Title :
Common Framework for Attack Modeling and Security Evaluation in SIEM Systems
Author :
Kotenko, Igor ; Chechulin, Andrey
Author_Institution :
Lab. of Comput. Security Problems, St. Petersburg Inst. for Inf. & Autom. (SPIIRAS), St. Petersburg, Russia
Abstract :
The paper suggests a framework for attack modeling and security evaluation in Security Information and Event Management (SIEM) systems. It is supposed that the common approach to attack modeling and security evaluation is based on modeling of a malefactor's behavior, generating a common attack graph, calculating different security metrics and providing risk analysis procedures. Key elements of suggested architectural solutions for attack modeling and security evaluation are using a comprehensive security repository, effective attack graph (tree) generation techniques, taking into account known and new attacks based on zero-day vulnerabilities, stochastic analytical modeling, and interactive decision support to choose preferred security solutions. The architecture of the Attack Modeling and Security Evaluation Component (AMSEC) is proposed, and its interaction with other SIEM components is described. We present the prototype of the component and the results of experiments carried out.
Keywords :
computer network security; decision support systems; interactive systems; risk analysis; stochastic processes; trees (mathematics); SIEM system; attack graph; attack modeling; comprehensive security repository; interactive decision support; malefactor behavior modeling; risk analysis procedure; security evaluation; security information and event management; security metrics; stochastic analytical modeling; tree generation technique; zero day vulnerability; Analytical models; Computational modeling; Databases; Generators; Measurement; Prototypes; Security; Attack graph; Attack modeling; SIEM; Security evaluation; Service dependences; Zero day vulnerabilities;
Conference_Title :
Green Computing and Communications (GreenCom), 2012 IEEE International Conference on
Conference_Location :
Besancon
Print_ISBN :
978-1-4673-5146-1
DOI :
10.1109/GreenCom.2012.24