IBM Research open-sources SysFlow to deal with cloud threats

IBM Research recently announced the release of SysFlow, an open source security toolkit for finding threats in cloud and container environments. SysFlow addresses a common problem in current security monitoring. Modern monitoring tools can capture system activity with high fidelity and track individual events, such as a change to a file.

This is useful, but it also generates a great deal of noise, which makes threats harder to spot. IBM researchers Frederico Araujo and Teryl Taylor said that hunting for an attack in this kind of data is like looking for a needle in a haystack.

SysFlow reduces the amount of information the security team must sift through. The toolkit collects operational data from a given system and compresses it into a model that shows the high-level behavior of the system rather than isolated events. A localized event, such as a single HTTP request, can still be presented, but SysFlow links it to the related pattern of behavior, and so provides the context needed for a detailed investigation.

Araujo and Taylor illustrated an attack scenario in a blog post that shows how convenient the toolkit is. They assume that an attacker found a vulnerable server on the corporate network, downloaded a malicious script onto it, and then broke into a sensitive customer database.

The two researchers explained that even advanced monitoring tools capture only a disconnected stream of events, whereas SysFlow connects the entities involved in each step of the attack on the system. For example, the SysFlow trace they highlight maps every step of the kill chain precisely: the server process is hijacked, it then talks to a remote malware server on port 2345, and the malicious script is downloaded and executed.

SysFlow not only helps the security team find threats but also saves hardware resources in the process. According to IBM, the toolkit reduces the rate of security data collection by an order of magnitude compared with traditional tools.

SysFlow has a built-in rule engine that can be customized to flag suspicious events automatically. Besides attacks, the toolkit can also detect compliance violations, such as financial records being kept in an inappropriate location. When finer-grained detection is required, a security team can program its own threat identification algorithms into SysFlow.
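To make the flow model and the rule engine concrete, here is an added illustration written for this page; it is not SysFlow's own code, schema or rule syntax. It collapses a constructed stream of raw events into one record per process-and-resource pair, then runs a simple rule that chains the steps of the scenario above (a process that talks to a remote server on port 2345, then writes a file and executes it). The event tuple layout, the process name httpd, the address 198.51.100.7 and the script path /tmp/update.sh are assumptions made for the example.

```python
"""Illustrative event-to-flow compression and a chained detection rule.

Not SysFlow's code or record format; a simplified model of the idea the
article describes: many raw events become a few flow records, and a rule
reasons over the flows of one process instead of over isolated events.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Flow:
    """One record per (pid, comm, resource), summarising many raw events."""
    pid: int
    comm: str
    resource: str
    ops: list = field(default_factory=list)  # operations, in order of first sight
    events: int = 0                          # raw events folded into this flow
    nbytes: int = 0
    first_ts: float = 0.0
    last_ts: float = 0.0


def sample_events():
    """Constructed event stream (ts, pid, comm, op, resource, nbytes).

    A web server serves ordinary traffic (200 file reads), then the hijacked
    process contacts a remote host on port 2345, drops a script and runs it.
    """
    ev = [(1.0 + i * 0.001, 4242, "httpd", "read", "/var/www/index.html", 512)
          for i in range(200)]
    ev += [
        (2.00, 4242, "httpd", "connect", "198.51.100.7:2345", 0),
        (2.05, 4242, "httpd", "recv", "198.51.100.7:2345", 4096),
        (2.06, 4242, "httpd", "recv", "198.51.100.7:2345", 4096),
        (2.10, 4242, "httpd", "write", "/tmp/update.sh", 8192),
        (2.20, 4242, "httpd", "exec", "/tmp/update.sh", 0),
    ]
    return ev


def compress(events):
    """Fold raw events into flows keyed by (pid, comm, resource)."""
    flows = OrderedDict()
    for ts, pid, comm, op, resource, nbytes in events:
        key = (pid, comm, resource)
        f = flows.get(key)
        if f is None:
            f = Flow(pid, comm, resource, first_ts=ts)
            flows[key] = f
        if op not in f.ops:
            f.ops.append(op)
        f.events += 1
        f.nbytes += nbytes
        f.last_ts = ts
    return list(flows.values())


def is_network(resource):
    """Network resources are written as host:port in this toy model."""
    return ":" in resource and resource.rsplit(":", 1)[1].isdigit()


def detect_download_and_exec(flows, suspicious_port=2345):
    """Rule: a process connected to suspicious_port, then wrote and executed a file.

    The rule correlates flows belonging to the same pid, which is the context
    a per-event detector lacks. Returns one finding per matching script.
    """
    by_pid = {}
    for f in flows:
        by_pid.setdefault(f.pid, []).append(f)

    findings = []
    for pid, pflows in by_pid.items():
        net = [f for f in pflows
               if is_network(f.resource) and "connect" in f.ops
               and int(f.resource.rsplit(":", 1)[1]) == suspicious_port]
        if not net:
            continue
        earliest_connect = min(f.first_ts for f in net)
        for f in pflows:
            # The dropped file must be written and executed after the connection.
            if "write" in f.ops and "exec" in f.ops and f.first_ts >= earliest_connect:
                findings.append({"pid": pid, "comm": f.comm,
                                 "remote": net[0].resource, "script": f.resource})
    return findings


if __name__ == "__main__":
    raw = sample_events()
    flows = compress(raw)
    print(f"{len(raw)} raw events -> {len(flows)} flow records")
    for f in flows:
        print(f"  pid={f.pid} {f.comm} {f.resource} ops={f.ops} "
              f"events={f.events} bytes={f.nbytes}")
    for hit in detect_download_and_exec(flows):
        print("ALERT download-and-execute:", hit)
```

The 200 read events collapse into a single flow record, so the analyst sees three records instead of 205, and the rule fires on the relationship between the network flow and the file flow of one process rather than on any single event. Raising the port filter to something benign (for example 443) yields no finding, which is the kind of tuning the article's rule engine is meant to allow.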

IBM believes the platform can be used alongside other open source tools. SysFlow's open serialization format and libraries support integration with open source frameworks such as Apache Spark and scikit-learn, as well as custom analytics microservices, as Araujo and Taylor wrote in their blog.

SysFlow's ability to turn raw system data into a high-level view of malicious behavior is also offered by other solutions. Several security vendors (including the newly funded start-up cyber? Asia) already sell commercial investigation tools that trace an attacker's path through the corporate network. However, IBM provides SysFlow free of charge as open source, which gives it a special position in the security tool ecosystem.

Copyright © 2011 JIN SHI