Applying High-Performance Bioinformatics Tools for Outlier Detection in Log Data
arXiv - CS - Cryptography and Security Pub Date : 2021-01-18 , DOI: arxiv-2101.07113
Markus Wurzenberger, Florian Skopik, Roman Fiedler, Wolfgang Kastner

Most of today's security solutions, such as security information and event management (SIEM) and signature-based IDS, require the operator to evaluate potential attack vectors and update detection signatures and rules in a timely manner. However, today's sophisticated and tailored advanced persistent threats (APTs), malware, ransomware and rootkits can be so complex and diverse, and so often rely on zero-day exploits, that a purely signature-based blacklisting approach is not sufficient to detect them. Therefore, we can observe a major paradigm shift towards anomaly-based detection mechanisms, which try to establish a baseline of system behavior (based either on netflow data or on system logging data) and report any deviations from this baseline. While these approaches look promising, they usually suffer from scalability issues. As the amount of log data generated during IT operations grows exponentially, high-performance analysis methods are required that can handle this volume of data in real time. In this paper, we demonstrate how high-performance bioinformatics tools can be applied to tackle this issue. We investigate their application to log data for outlier detection in order to reveal, in a timely manner, anomalous system behavior that points to cyber attacks. Finally, we assess the detection capability and run-time performance of the proposed approach.

Updated: 2021-01-19