An Integrated Cyber Threat Hunting Program Applying Machine Learning for Enhanced Intelligence Capabilities

  • Joshua Richards

    Student thesis: Master's Thesis

    Abstract

    This project entails the creation of a simplified event log filterer that can be used by threat hunters who are new to the field of threat intelligence. The filterer offers three filtering options that let the hunter analyse Application, System, Security and Sysmon logs, the logs most commonly used when hunting for threats. The tool was created to let new users get to grips with threat hunting without having to go through the hundreds of unnecessary log entries that Windows Event Viewer collects and displays, or the array of options that may seem overwhelming to those starting out in the field. The tool also analyses Sysmon logs with anomaly spike detection machine learning to highlight entries that may be anomalous and should be investigated further. The aim is to let the new threat hunter pinpoint which Sysmon entries require attention; the conventional Windows Event Viewer approach affords no such anomaly detection, and sifting through all the logs by hand looking for anomalies is laborious even for experienced hunters, let alone novices.
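    The abstract describes anomaly spike detection over Sysmon logs but does not name the algorithm. The following is an added example written for this page, not code from the thesis: it filters constructed Sysmon-like lines to one event ID, counts events per minute, and scores each minute with a robust z-score (median and median absolute deviation) so that a burst of process creations stands out. The line format, the robust z-score method, the 3.5 threshold and the sample events are all assumptions made for the illustration.

```python
"""Spike detection over per-minute Sysmon event counts.

Added illustration of the kind of anomaly spike detection the abstract
describes; it is not the thesis's own code. The abstract does not name the
algorithm, so the robust z-score (median and MAD) used here is an assumption,
and the log lines are constructed, not real Sysmon output.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed line format (assumption): "<UtcTime> EventID=<n> Image=<path>"
LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) Image=(.*)$")


def build_sample_lines():
    """Constructed input: nine minutes of Sysmon-like EventID=1 (process
    creation) lines with 2-4 explorer.exe starts per minute, plus 40
    cmd.exe starts packed into minute 09:05 as the spike."""
    lines = []
    for minute, n in enumerate([3, 2, 4, 3, 2, 3, 4, 2, 3]):
        for i in range(n):
            lines.append(f"2021-06-01 09:{minute:02d}:{i * 10:02d} "
                         f"EventID=1 Image=C:\\Windows\\explorer.exe")
    for i in range(40):
        lines.append(f"2021-06-01 09:05:{i:02d} "
                     f"EventID=1 Image=C:\\Windows\\System32\\cmd.exe")
    # One network-connection event (EventID=3) to exercise the event-id filter.
    lines.append("2021-06-01 09:02:15 EventID=3 Image=C:\\Windows\\System32\\svchost.exe")
    return lines


def parse_line(line):
    """Return (timestamp, event_id, image) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            int(m.group(2)), m.group(3))


def bucket_by_minute(events):
    """Count events per calendar minute, filling empty minutes with zero so
    that a quiet interval is not silently dropped from the baseline."""
    stamps = [ts.replace(second=0, microsecond=0) for ts, _, _ in events]
    if not stamps:
        return {}
    counts = Counter(stamps)
    cur, last = min(stamps), max(stamps)
    buckets = {}
    while cur <= last:
        buckets[cur] = counts.get(cur, 0)
        cur += timedelta(minutes=1)
    return buckets


def robust_z_scores(buckets):
    """Robust z-score per bucket: (count - median) / (1.4826 * MAD).
    The median and MAD resist the very spike we are looking for, unlike the
    mean and standard deviation. A MAD of zero (flat baseline) falls back to
    a scale of 1 so a single deviating minute is still scored."""
    values = list(buckets.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad else 1.0
    return {k: (v - med) / scale for k, v in buckets.items()}


def detect_spikes(lines, event_id, threshold=3.5):
    """Filter lines to one Sysmon event ID, score each minute, and return the
    minutes whose count spikes above the threshold together with the images
    that dominate that minute, so an analyst knows where to look first."""
    events = [e for e in map(parse_line, lines) if e and e[1] == event_id]
    buckets = bucket_by_minute(events)
    scores = robust_z_scores(buckets)
    flagged = []
    for minute, z in scores.items():
        if z < threshold:
            continue
        images = Counter(img for ts, _, img in events
                         if ts.replace(second=0, microsecond=0) == minute)
        flagged.append({
            "minute": minute.strftime("%Y-%m-%d %H:%M"),
            "count": buckets[minute],
            "z": round(z, 2),
            "top_images": images.most_common(3),
        })
    return flagged


if __name__ == "__main__":
    for hit in detect_spikes(build_sample_lines(), event_id=1):
        print(hit)
```

    Running the block flags only minute 09:05, where 43 process creations (40 of them cmd.exe) sit against a baseline of two to four per minute; the explorer.exe-only minutes score well under the threshold, and the single EventID=3 line produces no spike at all. The median/MAD choice matters: a mean and standard deviation computed over the same nine minutes would be inflated by the spike itself and could mask it.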
    Date of Award: Sept 2021
    Original language: English
    Supervisor: Richard Ward (Supervisor)

    Keywords

    • Anomaly
    • Events
    • Detection
    • Logs
    • Machine Learning
    • Threat Hunting
