Friday, January 24, 2025
HomeCyber Security NewsAMIDES - Open-source Detection System to Uncover SIEM Blind Points

AMIDES – Open-source Detection System to Uncover SIEM Blind Points

Published on

SIEM as a Service

Follow Us on Google News

Cyberattacks pose a significant risk, and prevention alone isn’t enough, so timely detection is crucial. That’s why most organizations use SIEM (Security Information and Event Management) systems to centrally collect and analyze security events with expert-written rules for detecting intrusions.

Organizations use SIEM rulesets for intrusion detection, focusing on misuse patterns for known attacks. It’s effective, simple, and aids investigation with detailed alerts.

AMIDES, an open-source Adaptive Misuse Detection System, spots attack-like behavior not caught by SIEM rules.

The following cybersecurity researchers from the respective organizations and universities introduced this new detection system:-

  • Rafael Uetz from Fraunhofer FKIE
  • Marco Herzog from Fraunhofer FKIE
  • Louis Hackländer from Fraunhofer FKIE
  • Simon Schwarz from University of Göttingen
  • Martin Henze from RWTH Aachen University, Fraunhofer FKIE

It uses supervised learning, classifying events based on similarity to known-malicious or known-harmless activity without the need for a manually extensive attack set. Besides this, the AMIDES identifies potential evasion and suggests the likely evaded SIEM rules.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

AMIDES

SIEMs collect data from source systems in Syslog and Windows Event Log format. Due to data volume, automated threat analysis is essential. 

If a threat is detected, a human analyst in a security operations center reviews the alert. Misuse detection, using expert-written rules and signatures, is the primary method for SIEMs to automatically spot malicious activity.

AMIDES process chain (Source - Usenix)
AMIDES process chain (Source – Usenix)

AMIDES enhances SIEM misuse detection in enterprise networks by adding machine learning components to identify rule evasions alongside traditional rule matching.

SIEM events undergo rule matching and feature extraction. The misuse classification component classifies the feature vector as malicious or harmless.

For the training process, this complete system needs the following two key elements:-

  • SIEM rules 
  • Harmless events

It works with existing SIEM rules in organizations using traditional misuse detection, and at the moment, it supports Sigma rules, with potential for Splunk in the future.

This open-source detection system is freely accessible under the GPLv3 license, and it prioritizes performance for large enterprise networks, implemented in Python using:-

  • sklearn
  • numpy

By auto-detecting the SIEM rule evasions, AMIDES reduces network blind spots significantly, but effective detection isn’t enough alone.

This work targets SIEM rule evasions creating critical blind spots in enterprise networks. Analyzing open-source SIEM rules, experts found 110 fully evadable and 19 partially evadable rules out of 292, exposing networks to undetected attacks.

This open-source solution is adaptive for misuse detection, extending rule-based detection to identify evasions and bypassed rules. This approach utilizes existing data, making it convenient for enterprise networks.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Android Kisok Tablets Vulnerability Let Attackers Control AC & Lights

A startling security flaw found in Android-based kiosk tablets at luxury hotels has exposed...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kisok Tablets Vulnerability Let Attackers Control AC & Lights

A startling security flaw found in Android-based kiosk tablets at luxury hotels has exposed...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...