Abstract:
In the rapidly evolving landscape of cybersecurity, Endpoint Detection and Response (EDR) systems have emerged as a critical advancement, providing organizations with enhanced capabilities to detect, investigate, and mitigate sophisticated attacks. The open-source EDR platform Wazuh is an attractive option for organizations: it provides comprehensive security monitoring, threat detection, and incident response capabilities without the burden of licensing costs. A critical component of the Wazuh system is its rule set: predefined or custom-written conditions that analyze log data and system events to identify potential security threats, anomalies, or policy violations. These rules, typically written in XML format, form the core of Wazuh's threat detection capabilities. However, in complex architectures the rule set can be hard to understand and update, and different rules can overlap, preempt, or cancel each other. To address this issue, we propose to model Wazuh rules as Weighted Timed Automata, which makes it possible to verify that rules are triggered as intended by checking the reachability of the corresponding state in the automaton with the model checker Uppaal.
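As an added illustration of the idea in the abstract (example code written for this page, not the authors' model or Wazuh's own engine), the following Python treats a small constructed rule set as a timed automaton: the if_sid tree is the untimed part, a frequency/timeframe rule adds a counter and a clock, and an exhaustive search of the finite abstract state space reports which rule locations any event trace can reach, exposing a rule that an overlapping sibling preempts. Assumptions, not taken from the paper: among sibling rules the first one in file order whose match string occurs in the event wins, a frequency counter restarts when its timeframe has expired, and the rule XML and event messages are constructed here rather than real Wazuh rules.

```python
import xml.etree.ElementTree as ET
# Constructed rule set and event alphabet (not real Wazuh rules): 100003 is
# shadowed by its sibling 100002 (first match wins); 100004 is the timed rule,
# needing 3 firings of 100002 within 2 time units.
RULES_XML = """<group name="demo">
  <rule id="100001" level="0"><match>sshd</match></rule>
  <rule id="100002" level="5"><if_sid>100001</if_sid><match>Failed password</match></rule>
  <rule id="100003" level="8"><if_sid>100001</if_sid><match>Failed password for root</match></rule>
  <rule id="100004" level="10"><if_sid>100002</if_sid><frequency>3</frequency><timeframe>2</timeframe></rule>
</group>"""
ALPHABET = ("sshd: Failed password for root", "sshd: Accepted password", "cron: job done")

def parse_rules(xml_text):
    return [{"id": r.get("id"), "parent": r.findtext("if_sid"), "match": r.findtext("match"),
             "freq": int(r.findtext("frequency") or 1), "window": int(r.findtext("timeframe") or 0)}
            for r in ET.fromstring(xml_text).iter("rule")]

def match_chain(rules, event):
    """Untimed part: descend the if_sid tree; the first matching sibling wins."""
    current = None
    while True:
        child = next((r for r in rules if r["parent"] == current and r["freq"] == 1
                      and (r["match"] is None or r["match"] in event)), None)
        if child is None: return current
        current = child["id"]

def step(rules, state, delay, event):
    """One transition: let `delay` units pass, read `event`; state = (count, clock) per timed rule."""
    fired, new_state = {match_chain(rules, event)} - {None}, []
    for r, (count, clock) in zip([r for r in rules if r["freq"] > 1], state):
        clock = min(clock + delay, r["window"] + 1)          # clock saturates past the window
        if r["parent"] in fired:
            if count == 0 or clock > r["window"]: count, clock = 0, 0   # fresh window
            count += 1
            if count >= r["freq"]: fired.add(r["id"]); count, clock = 0, 0  # guard met
        new_state.append((count, clock))
    return tuple(new_state), fired

def reachable_rules(rules, alphabet):
    """Exhaustive search of the finite abstract state space (counts plus saturated
    integer clocks): the set of rule locations that some event trace can reach."""
    timed = [r for r in rules if r["freq"] > 1]
    start = tuple((0, 0) for _ in timed)
    seen, todo, reached = {start}, [start], set()
    while todo:
        state = todo.pop()
        for delay in range(max((r["window"] for r in timed), default=0) + 2):
            for event in alphabet:
                nxt, fired = step(rules, state, delay, event)
                reached |= fired
                if nxt not in seen: seen.add(nxt); todo.append(nxt)
    return reached
```

Rules absent from `reachable_rules(...)` are exactly the ones a reachability query would flag; here 100003 is unreachable because 100002 preempts it on every event it could match.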