• DocumentCode
    685905
  • Title
    Pushing the Limits in Event Normalisation to Improve Attack Detection in IDS/SIEM Systems
  • Author
    Azodi, Amir ; Jaeger, David ; Feng Cheng ; Meinel, Christoph
  • Author_Institution
    Hasso Plattner Inst. (HPI), Univ. of Potsdam, Potsdam, Germany
  • fYear
    2013
  • fDate
    13-15 Dec. 2013
  • Firstpage
    69
  • Lastpage
    76
  • Abstract
    The current state of affairs regarding the way events are logged by IT systems is the source of many problems for the developers of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. These problems stand in the way of the development of more accurate security solutions that draw their results from the data included within the logs they process. This is mainly caused by a lack of standards that can encapsulate all events in a coherent way. As a result, correlating between logs produced by different systems that use different log formats has been difficult and infeasible in many cases. In order to solve the challenges faced by Correlation Based Intrusion Detection Systems, we provide a platform for normalising events into a unified super event loosely based on the Common Event Expression standard (CEE) developed by the Mitre corporation. We show how our solution is able to normalise seemingly unrelated events into a unified format. Additionally, we demonstrate queries that can detect attacks on collections of normalised logs from different sources.
  • Keywords
    security of data; CEE; IDS-SIEM systems; IT systems; attack detection; common event expression standard; correlation based intrusion detection systems; event normalisation; log formats; query; security information and event management systems; Data mining; Databases; Intrusion detection; Servers; Software; Standards; Event Management; Event Normalisation; Intrusion Detection; Knowledge base;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Cloud and Big Data (CBD), 2013 International Conference on
  • Conference_Location
    Nanjing
  • Print_ISBN
    978-1-4799-3260-3
  • Type
    conf
  • DOI
    10.1109/CBD.2013.27
  • Filename
    6824575