System call auditing made effective with machine learning and selective reporting
System call auditing on production servers has been around for a very long time, and aggregating system call events from Linux's audit subsystem with the auditd daemon is time tested. However, given the volume of auditd logs generated every day, most of them routine, administrators go blind to typical privilege escalation attempts such as failed sudo accesses, repeated failed logins, and unauthorized file access.
When we aggregate system calls from all containers and host-level nodes into a central Elasticsearch cluster, drill down into specific attributes such as user id, source IP address, and offending application, and apply machine learning, we gain far more insight into security events and can detect and report anomalies more effectively.
Some of the insights that will be demonstrated in this talk:
- How anomaly detection helps drill down into unlikely trends of failed sudo attempts across the environment, based on parameters such as user, time, and source IP address.
- Tracking files being accessed by unlikely applications or users, and changes to sensitive files such as keys and /etc/passwd.
- Anomaly detection of unlikely network connection trends with regard to source and destination IPs, port numbers, and unexpected rises in connection counts, using various open-source machine learning frameworks.
- User-level tracking of which system calls were made, how many were potential privilege escalation attempts, and so on.
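The first point above, as an added worked example that is not part of the talk: a parser for auditd's key=value record layout, a per-(account, source address, time window) count of failed sudo authentications, and a robust baseline (median plus a multiple of the median absolute deviation) that flags the one account whose failure count stands out from the environment-wide norm. The record values and the `audit_line` helper are constructed for the demonstration; the field names follow real auditd USER_AUTH records.

```python
import re
from collections import Counter
from statistics import median

# auditd records are space-separated key=value fields; the USER_AUTH payload nested in msg='...' uses the same layout.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")

def parse_record(line):
    """Flatten one auditd record (outer fields plus the nested msg='...' payload) into a dict."""
    ts = TS_RE.search(line)
    flat = line.replace("msg='", "").rstrip("'")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(flat)}
    fields["ts"] = int(ts.group(1)) if ts else 0
    return fields

def failed_sudo_counts(lines, window=60):
    """Count failed sudo authentications per (account, source address, time window)."""
    counts = Counter()
    for r in map(parse_record, lines):
        if r.get("type") == "USER_AUTH" and r.get("exe") == "/usr/bin/sudo" and r.get("res") == "failed":
            counts[(r.get("acct"), r.get("addr"), r["ts"] // window)] += 1
    return counts

def anomalous_sudo_failures(lines, window=60, factor=4.0):
    """Flag (account, address) pairs whose failure count in some window is far above the
    environment-wide baseline (median + factor * MAD over all windows that saw any failure)."""
    counts = failed_sudo_counts(lines, window)
    values = list(counts.values())
    if not values:
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero spread when most windows see 1 failure
    threshold = med + factor * mad
    return {(acct, addr): n for (acct, addr, _), n in counts.items() if n > threshold}

def audit_line(ts, acct, addr, res):
    """Render a constructed record in auditd USER_AUTH layout (real field names, invented values)."""
    return (f"type=USER_AUTH msg=audit({ts}.000:{ts % 1000}): pid=4101 uid=1001 auid=1001 ses=7 "
            f"msg='op=PAM:authentication grantors=? acct=\"{acct}\" exe=\"/usr/bin/sudo\" "
            f"hostname=? addr={addr} terminal=/dev/pts/0 res={res}'")

# Constructed sample: routine successes, scattered single failures (typos), and one 9-attempt burst.
SAMPLE = [audit_line(1700000000 + 300 * i, a, "?", "success") for i, a in enumerate(["alice", "bob", "carol"])]
SAMPLE += [audit_line(1700001000 + 600 * i, a, "?", "failed")
           for i, a in enumerate(["alice", "bob", "carol", "dave", "bob", "alice"])]
SAMPLE += [audit_line(1700004980 + 3 * i, "svc-backup", "10.0.0.23", "failed") for i in range(9)]

if __name__ == "__main__":
    print(anomalous_sudo_failures(SAMPLE))  # {('svc-backup', '10.0.0.23'): 9}
```

In a deployment the same grouping keys map onto Elasticsearch aggregations over ingested auditd events, with the baseline learned from history rather than from one batch.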