{"title":"IDS/SIEM系统多层直接存取知识库的新方法","authors":"Amir Azodi, David Jaeger, Feng Cheng, C. Meinel","doi":"10.1109/DASC.2013.48","DOIUrl":null,"url":null,"abstract":"Looking at current IDS and SIEM systems, we observe heavy processing power dedicated solely to answering a simple question, What is the format of the log line that the IDS (or SIEM) system should process next? Due to the apparent difficulties of uniquely identifying a log line at run-time, most systems today do little or no normalisation of the events they receive. Indeed these systems often rely on popular search engine applications for processing and analysing the event information they receive, which results in slower and far less accurate event correlations. In this process, a large list of tokenisers is usually created in order to find an answer to the above posted question. The tokenisers are run against the log lines, until a match is found. The appropriate log line can then be passed on to the correct extraction module for further processing. This process is currently the standard procedure of most IDS and SIEM systems. To address this problem and to optimise and improve the said process, this paper describes a method for detecting the exact type and format of a read log line in the first place. The method presented performs in an efficient manner, while it is less resource hungry. The proposed detection system is described and implemented, its pros and cons are analysed and weighed against methods currently implemented by popular IDS and SIEM systems for solving this task.","PeriodicalId":179557,"journal":{"name":"2013 IEEE 11th International Conference on Dependable, Autonomic and Secure Computing","volume":"321 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"26","resultStr":"{\"title\":\"A New Approach to Building a Multi-tier Direct Access Knowledgebase for IDS/SIEM Systems\",\"authors\":\"Amir Azodi, David Jaeger, Feng Cheng, C. Meinel\",\"doi\":\"10.1109/DASC.2013.48\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Looking at current IDS and SIEM systems, we observe heavy processing power dedicated solely to answering a simple question, What is the format of the log line that the IDS (or SIEM) system should process next? Due to the apparent difficulties of uniquely identifying a log line at run-time, most systems today do little or no normalisation of the events they receive. Indeed these systems often rely on popular search engine applications for processing and analysing the event information they receive, which results in slower and far less accurate event correlations. In this process, a large list of tokenisers is usually created in order to find an answer to the above posted question. The tokenisers are run against the log lines, until a match is found. The appropriate log line can then be passed on to the correct extraction module for further processing. This process is currently the standard procedure of most IDS and SIEM systems. To address this problem and to optimise and improve the said process, this paper describes a method for detecting the exact type and format of a read log line in the first place. The method presented performs in an efficient manner, while it is less resource hungry. The proposed detection system is described and implemented, its pros and cons are analysed and weighed against methods currently implemented by popular IDS and SIEM systems for solving this task.\",\"PeriodicalId\":179557,\"journal\":{\"name\":\"2013 IEEE 11th International Conference on Dependable, Autonomic and Secure Computing\",\"volume\":\"321 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-12-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"26\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 IEEE 11th International Conference on Dependable, Autonomic and Secure Computing\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DASC.2013.48\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 IEEE 11th International Conference on Dependable, Autonomic and Secure Computing","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DASC.2013.48","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A New Approach to Building a Multi-tier Direct Access Knowledgebase for IDS/SIEM Systems
Looking at current IDS and SIEM systems, we observe heavy processing power dedicated solely to answering a simple question, What is the format of the log line that the IDS (or SIEM) system should process next? Due to the apparent difficulties of uniquely identifying a log line at run-time, most systems today do little or no normalisation of the events they receive. Indeed these systems often rely on popular search engine applications for processing and analysing the event information they receive, which results in slower and far less accurate event correlations. In this process, a large list of tokenisers is usually created in order to find an answer to the above posted question. The tokenisers are run against the log lines, until a match is found. The appropriate log line can then be passed on to the correct extraction module for further processing. This process is currently the standard procedure of most IDS and SIEM systems. To address this problem and to optimise and improve the said process, this paper describes a method for detecting the exact type and format of a read log line in the first place. The method presented performs in an efficient manner, while it is less resource hungry. The proposed detection system is described and implemented, its pros and cons are analysed and weighed against methods currently implemented by popular IDS and SIEM systems for solving this task.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
