DocumentCode
3748351
Title
Parallel and distributed normalization of security events for instant attack analysis
Author
David Jaeger;Andrey Sapegin;Martin Ussath;Feng Cheng;Christoph Meinel
Author_Institution
Hasso Plattner Institute (HPI), University of Potsdam, 14482, Germany
fYear
2015
Firstpage
1
Lastpage
8
Abstract
When looking at media reports nowadays, major security breaches of big companies and governments seem to be a normal situation. An important step for the investigation or even prevention of these breaches is to normalize and analyze security-related log events from various systems in the target network. However, the number of log events produced in big IT landscapes can grow up to multiple billions per day. Current log management solutions, e.g., Security Information and Event Management (SIEM), cannot even closely normalize such huge amounts of data and therefore disable the tracking of attacks in real-time, which means that the log data remains unusable for attack analysis. In this paper, we present an approach to fully normalize event logs in high-speed by making use of established high-performance inter-thread messaging in conjunction with a hierarchical knowledge-base of log formats and parallel processing on multiple low-end systems. Using our approach, we are able to process more than 250,000 events/sec on relatively low-profile machines and can therefore easily handle more than 20 billion events/day, which is enough to handle average and peek loads of log events from big enterprise networks.
Keywords
"Instruction sets","Security","Receivers","Concrete","Companies","Parallel processing","Knowledge based systems"
Publisher
ieee
Conference_Titel
Computing and Communications Conference (IPCCC), 2015 IEEE 34th International Performance
Electronic_ISBN
2374-9628
Type
conf
DOI
10.1109/PCCC.2015.7410270
Filename
7410270
Link To Document