Pushing the Limits in Event Normalisation to Improve Attack Detection in IDS/SIEM Systems

  title={Pushing the Limits in Event Normalisation to Improve Attack Detection in IDS/SIEM Systems},
  author={Amir Azodi and David Jaeger and Feng Cheng and Christoph Meinel},
  journal={2013 International Conference on Advanced Cloud and Big Data},
  • A. Azodi, David Jaeger, +1 author C. Meinel
  • Published 13 December 2013
  • Computer Science
  • 2013 International Conference on Advanced Cloud and Big Data
The current state of affairs regarding the way events are logged by IT systems is the source of many problems for the developers of Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. These problems stand in the way of the development of more accurate security solutions that draw their results from the data included within the logs they process. This is mainly caused by a lack of standards that can encapsulate all events in a coherent way. As a result… 
A framework for mastering heterogeneity in multi-layer security information and event correlation
A flexible framework for event collection and correlation is proposed, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure.
Parallel and distributed normalization of security events for instant attack analysis
This paper presents an approach to fully normalize event logs in high-speed by making use of established high-performance inter-thread messaging in conjunction with a hierarchical knowledge-base of log formats and parallel processing on multiple low-end systems.
Multi-step Attack Pattern Detection on Normalized Event Logs
An existing multi-step signature language is extended to support attack detection on normalized log events, which were collected from various applications and devices, and can create generic signatures that stay up-to-date.
Normalizing Security Events with a Hierarchical Knowledge Base
This paper proposes and evaluates multiple approaches for handling the normalization of a large number of typical logs better and more efficient by using a hierarchical knowledge base KB of normalization rules and achieves a performance gain of about 1000x with these approaches.
Semantic Query Federation for Scalable Security Log Analysis
This proposal proposes a distributed approach that enables semantic querying of dispersed log sources in large-scale infrastructures and will leverage linked data technologies and state-of-the-art federated query processing systems to automatically integrate and reason about security log information.
Threat Alert Prioritization Using Isolation Forest and Stacked Auto Encoder With Day-Forward-Chaining Analysis
A new method for highlighting critical alerts with a minimal number of false negatives is presented, which takes the advantage of day-forward-chaining analysis and employs isolation forest to ensure unsupervised performance and adaptability to different types of networks.
Técnicas de detección de ataques en un sistema SIEM (Security Information and Event Management)
Technology advance has achieved an almost entirely globalized world. New inventions are achieved at a speed that has revolutionized people’s pace of life. Information has become a very helpful and of
Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest
This study proposes an alert screening scheme that can triage alerts on the basis of the potential of a vast threat and leverages the fully unsupervised nature of the adopted isolation forest method for reducing vast threat alerts.
Runtime Updatable and Dynamic Event Processing Using Embedded ECMAScript Engines
This paper presents a novel method of event processing using an embedded ECMAScript engine to effectively outsource the logic operations needed for deeper event processing.
Mobile agent-based SIEM for event collection and normalization externalization
A mobile agent-based security information and event management architecture that uses mobile agents for near real-time event collection and normalization on the source device and shows that MA-SIEM systems are more efficient than existing SIEM systems because they leave the SIEM resources primarily dedicated to advanced correlation analysis.


Normalising Events into Incidents Using Unified Intrusion Detection-Related Data
The identification of the steps an attacker performs towards the exploitation of host and network based vulnerabilities can be captured in detail, and an incident classification can be used, using information from logged events.
An alert correlation platform for memory‐supported techniques
This work proposes and implements a highly efficient alert correlation platform that can be distributed over multiple processing units to share memory and processing power and designed to provide a unified view of result reports for end users.
The Intrusion Detection Message Exchange Format (IDMEF)
A data model to represent information exported by intrusion detection systems and the rationale for using this model is explained and an implementation of the data model in the Extensible Markup Language (XML) is presented.
Common Event Expression
  • 2008
The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official Government position, policy, or decision, unless designated
Requirements for the Format for Incident Information Exchange (FINE)
This document describes the high-level functional requirements of an abstract format, the Format for Incident information Exchange (FINE), which will facilitate the exchange of incident information
C# Language Specification
This book provides an introduction to and technical specification of the four major new features of C# 2.0: Generics, Anonymous Methods, Iterators, and Partial Types.
The Incident Object Description Exchange Format
This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
The MITRE corporation
  • N. Johnson
  • Computer Science
    ACM National Meeting
  • 1961
One method of solving for the zeroes of a function f(x) &equil; O is obtained by rewriting the equation in the form x &Equil; g( x) from which the iteration x<subscrpt>i+l</subscRpt> &equils g(x), which may or may not converge to the true root &xmarc; depending on the initial approximation.
Scan of the Month 34
  • 2005.
  • 2005
Block Bad Queries http://perishablepress.com/ block-bad-queries
  • Block Bad Queries http://perishablepress.com/ block-bad-queries
  • 2012