Paul Valladares, Walter Fuertes, Freddy Tapia, T. Toulkeridis, Ernesto Perez
Title: Dimensional data model for early alerts of malicious activities in a CSIRT
Venue: 2017 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS)
DOI: 10.23919/SPECTS.2017.8046771 (https://doi.org/10.23919/SPECTS.2017.8046771)
Published: 2017-07-09
Citations: 10
Abstract
The growth and evolution of threats, vulnerabilities and cyber-attacks increase the number of security incidents and have a negative impact on organizations. We present an online analytical processing (OLAP) system for early alerts of upcoming malicious activities. This study aims to systematize the cybersecurity support provided by a Computer Security Incident Response Team (CSIRT) and to establish a mechanism for analyzing and improving the overall security level of networks and equipment through early warning services. To this end, a Business Intelligence solution was developed that adapts Ralph Kimball's dimensional modeling methodology to the analysis of computer security incidents. The result is a data warehouse populated from alerts and events received as a continuous feed from various Internet security sources that collect, track and report malware, botnets and electronic fraud. Using Pentaho BI, we built the processes that load data into dimensions, measures and fact tables, as well as the OLAP cubes, reports and dashboards. The results demonstrate the functionality of the application, which makes it possible to visualize both the early warnings and the security level of the participating institutions with respect to the registered threats and vulnerabilities.
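To make the Kimball-style design concrete, the following is an added example (not the paper's schema or Pentaho artifacts) of a star schema for CSIRT alert feeds: a single fact table of sightings surrounded by date, source, threat-type and institution dimensions, a cube-style roll-up per institution and threat type, and an early-warning rule that flags a day whose count for an institution/threat pair spikes above that pair's historical daily baseline. All table and column names are assumptions, the feed rows are constructed, and the spike rule (at least 3 sightings and at least twice the prior mean) is an illustrative threshold, not one taken from the paper.

```python
"""Star schema for CSIRT early warnings (Kimball-style illustration).

Added example, not the paper's schema: table/column names are assumptions and
the FEED rows below are constructed, not real threat-intelligence data.
"""
import sqlite3

# Constructed sample feed: (event_date, source, threat_type, institution, indicator).
# Models the continuous stream of malware/botnet/fraud sightings per institution.
FEED = [
    ("2017-05-01", "feedA", "botnet",  "inst-1", "10.0.0.1"),
    ("2017-05-01", "feedB", "malware", "inst-2", "10.0.1.7"),
    ("2017-05-02", "feedA", "botnet",  "inst-1", "10.0.0.2"),
    ("2017-05-02", "feedC", "fraud",   "inst-3", "10.0.2.4"),
    ("2017-05-03", "feedA", "botnet",  "inst-1", "10.0.0.3"),
    ("2017-05-03", "feedA", "botnet",  "inst-1", "10.0.0.4"),
    ("2017-05-03", "feedA", "botnet",  "inst-1", "10.0.0.5"),
    ("2017-05-03", "feedB", "malware", "inst-2", "10.0.1.8"),
]

# Dimensions carry descriptive attributes with surrogate keys; the fact table
# holds one row per sighting with the additive measure alert_count.
SCHEMA = """
CREATE TABLE dim_date (date_key INTEGER PRIMARY KEY, full_date TEXT UNIQUE, year INTEGER, month INTEGER);
CREATE TABLE dim_source (source_key INTEGER PRIMARY KEY, source_name TEXT UNIQUE);
CREATE TABLE dim_threat (threat_key INTEGER PRIMARY KEY, threat_type TEXT UNIQUE);
CREATE TABLE dim_institution (institution_key INTEGER PRIMARY KEY, institution_name TEXT UNIQUE);
CREATE TABLE fact_alert (
    date_key INTEGER REFERENCES dim_date(date_key),
    source_key INTEGER REFERENCES dim_source(source_key),
    threat_key INTEGER REFERENCES dim_threat(threat_key),
    institution_key INTEGER REFERENCES dim_institution(institution_key),
    indicator TEXT,
    alert_count INTEGER NOT NULL DEFAULT 1
);
"""


def _dim_key(conn, table, key_col, natural_col, value):
    """Insert-or-lookup a dimension row by natural key; return its surrogate key."""
    conn.execute(f"INSERT OR IGNORE INTO {table} ({natural_col}) VALUES (?)", (value,))
    return conn.execute(f"SELECT {key_col} FROM {table} WHERE {natural_col} = ?", (value,)).fetchone()[0]


def _date_key(conn, full_date):
    """Date dimension row for an ISO date, with year/month attributes for roll-ups."""
    year, month, _ = full_date.split("-")
    conn.execute("INSERT OR IGNORE INTO dim_date (full_date, year, month) VALUES (?, ?, ?)",
                 (full_date, int(year), int(month)))
    return conn.execute("SELECT date_key FROM dim_date WHERE full_date = ?", (full_date,)).fetchone()[0]


def build_warehouse(feed=FEED):
    """ETL step: load feed records into the dimensions and the fact table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for full_date, source, threat, institution, indicator in feed:
        conn.execute(
            "INSERT INTO fact_alert (date_key, source_key, threat_key, institution_key, indicator) "
            "VALUES (?, ?, ?, ?, ?)",
            (_date_key(conn, full_date),
             _dim_key(conn, "dim_source", "source_key", "source_name", source),
             _dim_key(conn, "dim_threat", "threat_key", "threat_type", threat),
             _dim_key(conn, "dim_institution", "institution_key", "institution_name", institution),
             indicator))
    conn.commit()
    return conn


def rollup_by_institution(conn):
    """Cube-style aggregate: total alerts per (institution, threat type)."""
    rows = conn.execute("""
        SELECT i.institution_name, t.threat_type, SUM(f.alert_count)
        FROM fact_alert f
        JOIN dim_institution i ON i.institution_key = f.institution_key
        JOIN dim_threat t ON t.threat_key = f.threat_key
        GROUP BY i.institution_name, t.threat_type""").fetchall()
    return {(inst, thr): n for inst, thr, n in rows}


def daily_counts(conn):
    """Finer grain of the same cube: alerts per (date, institution, threat type)."""
    rows = conn.execute("""
        SELECT d.full_date, i.institution_name, t.threat_type, SUM(f.alert_count)
        FROM fact_alert f
        JOIN dim_date d ON d.date_key = f.date_key
        JOIN dim_institution i ON i.institution_key = f.institution_key
        JOIN dim_threat t ON t.threat_key = f.threat_key
        GROUP BY d.full_date, i.institution_name, t.threat_type""").fetchall()
    return {(d, inst, thr): n for d, inst, thr, n in rows}


def early_warnings(conn, day, factor=2.0, min_count=3):
    """Flag (institution, threat) pairs whose count on `day` is at least min_count
    and at least `factor` times their mean daily count over all earlier days in
    the warehouse (days with no sightings for the pair count as zero)."""
    counts = daily_counts(conn)
    prior_days = sorted({d for (d, _, _) in counts if d < day})
    flagged = []
    for (d, inst, thr), n in counts.items():
        if d != day or n < min_count:
            continue
        prior_total = sum(counts.get((p, inst, thr), 0) for p in prior_days)
        baseline = prior_total / len(prior_days) if prior_days else 0.0
        if n >= factor * baseline:
            flagged.append((inst, thr, n, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    wh = build_warehouse()
    print(rollup_by_institution(wh))
    print(early_warnings(wh, "2017-05-03"))
```

On the constructed feed, inst-1 averages one botnet sighting per day on the first two days and produces three on the third, so `early_warnings(conn, "2017-05-03")` flags that pair while the single malware sighting for inst-2 stays below the minimum count. Because the baseline counts days with zero sightings, a pair that is normally quiet is flagged on its first burst, which is the behaviour a CSIRT wants from an early-warning view rather than a plain total.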