• DocumentCode
    3748351
  • Title

    Parallel and distributed normalization of security events for instant attack analysis

  • Author

    David Jaeger;Andrey Sapegin;Martin Ussath;Feng Cheng;Christoph Meinel

  • Author_Institution
    Hasso Plattner Institute (HPI), University of Potsdam, 14482, Germany
  • fYear
    2015
  • Firstpage
    1
  • Lastpage
    8
  • Abstract
    When looking at media reports nowadays, major security breaches of big companies and governments seem to be a normal situation. An important step for the investigation or even prevention of these breaches is to normalize and analyze security-related log events from various systems in the target network. However, the number of log events produced in big IT landscapes can grow up to multiple billions per day. Current log management solutions, e.g., Security Information and Event Management (SIEM), cannot even closely normalize such huge amounts of data and therefore disable the tracking of attacks in real-time, which means that the log data remains unusable for attack analysis. In this paper, we present an approach to fully normalize event logs in high-speed by making use of established high-performance inter-thread messaging in conjunction with a hierarchical knowledge-base of log formats and parallel processing on multiple low-end systems. Using our approach, we are able to process more than 250,000 events/sec on relatively low-profile machines and can therefore easily handle more than 20 billion events/day, which is enough to handle average and peek loads of log events from big enterprise networks.
  • Keywords
    "Instruction sets","Security","Receivers","Concrete","Companies","Parallel processing","Knowledge based systems"
  • Publisher
    ieee
  • Conference_Titel
    Computing and Communications Conference (IPCCC), 2015 IEEE 34th International Performance
  • Electronic_ISBN
    2374-9628
  • Type

    conf

  • DOI
    10.1109/PCCC.2015.7410270
  • Filename
    7410270