Abstract
As industrial control system vulnerabilities and attacks increase, security controls must be applied to operational technologies. The growing demand for security threat monitoring and analysis techniques that integrate information from security logs has resulted in enterprise security management systems giving way to security information and event management systems. Nevertheless, it is vital to implement some form of pre-processing to collect, integrate and analyze security events efficiently. Operators still have to manually check entire security logs or write scripts or parsers that draw on domain knowledge, tasks that are time-consuming and error-prone.
To address these challenges, this chapter focuses on the data-driven mapping of security logs to support the integrated monitoring of operational technology systems. The characteristics of security logs from security appliances used in critical infrastructure assets are analyzed to create a tool that maps different security logs to field categories to support integrated system monitoring. The tool reduces the effort needed by operators to manually process security logs even when the logged data generated by security appliances has new or modified formats.
Copyright information
© 2019 IFIP International Federation for Information Processing
About this paper
Cite this paper
Choi, S., Kim, Y., Yun, JH., Min, BG., Kim, HC. (2019). Data-Driven Field Mapping of Security Logs for Integrated Monitoring. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XIII. ICCIP 2019. IFIP Advances in Information and Communication Technology, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-030-34647-8_13
DOI: https://doi.org/10.1007/978-3-030-34647-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34646-1
Online ISBN: 978-3-030-34647-8
eBook Packages: Computer Science (R0)