Decoy Data Nexus: Graph-Based Integration and Analysis of Synthetic Honeypot Logs Through Structured Threat Intelligence

Authors

  • Sai Yeswanth Maturi

DOI:

https://doi.org/10.22399/ijcesen.5010

Keywords:

Honeypot systems, Structured Threat Information Expression (STIX), Cyber Threat Intelligence (CTI), Graph databases, Neo4j, Attack graph analysis

Abstract

In the evolving cyber threat landscape, comprehensive understanding and timely analysis of attack vectors are critical for effective defense. This paper introduces a novel approach to simulate, transform, and integrate synthetic honeypot logs into a graph database using the Structured Threat Information Expression (STIX) data model. Leveraging Neo4j’s graph capabilities, we convert voluminous, complex attack data into interconnected threat intelligence objects, facilitating the visualization and exploration of intricate attack graphs. Python-driven automation for log generation and STIX transformation addresses challenges concerning data compatibility, nested property flattening, and cybersecurity compliance. The resultant graph-based threat intelligence framework provides a scalable and standardized platform that empowers Security Operations Centers (SOCs) with enhanced situational awareness and decision-making support, paving the way for an improved cybersecurity posture and collaborative defense strategies.
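As an added illustration of the pipeline the abstract describes (not code from the paper), the following Python maps one constructed honeypot record to STIX 2.1 objects with deterministic SCO identifiers, flattens the nested properties into a property map Neo4j can store, and emits a parameterised MERGE statement. The sample record, the x_honeypot custom property and the helper names are assumptions.

```python
import json
import uuid

# STIX 2.1 namespace used for deterministic SCO identifiers (value taken from the STIX 2.1 spec).
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Constructed sample record: one synthetic honeypot SSH login attempt, not data from the paper.
SAMPLE_LOG = {"ts": "2024-12-30T10:15:00Z", "src_ip": "203.0.113.7",
              "dst_port": 22, "username": "root", "event": "login_failed"}

def sco_id(obj_type, contributing):
    """Deterministic STIX 2.1 SCO id: UUIDv5 over canonical JSON of the id-contributing properties,
    so the same source IP seen in thousands of log lines maps to one graph node."""
    canon = json.dumps(contributing, sort_keys=True, separators=(",", ":"))
    return f"{obj_type}--{uuid.uuid5(SCO_NAMESPACE, canon)}"

def log_to_stix(log):
    """Map one honeypot record to STIX objects: ipv4-addr, user-account and an observed-data SDO."""
    ip = {"type": "ipv4-addr", "spec_version": "2.1", "value": log["src_ip"]}
    ip["id"] = sco_id("ipv4-addr", {"value": ip["value"]})
    acct = {"type": "user-account", "spec_version": "2.1", "account_login": log["username"]}
    acct["id"] = sco_id("user-account", {"account_login": acct["account_login"]})
    observed = {
        "type": "observed-data", "spec_version": "2.1", "id": f"observed-data--{uuid.uuid4()}",
        "created": log["ts"], "modified": log["ts"],
        "first_observed": log["ts"], "last_observed": log["ts"], "number_observed": 1,
        "object_refs": [ip["id"], acct["id"]],
        # Honeypot-specific detail kept as a nested custom property (x_ prefix, assumed naming).
        "x_honeypot": {"dst_port": log["dst_port"], "event": log["event"]},
    }
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [ip, acct, observed]}

def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys; Neo4j properties must be scalars or lists of scalars."""
    out = {}
    for key, val in obj.items():
        name = f"{prefix}{key}"
        if isinstance(val, dict):
            out.update(flatten(val, name + "."))
        elif isinstance(val, list) and any(isinstance(v, dict) for v in val):
            for i, v in enumerate(val):  # lists of maps are indexed into the key path
                out.update(flatten(v, f"{name}.{i}.") if isinstance(v, dict) else {f"{name}.{i}": v})
        else:
            out[name] = val
    return out

def to_cypher(stix_obj):
    """Parameterised MERGE statement and its parameters for loading one flattened object into Neo4j."""
    label = stix_obj["type"].replace("-", "_")
    return f"MERGE (n:{label} {{id: $id}}) SET n += $props", {"id": stix_obj["id"], "props": flatten(stix_obj)}
```

Passing the statement and parameters to a Neo4j session keeps repeated sightings of one IP or account on a single node, which is what makes the attack-graph traversal in the abstract possible.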


Published

2024-12-30

How to Cite

Maturi, S. Y. (2024). Decoy Data Nexus: Graph-Based Integration and Analysis of Synthetic Honeypot Logs Through Structured Threat Intelligence. International Journal of Computational and Experimental Science and Engineering, 10(4). https://doi.org/10.22399/ijcesen.5010

Section

Research Article