Article

Pushing the Limits in Event Normalisation to Improve Attack Detection in IDS/SIEM Systems

Authors:

Amir Azodi,

David Jaeger,

Feng Cheng,

Christoph MeinelAuthors Info & Claims

CBD '13: Proceedings of the 2013 International Conference on Advanced Cloud and Big Data

Pages 69 - 76

https://doi.org/10.1109/CBD.2013.27

Published: 13 December 2013 Publication History

Abstract

The current state of affairs regarding the way events are logged by IT systems is the source of many problems for the developers of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. These problems stand in the way of the development of more accurate security solutions that draw their results from the data included within the logs they process. This is mainly caused by a lack of standards that can encapsulate all events in a coherent way. As a result, correlating between logs produced by different systems that use different log formats has been difficult and infeasible in many cases. In order to solve the challenges faced by Correlation Based Intrusion Detection Systems, we provide a platform for normalising events1 into a unified super event loosely based on the Common Event Expression standard (CEE) developed by the Mitre corporation. We show how our solution is able to normalise seemingly unrelated events into a unified format. Additionally, we demonstrate queries that can detect attacks on collections of normalised logs from different sources.

Cited By

View all

Ban TSamuel NTakahashi TInoue D(2021)Combat Security Alert Fatigue with AI-Assisted TechniquesProceedings of the 14th Cyber Security Experimentation and Test Workshop10.1145/3474718.3474723(9-16)Online publication date: 9-Aug-2021
https://dl.acm.org/doi/10.1145/3474718.3474723
Coppolino LD'Antonio SFormicola VRomano L(2018)A framework for mastering heterogeneity in multi-layer security information and event correlationJournal of Systems Architecture: the EUROMICRO Journal10.1016/j.sysarc.2015.11.01062:C(78-88)Online publication date: 30-Dec-2018
https://dl.acm.org/doi/10.1016/j.sysarc.2015.11.010
Azodi ACheng FMeinel C(2017)Event Driven Network Topology Discovery and Inventory Listing Using REAMSWireless Personal Communications: An International Journal10.1007/s11277-015-3061-394:3(415-430)Online publication date: 1-Jun-2017
https://dl.acm.org/doi/10.1007/s11277-015-3061-3
Show More Cited By

Recommendations

An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems
ACSAC '03: Proceedings of the 19th Annual Computer Security Applications Conference

Signature-based intrusion detection systems use a set ofattack descriptions to analyze event streams, looking forevidence of malicious behavior. If the signatures are expressedin a well-defined language, it is possible to analyzethe attack signatures ...
Real-world polymorphic attack detection using network-level emulation
CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead

As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ techniques such as code obfuscation and polymorphism to defeat these defenses. We have recently proposed network-level emulation, a heuristic ...
DTB-IDS: an intrusion detection system based on decision tree using behavior analysis for preventing APT attacks

Due to rapid growth of communications and networks, a cyber-attack with malicious codes has been coming as a new paradigm in information security area since last few years. In particular, an advanced persistent threats (APT) attack is bringing out big ...

Comments

Information & Contributors

Information

Published In

CBD '13: Proceedings of the 2013 International Conference on Advanced Cloud and Big Data

December 2013

206 pages

ISBN:9781479932610

Publisher

IEEE Computer Society

United States

Publication History

Published: 13 December 2013

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Ban TSamuel NTakahashi TInoue D(2021)Combat Security Alert Fatigue with AI-Assisted TechniquesProceedings of the 14th Cyber Security Experimentation and Test Workshop10.1145/3474718.3474723(9-16)Online publication date: 9-Aug-2021
https://dl.acm.org/doi/10.1145/3474718.3474723
Coppolino LD'Antonio SFormicola VRomano L(2018)A framework for mastering heterogeneity in multi-layer security information and event correlationJournal of Systems Architecture: the EUROMICRO Journal10.1016/j.sysarc.2015.11.01062:C(78-88)Online publication date: 30-Dec-2018
https://dl.acm.org/doi/10.1016/j.sysarc.2015.11.010
Azodi ACheng FMeinel C(2017)Event Driven Network Topology Discovery and Inventory Listing Using REAMSWireless Personal Communications: An International Journal10.1007/s11277-015-3061-394:3(415-430)Online publication date: 1-Jun-2017
https://dl.acm.org/doi/10.1007/s11277-015-3061-3
Azodi AGawron MSapegin ACheng FMeinel C(2015)Leveraging Event Structure for Adaptive Machine Learning on Big Data LandscapesSelected Papers of the First International Conference on Mobile, Secure, and Programmable Networking - Volume 939510.1007/978-3-319-25744-0_3(28-40)Online publication date: 15-Jun-2015
https://dl.acm.org/doi/10.1007/978-3-319-25744-0_3
Jaeger DAzodi ACheng FMeinel C(undefined)Normalizing Security Events with a Hierarchical Knowledge BaseInformation Security Theory and Practice10.1007/978-3-319-24018-3_15(237-248)
https://dl.acm.org/doi/10.1007/978-3-319-24018-3_15

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

Cited By

Recommendations

An Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems

Real-world polymorphic attack detection using network-level emulation

DTB-IDS: an intrusion detection system based on decision tree using behavior analysis for preventing APT attacks

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations