
A framework for mastering heterogeneity in multi-layer security information and event correlation

Published: 01 January 2016

Highlights

  • We detected limits of SIEM systems while being used to protect critical infrastructures from sophisticated cyberattacks.
  • We developed a new data collection and pre-correlation framework named "GET".
  • GET links physical to logical security and exploits knowledge of the Business Process.
  • The GET framework has been integrated into the open-source SIEM OSSIM.
  • We validated the GET in a dam control system and a mobile-phone-based payment service.

Abstract

Security Information and Event Management (SIEM) is a consolidated technology that relies on the correlation of massive amounts of security-relevant information in order to detect ongoing attacks and intrusions. This correlation process is usually fed with logs generated by network devices and equipment, thus proving to be ineffective against attacks that affect multiple domains (e.g. physical, logical) or different architectural levels (e.g. network, operating system, application) of a service infrastructure. To bridge the gap, we propose a flexible framework for event collection and correlation, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure. The framework has been integrated into the open-source SIEM OSSIM, and validated in two challenging case studies, namely a dam infrastructure control system and a mobile-phone-based payment service.


Cited By

  • (2020) Dynamic risk management architecture based on heterogeneous data sources for enhancing the cyber situational awareness in organizations. Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1-9. doi:10.1145/3407023.3409224. Online publication date: 25-Aug-2020.
  • (2019) Developing novel solutions to realise the European Energy – Information Sharing & Analysis Centre. Decision Support Systems, 122:C. doi:10.1016/j.dss.2019.05.007. Online publication date: 1-Jul-2019.
  • (2017) Rule Generation for TCP SYN Flood attack in SIEM Environment. Procedia Computer Science, 115:C, pp. 580-587. doi:10.1016/j.procs.2017.09.117. Online publication date: 1-Nov-2017.


Published In

Journal of Systems Architecture: the EUROMICRO Journal, Volume 62, Issue C, January 2016, 88 pages.

Publisher

Elsevier North-Holland, Inc., United States

Author Tags

  1. Data collection
  2. Data correlation
  3. Mobile payment
  4. Security Information and Event Management
  5. Security Probe

Qualifiers

  • Research-article
