logs.
[0066] According to further examples, a system to modify security logs to train security personnel is described. The system may include a first protected network component, a second protected network component, and a third protected network component. The first protected network component may be configured to generate a plurality of security logs. The second protected network component may receive the plurality of security logs from the first protected network component; receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack; insert the received one or more log events into the plurality of security logs to generate combined logs; and mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs. The third protected network component may be configured to receive the combined logs from the second protected network component; provide the combined logs to a security personnel in training, where the marked one or more portions of the combined logs are undetectable to the security personnel in training; and receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
[0067] According to some examples, the third protected network component may be further configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the first protected network component or the second protected network component. The second protected network component may be further configured to generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack; alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack; alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack; or alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time in the one or more portions of the log events associated with the real attack or the white hacker attack.
[0068] According to other examples, the second protected network component may be further configured to analyze the real attack or the white hacker attack; and alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis. The second protected network component may also be configured to insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs. The second protected network component may be further configured to generate the combined logs as the plurality of security logs are generated; generate the combined logs subsequent to generation of the plurality of security logs; or summarize the combined logs. The first protected network component may be further configured to provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to a security personnel or an attack detection artificial intelligence (AI) module. The first protected network component, the second protected network component, or the third protected network component may be a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, or a special purpose network device.
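The merge, mark, mutate/crossover and threat-detection-tool reconciliation steps described in [0058]-[0061], and restated for the computing device in [0062]-[0065] and the system in [0066]-[0068], can be followed end to end in the Python below. This is an added worked example, not code from this disclosure or its assignee. The six-field log line format, the benign and attack sample lines (constructed, using the 192.0.2.0/24 and 198.51.100.0/24 documentation address ranges), the regular-expression rule sets standing in for the first and second threat detection tools, and every function name are assumptions. The practitioner's point it makes concrete: the "mark" on the inserted events is held only in an answer key kept by the trainer, because any in-band marker (an extra field, a tag, a distinctive timestamp format) would itself be detectable by the trainee and defeat the requirement that the marked portions be undetectable.

```python
"""Added example (not the patent's own code): merge a mutated attack log into
benign security logs, keep the attack positions in an out-of-band answer key,
score a trainee, and reconcile the trainee's findings with a detection tool."""
import random
import re
from datetime import datetime, timedelta

# Constructed benign logs (assumed format): time host source_ip operation target status.
BENIGN_LOGS = [
    "2019-03-20T10:00:01Z web01 192.0.2.10 GET /index.html 200",
    "2019-03-20T10:00:05Z web01 192.0.2.11 GET /about.html 200",
    "2019-03-20T10:00:09Z db01 192.0.2.12 QUERY users 200",
    "2019-03-20T10:00:14Z web02 192.0.2.13 GET /login 200",
    "2019-03-20T10:00:20Z web02 192.0.2.14 POST /login 302",
    "2019-03-20T10:00:31Z web01 192.0.2.15 GET /docs/readme.txt 200",
]
# Constructed authorised-test ("white hacker") attack log recorded on a different day.
ATTACK_LOG = [
    "2019-03-01T02:15:00Z web01 198.51.100.7 GET /../../etc/passwd 403",
    "2019-03-01T02:15:01Z web01 198.51.100.7 GET /admin.php 404",
    "2019-03-01T02:15:02Z web01 198.51.100.7 POST /login 401",
]
FIELDS = ("time", "host", "src", "op", "target", "status")
TS = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    """Split a line into its fields; reject malformed input instead of guessing."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed log line: {line!r}")
    return dict(zip(FIELDS, parts))

def render(ev):
    return " ".join(ev[f] for f in FIELDS)

def mutate(attack, benign, rng):
    """Mutation operation: change source IP, server identifier and date/time so a
    re-used attack is not recognisable verbatim; relative event timing is kept."""
    events = [parse(l) for l in attack]
    hosts = sorted({parse(l)["host"] for l in benign})
    times = sorted(datetime.strptime(parse(l)["time"], TS) for l in benign)
    new_src = "198.51.100." + str(rng.randint(1, 254))  # TEST-NET-2, hypothetical attacker
    new_host = rng.choice(hosts)
    base = datetime.strptime(events[0]["time"], TS)
    span = int((times[-1] - times[0]).total_seconds())
    start = times[0] + timedelta(seconds=rng.randint(0, span))  # land inside the benign window
    for ev in events:
        ev["time"] = (start + (datetime.strptime(ev["time"], TS) - base)).strftime(TS)
        ev["src"], ev["host"] = new_src, new_host
    return [render(ev) for ev in events]

def crossover(attack_a, attack_b, point):
    """Crossover operation: head of one attack log spliced onto the tail of another."""
    return attack_a[:point] + attack_b[point:]

def merge(benign, attack):
    """Combine logs in time order. The answer key (indexes of attack lines) is the
    'mark': it stays with the trainer and is never written into the lines, so
    nothing in the delivered logs reveals which events were inserted."""
    tagged = [(l, False) for l in benign] + [(l, True) for l in attack]
    tagged.sort(key=lambda t: parse(t[0])["time"])  # stable sort: ties keep benign first
    lines = [l for l, _ in tagged]
    key = frozenset(i for i, (_, is_attack) in enumerate(tagged) if is_attack)
    return lines, key

def score(answer_key, trainee_flags):
    """Feedback: which inserted events the trainee found, missed, or mis-flagged."""
    flags = set(trainee_flags)
    return {"found": sorted(answer_key & flags),
            "missed": sorted(answer_key - flags),
            "false_alarms": sorted(flags - answer_key)}

def detect(lines, patterns):
    """Stand-in for a threat detection tool: indexes of lines matching any rule."""
    return {i for i, l in enumerate(lines) if any(re.search(p, l) for p in patterns)}

def reconcile(lines, trainee_flags, first_patterns, second_patterns):
    """If the trainee flagged a line the first tool did not, run a second tool
    (here simply a broader rule set) over the same combined logs."""
    first = detect(lines, first_patterns)
    unexplained = set(trainee_flags) - first
    second = detect(lines, second_patterns) if unexplained else set()
    return first, unexplained, second

def build_exercise(seed=7):
    """One training set: combined lines go to the trainee, the key stays with the trainer."""
    fake_attack = mutate(ATTACK_LOG, BENIGN_LOGS, random.Random(seed))
    return merge(BENIGN_LOGS, fake_attack)

if __name__ == "__main__":
    combined, key = build_exercise()
    print("\n".join(combined))
    print("answer key (trainer only):", sorted(key))
```

Running the file prints the combined logs for seed 7 and, separately, the trainer-only key. Only the fields the disclosure lists (source IP, server identifier, date and time) are mutated here; the request paths, status codes and event ordering of the original test run survive, so an analyst who has already reviewed that run could still recognise it. Varying those remaining portions is what the crossover operation and the wider field replacement described above are for.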
[0069] There are various vehicles by which processes and/or systems and/or other technologies described herein may be effected (e.g., hardware, software, and/or firmware), and the preferred vehicle will vary with the context in which the processes and/or systems and/or other technologies are deployed. For example, if an implementer determines that speed and accuracy are paramount, the implementer may opt for a mainly hardware and/or firmware vehicle; if flexibility is paramount, the implementer may opt for a mainly software implementation; or, yet again alternatively, the implementer may opt for some combination of hardware, software, and/or firmware.
[0070] The foregoing detailed description has set forth various embodiments of the devices and/or processes via the use of block diagrams, flowcharts, and/or examples. Insofar as such block diagrams, flowcharts, and/or examples contain one or more functions and/or operations, each function and/or operation within such block diagrams, flowcharts, or examples may be implemented, individually and/or collectively, by a wide range of hardware, software, firmware, or virtually any combination thereof. In one embodiment, several portions of the subject matter described herein may be implemented via application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other integrated formats. However, some aspects of the embodiments disclosed herein, in whole or in part, may be equivalently implemented in integrated circuits, as one or more computer programs executing on one or more computers (e.g., as one or more programs executing on one or more computer systems), as one or more programs executing on one or more processors (e.g., as one or more programs executing on one or more microprocessors), as firmware, or as virtually any combination thereof, and designing the circuitry and/or writing the code for the software and/or firmware is possible in light of this disclosure.
[0071] The present disclosure is not to be limited in terms of the particular embodiments described in this application, which are intended as illustrations of various aspects. Many modifications and variations can be made without departing from its spirit and scope. Functionally equivalent methods and apparatuses within the scope of the disclosure, in addition to those enumerated herein, are possible from the foregoing descriptions. Such modifications and variations are intended to fall within the scope of the appended claims. The present disclosure is to be limited only by the terms of the appended claims, along with the full scope of equivalents to which such claims are entitled. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting.
[0072] In addition, the mechanisms of the subject matter described herein are capable of being distributed as a program product in a variety of forms, and an illustrative embodiment of the subject matter described herein applies regardless of the particular type of signal bearing medium used to actually carry out the distribution. Examples of a signal bearing medium include, but are not limited to, the following: a recordable type medium such as a floppy disk, a hard disk drive (HDD), a compact disc (CD), a digital versatile disk (DVD), a digital tape, a computer memory, a solid state drive (SSD), etc.; and a transmission type medium such as a digital and/or an analog communication medium (e.g., a fiber optic cable, a waveguide, a wired communication link, a wireless communication link, etc.).
[0073] It is common within the art to describe devices and/or processes in the fashion set forth herein, and thereafter use engineering practices to integrate such described devices and/or processes into data processing systems. That is, at least a portion of the devices and/or processes described herein may be integrated into a data processing system via a reasonable amount of experimentation. A data processing system may include one or more of a system unit housing, a video display device, a memory such as volatile and non-volatile memory, processors such as microprocessors and digital signal processors, computational entities such as operating systems, drivers, graphical user interfaces, and applications programs, one or more interaction devices, such as a touch pad or screen, and/or control systems including feedback loops and control motors.
[0074] A data processing system may be implemented utilizing any suitable commercially available components, such as those found in data computing/communication and/or network computing/communication systems. The herein described subject matter sometimes illustrates different components contained within, or connected with, different other components. Such depicted architectures are merely exemplary, and in fact, many other architectures may be implemented which achieve the same functionality. In a conceptual sense, any arrangement of components to achieve the same functionality is effectively "associated" such that the desired functionality is achieved. Hence, any two components herein combined to achieve a particular functionality may be seen as "associated with" each other such that the desired functionality is achieved, irrespective of architectures or intermediate components. Likewise, any two components so associated may also be viewed as being "operably connected", or "operably coupled", to each other to achieve the desired functionality, and any two components capable of being so associated may also be viewed as being "operably couplable", to each other to achieve the desired functionality. Specific examples of operably couplable include but are not limited to physically connectable and/or physically interacting components and/or wirelessly interactable and/or wirelessly interacting components and/or logically interacting and/or logically interactable components.
[0075] With respect to the use of substantially any plural and/or singular terms herein, those having skill in the art can translate from the plural to the singular and/or from the singular to the plural as is appropriate to the context and/or application. The various singular/plural permutations may be expressly set forth herein for sake of clarity.
[0076] In general, terms used herein, and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as "open" terms (e.g., the term "including" should be interpreted as "including but not limited to," the term "having" should be interpreted as "having at least," the term "includes" should be interpreted as "includes but is not limited to," etc.). It will be further understood by those within the art that if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation, no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases "at least one" and "one or more" to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles "a" or "an" limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases "one or more" or "at least one" and indefinite articles such as "a" or "an" (e.g., "a" and/or "an" should be interpreted to mean "at least one" or "one or more"); the same holds true for the use of definite articles used to introduce claim recitations. In addition, even if a specific number of an introduced claim recitation is explicitly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of "two recitations," without other modifiers, means at least two recitations, or two or more recitations).
[0077] Furthermore, in those instances where a convention analogous to "at least one of A, B, and C, etc." is used, in general, such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). It will be further understood by those within the art that virtually any disjunctive word and/or phrase presenting two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both terms. For example, the phrase "A or B" will be understood to include the possibilities of "A" or "B" or "A and B."
[0078] For any and all purposes, such as in terms of providing a written description, all ranges disclosed herein also encompass any and all possible subranges and combinations of subranges thereof. Any listed range can be easily recognized as sufficiently describing and enabling the same range being broken down into at least equal halves, thirds, quarters, fifths, tenths, etc. As a non-limiting example, each range discussed herein can be readily broken down into a lower third, middle third and upper third, etc. As will also be understood by one skilled in the art all language such as "up to," "at least," "greater than," "less than," and the like include the number recited and refer to ranges which can be subsequently broken down into subranges as discussed above. Finally, a range includes each individual member. Thus, for example, a group having 1-3 cells refers to groups having 1, 2, or 3 cells. Similarly, a group having 1-5 cells refers to groups having 1, 2, 3, 4, or 5 cells, and so forth.
[0079] While various aspects and embodiments have been disclosed herein, other aspects and embodiments are possible. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

WHAT IS CLAIMED IS:
1. A method for modification of security logs to train security personnel, the method comprising:
receiving a plurality of security logs;
receiving an attack log;
merging the plurality of security logs with the attack log to generate combined logs;
marking one or more portions of the combined logs to indicate one or more locations of the attack log within the combined logs;
providing the combined logs for security personnel in training, wherein the marked one or more portions of the combined logs are undetectable to the security personnel in training; and
receiving information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
2. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack.
3. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and
modifying the received log through one or more of a crossover operation or a mutation operation.
4. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and
replacing one or more portions of the received log associated with the real attack or the white hacker attack with one or more other portions of the real attack, the fake attack, or the white hacker attack.
5. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and
modifying one or more portions of the received log associated with the real attack, the fake attack, or the white hacker attack.
6. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and
modifying the received log by altering one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time associated with one or more of the real attack, the fake attack, or the white hacker attack.
7. The method of claim 1, wherein receiving the attack log comprises:
receiving a log associated with one or more of a real attack, a fake attack, or a white hacker attack; and
modifying the received log associated with the real attack, the fake attack, or the white hacker attack by altering a raw log associated with one or more of the real attack, the fake attack, or the white hacker attack.
8. The method of claim 1, further comprising:
generating a log based on one or more of a random or a predefined combination of modified log portions associated with a real attack, the fake attack, or a white hacker attack.
9. The method of claim 1, wherein merging the plurality of security logs with the attack log to generate combined logs comprises:
combining the plurality of security logs with the attack log as the security logs are generated.
10. The method of claim 1, wherein merging the plurality of security logs with the attack log to generate combined logs comprises:
combining the plurality of security logs with the attack log subsequent to generation of the security logs.
11. The method of claim 1, further comprising:
summarizing the combined logs.
12. The method of claim 1, further comprising:
providing the information associated with whether or not the attack log is detected as feedback to the security personnel in training.
13. The method of claim 1, further comprising:
employing a first threat detection tool to analyze the combined logs; and
flagging one or more attacks detected by the first threat detection tool in the combined logs.
14. The method of claim 13, further comprising:
receiving information from the security personnel in training associated with a detected attack in the combined logs; and
if the detected attack is not among the one or more attacks detected by the first threat detection tool, employing a second threat detection tool to analyze the combined logs.
15. The method of claim 13, further comprising:
receiving information from the security personnel in training associated with a detected attack in the combined logs;
if the detected attack is not among the one or more attacks detected by the first threat detection tool, modifying a setting of the first threat detection tool; and
employing the modified first threat detection tool to analyze the combined logs.
16. A computing device to modify security logs to train security personnel, the computing device comprising:
a communication device configured to communicate with a plurality of components of a protected network;
a memory configured to store instructions; and
a processor coupled to the communication device and the memory, wherein the processor in conjunction with the instructions stored on the memory is configured to:
receive a plurality of security logs;
receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack directed to the protected network;
insert the received one or more log events into the plurality of security logs to generate combined logs;
mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs;
provide the combined logs for the security training, wherein the marked one or more portions of the combined logs are undetectable to a security personnel in training; and
receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
17. The computing device of claim 16, wherein the processor is further configured to:
generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack.
18. The computing device of claim 16, wherein the processor is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack.
19. The computing device of claim 16, wherein the processor is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack.
20. The computing device of claim 16, wherein the processor is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack.
21. The computing device of claim 16, wherein the processor is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time in the one or more portions of the log events associated with the real attack or the white hacker attack.
22. The computing device of claim 16, wherein the processor is further configured to:
analyze the real attack or the white hacker attack; and
alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis.
23. The computing device of claim 16, wherein the processor is further configured to:
insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs.
24. The computing device of claim 16, wherein the processor is further configured to:
generate the combined logs as the plurality of security logs are generated.
25. The computing device of claim 16, wherein the processor is further configured to:
generate the combined logs subsequent to generation of the plurality of security logs.
26. The computing device of claim 16, wherein the processor is further configured to:
summarize the combined logs.
27. The computing device of claim 16, wherein the processor is further configured to:
provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the security personnel in training.
28. The computing device of claim 16, wherein the processor is further configured to provide the combined logs to an attack detection artificial intelligence (AI) module.
29. The computing device of claim 16, wherein the computing device is a component of the protected network that generates the plurality of security logs.
30. The computing device of claim 16, wherein the computing device is a server outside of the protected network.
31. The computing device of claim 16, wherein the computing device is a server configured to manage security training operations.
32. The computing device of claim 16, wherein the processor is further configured to:
employ a first threat detection tool to analyze the combined logs; and
flag one or more attacks detected by the first threat detection tool in the combined logs.
33. The computing device of claim 32, wherein the processor is further configured to:
receive information from the security personnel in training associated with a detected attack in the combined logs; and
if the detected attack is not among the one or more attacks detected by the first threat detection tool, employ a second threat detection tool to analyze the combined logs.
34. The computing device of claim 32, wherein the processor is further configured to:
receive information from the security personnel in training associated with a detected attack in the combined logs;
if the detected attack is not among the one or more attacks detected by the first threat detection tool, modify a setting of the first threat detection tool; and
employ the modified first threat detection tool to analyze the combined logs.
35. A system configured to modify security logs to train security personnel, the system comprising:
a first protected network component configured to:
generate a plurality of security logs;
a second protected network component configured to:
receive the plurality of security logs from the first protected network component;
receive one or more log events associated with one or more of a real attack, a fake attack, or a white hacker attack;
insert the received one or more log events into the plurality of security logs to generate combined logs; and
mark one or more portions of the combined logs to indicate locations of the inserted one or more log events within the combined logs; and
a third protected network component configured to:
receive the combined logs from the second protected network component;
provide the combined logs to a security personnel in training, wherein the marked one or more portions of the combined logs are undetectable to the security personnel in training; and
receive information associated with whether or not the marked one or more portions of the combined logs are identified by the security personnel in training.
36. The system of claim 35, wherein the third protected network component is further configured to:
provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to the first protected network component or the second protected network component.
37. The system of claim 35, wherein the second protected network component is further configured to:
generate the one or more log events associated with the fake attack based on modification of the one or more log events associated with the real attack or the white hacker attack.
38. The system of claim 35, wherein the second protected network component is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack.
39. The system of claim 35, wherein the second protected network component is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through replacement of one or more portions of the log events associated with the real attack or the white hacker attack with one or more other portions of the log events of the same one of the real attack or the white hacker attack.
40. The system of claim 35, wherein the second protected network component is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more portions of the log events associated with the real attack or the white hacker attack.
41. The system of claim 35, wherein the second protected network component is further configured to:
alter the one or more log events associated with the real attack or the white hacker attack through modification of one or more of a file name, a server identifier, a target IP address, a source IP address, a geographic location of attack, a requested data type, a requested operation type, a date, or a time in the one or more portions of the log events associated with the real attack or the white hacker attack.
42. The system of claim 35, wherein the second protected network component is further configured to:
analyze the real attack or the white hacker attack; and
alter the one or more log events associated with the real attack or the white hacker attack through one or more of a crossover operation or a mutation operation to generate the one or more log events associated with the fake attack based on the analysis.
43. The system of claim 35, wherein the second protected network component is further configured to:
insert the one or more log events associated with the one or more of the real attack, the fake attack, or the white hacker attack into the plurality of security logs based on one or more of a random or a predefined combination of the one or more log events and the plurality of security logs.
44. The system of claim 35, wherein the second protected network component is further configured to:
generate the combined logs as the plurality of security logs are generated.
45. The system of claim 35, wherein the second protected network component is further configured to:
generate the combined logs subsequent to generation of the plurality of security logs.
46. The system of claim 35, wherein the second protected network component is further configured to:
summarize the combined logs.
47. The system of claim 35, wherein the first protected network component is further configured to:
provide the information associated with whether or not the marked one or more portions of the combined logs are identified as feedback to a security personnel or an attack detection artificial intelligence (AI) module.
48. The system of claim 35, wherein the first protected network component, the second protected network component, or the third protected network component are one of: a server, a router, a firewall device, a desktop computer, a vehicle mount computer, a laptop computer, and a special purpose network device.
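The computing-device claims (16 to 34) and the system claims (35 to 48) describe one pipeline: take a set of baseline security logs, derive a fake attack from white-hacker events by crossover and mutation of the fields listed in claims 21 and 41, insert the events, keep the marks undetectable to the trainee, score what the trainee reports, and compare that with what a threat detection tool flags. The Python below is an added illustration of that pipeline written for this page; it is not the applicant's implementation. The log line format, the baseline and white-hacker log lines, the choice of mutated fields, the substitute file names, and the `rule_detect` stand-in for the "first threat detection tool" are all constructed assumptions.

```python
import random
import re
from datetime import datetime, timedelta

# Constructed baseline logs (benign web traffic); not taken from the patent.
BASELINE_LOGS = [
    "2019-03-21T09:00:01 web01 10.0.0.15 GET /index.html 200",
    "2019-03-21T09:00:07 web01 10.0.0.22 GET /images/logo.png 200",
    "2019-03-21T09:01:12 web02 10.0.0.31 POST /login 302",
    "2019-03-21T09:02:45 web01 10.0.0.15 GET /about.html 200",
    "2019-03-21T09:03:30 web02 10.0.0.44 GET /docs/guide.pdf 200",
    "2019-03-21T09:04:02 web01 10.0.0.22 GET /contact.html 200",
]
# Constructed events recorded during an authorised white-hacker engagement.
WHITE_HACKER_EVENTS = [
    "2019-03-21T09:01:50 web02 198.51.100.7 GET /../../etc/passwd 403",
    "2019-03-21T09:01:51 web02 198.51.100.7 GET /admin/config.php 404",
]
FIELDS = ("ts", "server", "src", "op", "path", "status")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<server>\S+) (?P<src>\S+) "
                     r"(?P<op>\S+) (?P<path>\S+) (?P<status>\d+)$")


def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparseable log line: " + line)
    return m.groupdict()


def fmt(f):
    return " ".join(f[k] for k in FIELDS)


def crossover(a, b, rng):
    """Swap one portion between two events of the same attack (claims 19/39)."""
    fa, fb = parse(a), parse(b)
    key = rng.choice(["path", "status"])
    fa[key], fb[key] = fb[key], fa[key]
    return fmt(fa), fmt(fb)


def mutate_attack(events, rng, window_start, window_end):
    """Rewrite identifying fields (claims 21/41): one new source IP and server
    for the whole attack so it still reads as a single actor, a fresh file name
    per event, and a common time shift that lands the sequence inside the
    baseline window so no out-of-order timestamp gives the insertion away."""
    parsed = [parse(e) for e in events]
    first = datetime.fromisoformat(parsed[0]["ts"])
    last = datetime.fromisoformat(parsed[-1]["ts"])
    room = (window_end - window_start - (last - first)).total_seconds()
    shift = timedelta(seconds=rng.uniform(0, max(room, 0))) - (first - window_start)
    new_src = "203.0.113.%d" % rng.randint(1, 254)      # assumed attacker range
    new_server = rng.choice(["web01", "web02", "web03"])
    out = []
    for f in parsed:
        head = f["path"].rpartition("/")[0]
        f["path"] = head + "/" + rng.choice(["shadow", "wp-login.php", ".env", "id_rsa"])
        f["src"], f["server"] = new_src, new_server
        f["ts"] = (datetime.fromisoformat(f["ts"]) + shift).strftime("%Y-%m-%dT%H:%M:%S")
        out.append(fmt(f))
    return out


def generate_fake_attack(events, rng, window_start, window_end):
    """Fake attack = crossover of two real events, then mutation (claims 18/22)."""
    evs = list(events)
    if len(evs) >= 2:
        i, j = rng.sample(range(len(evs)), 2)
        evs[i], evs[j] = crossover(evs[i], evs[j], rng)
    return mutate_attack(evs, rng, window_start, window_end)


def build_training_set(baseline, injected):
    """Merge by timestamp. The marks (indexes of injected lines) are returned as
    a separate answer key, never written into the log text, which is what keeps
    them undetectable to the trainee (claim 16)."""
    tagged = [(l, False) for l in baseline] + [(l, True) for l in injected]
    tagged.sort(key=lambda t: parse(t[0])["ts"])  # ISO-8601 sorts lexically
    combined = [l for l, _ in tagged]
    marks = {i for i, (_, inj) in enumerate(tagged) if inj}
    return combined, marks


def rule_detect(lines, patterns):
    """Stand-in 'first threat detection tool' (claim 32): substring rules on the path."""
    return {i for i, l in enumerate(lines) if any(p in parse(l)["path"] for p in patterns)}


def score(marks, reported):
    """Feedback to the trainee (claim 27): caught, missed and mis-flagged lines."""
    hits = marks & reported
    return {"hits": sorted(hits), "missed": sorted(marks - reported),
            "false_alarms": sorted(reported - marks),
            "recall": len(hits) / len(marks) if marks else 1.0}


def run_exercise(seed=7, trainee_reports=None):
    rng = random.Random(seed)
    ts = [datetime.fromisoformat(parse(l)["ts"]) for l in BASELINE_LOGS]
    fake = generate_fake_attack(WHITE_HACKER_EVENTS, rng, min(ts), max(ts))
    combined, marks = build_training_set(BASELINE_LOGS, fake)
    # Tool signatures tuned on the real engagement's file names: they do not
    # survive mutation, which is the situation claims 33/34 react to.
    tool_hits = rule_detect(combined, ["passwd", "config.php"])
    reported = set(trainee_reports or [])
    return {"combined": combined, "marks": marks,
            "tool_hits": tool_hits, "score": score(marks, reported)}
```

`run_exercise()` hands the trainee only `combined`; `marks` stays with the trainer as the answer key, and `score` turns the trainee's reported line indexes into the feedback of claim 27. Because the signature tool matches on the original file names, it flags nothing in the mutated copy, so a trainee who reports the traversal sequence has found an attack the tool missed; under claim 34 the trainer would then change the tool setting (for instance to match the `/../` traversal or the burst of 403/404 responses from one source) and rerun it over the same combined logs.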
PCT/US2019/023308 2019-03-21 2019-03-21 Modified security logs for security personnel training WO2020190296A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2019/023308 WO2020190296A1 (en) 2019-03-21 2019-03-21 Modified security logs for security personnel training

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2019/023308 WO2020190296A1 (en) 2019-03-21 2019-03-21 Modified security logs for security personnel training

Publications (1)

Publication Number Publication Date
WO2020190296A1 true WO2020190296A1 (en) 2020-09-24

Family

ID=72520509

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/023308 WO2020190296A1 (en) 2019-03-21 2019-03-21 Modified security logs for security personnel training

Country Status (1)

Country Link
WO (1) WO2020190296A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110039237A1 (en) * 2008-04-17 2011-02-17 Skare Paul M Method and system for cyber security management of industrial control systems
US20110185426A1 (en) * 2003-04-04 2011-07-28 Juniper Networks, Inc. Detection of network security breaches based on analysis of network record logs


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
AN ODE TO WHITE HATS: WHAT IS ETHICAL HACKING?, 6 November 2018 (2018-11-06), Retrieved from the Internet <URL:https://securitytrails.com/blog/ode-white-hats-ethical-hacking> [retrieved on 20190520] *
JAGNARINE, THE ROLE OF WHITE HAT HACKERS IN INFORMATION SECURITY, 24 August 2005 (2005-08-24), Retrieved from the Internet <URL:https://digitalcommons.pace.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1012&context=honorscollege_theses> [retrieved on 20190520] *
SCARFONE ET AL.: "Technical guide to information security testing and assessment", NIST SPECIAL PUBLICATION, September 2008 (2008-09-01), Retrieved from the Internet <URL:http://www.itsecure.hu/library/file/Biztonsági%20utmutatók/Egyéb%20biztonsági%20útmutatók/Technical%20Guide%20to%20Information%20Security%20Testing%20and%20Assessment.pdf> [retrieved on 20190520] *

Similar Documents

Publication Publication Date Title
US10574685B2 (en) Synthetic cyber-risk model for vulnerability determination
US11601475B2 (en) Rating organization cybersecurity using active and passive external reconnaissance
Montasari et al. Next-generation digital forensics: Challenges and future paradigms
CN106687971B (en) Automatic code locking to reduce attack surface of software
US10447730B2 (en) Detection of SQL injection attacks
JP6916112B2 (en) Network data characterization system and method
US9882920B2 (en) Cross-user correlation for detecting server-side multi-target intrusion
US20180034837A1 (en) Identifying compromised computing devices in a network
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
US11805147B2 (en) Domain-specific language simulant for simulating a threat-actor and adversarial tactics, techniques, and procedures
US11805152B2 (en) Domain specific language for defending against a threat-actor and adversarial tactics, techniques, and procedures
US20230283641A1 (en) Dynamic cybersecurity scoring using traffic fingerprinting and risk score improvement
Gunawan et al. On the review and setup of security audit using Kali Linux
US20220237302A1 (en) Rule generation apparatus, rule generation method, and computer-readable recording medium
WO2020190296A1 (en) Modified security logs for security personnel training
Bhushan et al. An overview on handling anti forensic issues in android devices using forensic automator tool
Al Shibani et al. Automated Threat Hunting Using ELK Stack-A Case Study
Gurkok Cyber forensics and incident response
WO2020190294A1 (en) Security personnel training using automatic log creation resulting from white hacking
US20200382552A1 (en) Replayable hacktraps for intruder capture with reduced impact on false positives
US20200329070A1 (en) Domain Specific Language for Threat-Actor Deception
CN112637217B (en) Active defense method and device of cloud computing system based on bait generation
Ihanus et al. Refining Cyber Situation Awareness with Honeypots in Case of a Ransomware Attack
Haddon Attack Vectors and the Challenge of Preventing Data Theft
Yao et al. The Design of Website Security Defense System Based on Honeypot Technology

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19919994

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19919994

Country of ref document: EP

Kind code of ref document: A1