Project Details

bVAST: Approximate range-filtering for data-driven cyber-security monitoring infrastructures

Subject Area: Security and Dependability, Operating-, Communication- and Distributed Systems; Data Management, Data-Intensive Systems, Computer Science Methods in Business Informatics
Term: since 2026
Project identifier: Deutsche Forschungsgemeinschaft (DFG) - Project number 569116084
 
Cybersecurity monitoring platforms in large organizations process growing datasets, ranging from terabytes to petabytes, to detect and analyze cyber-attacks. Developing detections often requires highly selective, high-bandwidth subsets of the data, for example to train and test ML models. To this end, approximate range-filtering is essential for quickly narrowing down relevant data, e.g. to limit relevant activity to a range of TCP or UDP ports, or to examine data transfers between 1 and 100 MiB in more detail. Our prior work introduced bloomRF, an approach for approximate interval-filtering that works online and supports range-filtering of small to large ranges with acceptable accuracy. The main goal of the present project proposal is to integrate bloomRF into the open-source security data platform TENZIR in order to accelerate the analysis and investigation of security incidents and reduce operating costs through more efficient search queries.
DFG Programme: Research Grants (Transfer Project)
Application Partner: Tenzir GmbH
 
 
