I.V. Kotenko, O.V. Polubelova, I.V. Saenko, A.A. Chechulin
Security information and event management (SIEM) technology is one of the most important lines of research in the field of information security of computer infrastructures. It enables effective security decisions based on event correlation, data mining, logical inference and data visualization. A key element of this technology is the representation of security events and their processing in the repository of SIEM systems.
The paper proposes a series of innovations relating to the implementation of the repository in new-generation SIEM systems used in service infrastructures. These innovations concern the application of the ontological approach to creating the repository data model and a hybrid approach to its implementation that combines the joint use of relational databases, XML databases and triple stores.
To analyse known solutions for building SIEM repositories, we considered such systems as AlienVault OSSIM, AccelOps, QRadar, Prelude, ArcSight, IBM Tivoli and Novell Sentinel. The analysis revealed that, firstly, existing SIEM systems use separate data stores to hold events. Secondly, all the considered data warehouses typically use SQL for data management. Finally, in some systems attempts have been made to apply the ontological approach.
It is shown that the challenge of creating the data model of a SIEM system is due to a number of causes. First, the data stored in the repository are compiled from various sources in a variety of formats. Secondly, these data are used by various components for processing, modelling and decision support in the SIEM system. In addition, there is a need for high-speed data processing: the data model should be developed to support maximum query efficiency and should not contain any links. Finally, given the broad application area of SIEM systems, the data model should be flexible and extensible.
The ontological approach seems preferable for meeting these challenges. Analysing its features, we considered widely used standards for security reporting, such as SCAP, Common Base Event and the Common Information Model. On the basis of these standards, relational data models are usually developed and relational database systems are used as the storage. However, the data model of a SIEM system becomes overloaded because of the lack of flexibility and expressiveness of the SQL query language. The second problem is the need to update the data schema in accordance with the requirements of an actively changing subject area for large data volumes.
The essence of the ontological approach is a set of application-domain concepts and the relationships between them. The mathematics underlying the ontological approach allows building more precise queries.
To create the data models and the repository, we developed an ontology for describing vulnerabilities used by the Attack Modeling and Security Evaluation Component (AMSEC). We plan to extend this model to represent countermeasures, risk assessment, malefactors and other concepts based on SCAP.
To store and manipulate the data, we suggest building the repository on the principles of service-oriented architecture (SOA). As the store we use the Virtuoso DBMS from OpenLink Software, which supports the functionality of both a relational DBMS and a triple store.
The general architecture of the SOA-based repository is proposed. It has layers of data storage, data representation and services; in addition to these layers it provides a data access layer. To test the proposed decisions on internal representation and data repository architecture, we use the AMSEC component of the SIEM system. The test results showed that the ontological approach allows loading and sampling data more accurately, requires less computational cost and thus significantly improves the performance of the repository.
Further research is associated with elaborating the proposed vulnerability ontology and with adding such services as security modelling and analysis and verification of security policies. Finally, we plan to investigate logical inference over the ontological repository and to develop data visualization mechanisms.