Title :
Security Event Correlation Supported by Multi-Core Architecture
Author :
Cheng, Feng ; Azodi, Amir ; Jaeger, David ; Meinel, Christoph
Author_Institution :
Hasso Plattner Inst. (HPI), Univ. of Potsdam, Potsdam, Germany
Abstract :
A huge amount of information about real-time events is generated every second in a running IT infrastructure and recorded in system logs, application logs, and the output of deployed security or management tools, e.g., IDS alerts, firewall logs, and scanning reports. Rapidly gathering, processing, correlating, and analyzing this massive volume of event information is a challenging task. High-performance security analytics is proposed to address this challenge: real-time event information is normalized, centralized, and correlated to help identify the current running state of the target environment. As an example of a next-generation Security Information and Event Management (SIEM) platform, the Security Analytics Lab (SAL) has been designed and implemented on top of the newly emerged in-memory data management technique, which makes it possible to efficiently organize, access, and process different types of event information through a consistent central storage and interface. In this paper, a multi-core architecture is introduced into the event correlation module of the SAL platform, so that correlation tasks can be executed in parallel on different computing resources. The k-means algorithm is implemented as an example of a possible event clustering and correlation algorithm. Several experiments are conducted and analyzed to show that the performance of the analytics can be significantly improved by applying the multi-core architecture in the event correlation procedure.
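The abstract describes the pipeline only at a high level: normalized events are centralized, then clustered with k-means, with the correlation work split across cores. The following is an added illustration of that idea, not code from the paper or from the SAL platform. It constructs a handful of normalized per-source event records (invented values), min-max scales them into feature vectors, and runs k-means whose assignment step is partitioned into chunks and mapped over a `multiprocessing.Pool`; the field names, the farthest-point seeding and the chunking scheme are this example's own assumptions.

```python
"""Added example: k-means event clustering with a parallel assignment step."""
import math
from multiprocessing import Pool, cpu_count

# Constructed normalized events (invented values, not from the paper): one record
# per (source, 1-minute window) with fields a SIEM normalizer might emit.
EVENTS = [
    # port-scan-like: many events, many distinct destination ports, low severity
    {"src": "10.0.0.11", "count": 950, "dst_ports": 400, "severity": 2},
    {"src": "10.0.0.12", "count": 870, "dst_ports": 380, "severity": 3},
    {"src": "10.0.0.13", "count": 990, "dst_ports": 450, "severity": 2},
    # brute-force-like: moderate count against one port, high severity
    {"src": "10.0.0.21", "count": 300, "dst_ports": 1, "severity": 8},
    {"src": "10.0.0.22", "count": 280, "dst_ports": 1, "severity": 9},
    {"src": "10.0.0.23", "count": 320, "dst_ports": 2, "severity": 8},
    # benign: few events, few ports, low severity
    {"src": "10.0.0.31", "count": 12, "dst_ports": 3, "severity": 1},
    {"src": "10.0.0.32", "count": 8, "dst_ports": 2, "severity": 1},
    {"src": "10.0.0.33", "count": 15, "dst_ports": 4, "severity": 2},
]
FEATURES = ("count", "dst_ports", "severity")


def to_vectors(events):
    """Min-max scale every feature to [0, 1] so that no single field dominates the distance."""
    lo = {f: min(e[f] for e in events) for f in FEATURES}
    hi = {f: max(e[f] for e in events) for f in FEATURES}
    return [tuple((e[f] - lo[f]) / ((hi[f] - lo[f]) or 1) for f in FEATURES) for e in events]


def sqdist(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def farthest_point_init(points, k):
    """Deterministic seeding: start at the first point, then repeatedly take the point
    farthest from all centroids chosen so far (an assumption of this example, not the paper's)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(sqdist(p, c) for c in centroids)))
    return centroids


def assign_chunk(task):
    """Worker task: nearest-centroid index for every point in one chunk.
    Defined at module level so it can be pickled and shipped to a worker process."""
    chunk, centroids = task
    return [min(range(len(centroids)), key=lambda i: sqdist(p, centroids[i])) for p in chunk]


def kmeans(points, k, workers=1, max_iter=50):
    """k-means whose assignment step is split into `workers` chunks; with workers > 1 the
    chunks are mapped over a process pool, which is the parallel decomposition the paper relies on."""
    centroids = farthest_point_init(points, k)
    size = math.ceil(len(points) / workers)
    chunks = [points[i:i + size] for i in range(0, len(points), size)]
    pool = Pool(workers) if workers > 1 else None
    mapper = pool.map if pool else map
    labels = None
    try:
        for _ in range(max_iter):
            parts = mapper(assign_chunk, [(c, list(centroids)) for c in chunks])
            new_labels = [label for part in parts for label in part]
            if new_labels == labels:  # assignments stable: converged
                break
            labels = new_labels
            # Update step: each centroid becomes the mean of its members
            # (an empty cluster keeps its previous centroid).
            for i in range(k):
                members = [p for p, l in zip(points, labels) if l == i]
                if members:
                    centroids[i] = tuple(sum(col) / len(members) for col in zip(*members))
    finally:
        if pool:
            pool.close()
            pool.join()
    return labels, centroids


def clusters_by_source(events, labels):
    """Group the original source addresses by the cluster id they were assigned to."""
    groups = {}
    for e, l in zip(events, labels):
        groups.setdefault(l, []).append(e["src"])
    return groups


if __name__ == "__main__":
    lbls, _ = kmeans(to_vectors(EVENTS), k=3, workers=max(2, cpu_count()))
    for cid, srcs in sorted(clusters_by_source(EVENTS, lbls).items()):
        print(f"cluster {cid}: {', '.join(srcs)}")
```

With the constructed records above the three behavioural groups separate cleanly, so the clustering is the same whether the assignment step runs in one process or several; the parallel split only changes how the per-point distance work is distributed, which is exactly what the abstract's experiments vary. On a real SIEM feed the feature choice and the scaling are what decide whether a cluster is operationally meaningful, and the cluster labels are an aid to triage, not an alert in themselves.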
Keywords :
multiprocessing systems; parallel architectures; pattern clustering; security of data; storage management; IT-Infrastructure; SAL platform; SIEM platform; application logs; central interface; central storage; computing resources; correlation algorithms; correlation tasks; event clustering; event correlation module; high performance security analytics; in-memory data management technique; k-means algorithm; management methods; multicore architecture; next generation security information and event management platform; real-time event information; real-time events; security analytics lab; security event correlation; system logs; Algorithm design and analysis; Clustering algorithms; Correlation; Multicore processing; Parallel processing; Security;
Conference_Title :
IT Convergence and Security (ICITCS), 2013 International Conference on
Conference_Location :
Macao
DOI :
10.1109/ICITCS.2013.6717881