Journal: Highly Available Systems, No. 2, 2012.
Article in issue:
Applying Ontologies and Logical Inference for Security Information and Event Management
Authors:
I.V. Kotenko, O.V. Polubelova, I.V. Saenko, A.A. Chechulin
Abstract:
Security information and event management (SIEM) technology is one of the most important lines of research in the information security of computer infrastructures. It supports effective security decisions based on event correlation, data mining, logical inference and data visualization. A key element of this technology is the representation of security events and their processing in the repository of the SIEM system.
The paper proposes a series of innovations relating to the implementation of the repository in next-generation SIEM systems used in service infrastructures. These innovations concern the application of the ontological approach to creating the repository data model, and a hybrid approach to its implementation that combines the joint use of relational databases, XML databases and triple stores.
To analyse known solutions for building a SIEM repository, we considered AlienVault OSSIM, AccelOps, QRadar, Prelude, ArcSight, IBM Tivoli and Novell Sentinel. The analysis revealed that, first, existing SIEM systems use separate data stores for events. Second, all of the considered data stores typically use SQL for data management. Finally, in some systems attempts have been made to apply the ontological approach.
It is shown that creating the data model of a SIEM system is challenging for a number of reasons. First, the data stored in the repository are collected from various sources in a variety of formats. Second, these data are used by various processing, modelling and decision-support components of the SIEM system. In addition, there is a need for high-speed data processing: the data model should be designed for maximum query efficiency and should not contain cross-table links. Finally, given the breadth of the SIEM application area, the data model should be flexible and extensible.
The ontological approach seems preferable for meeting these challenges. In analysing its features we considered widely used standards for security reporting such as SCAP, Common Base Event and the Common Information Model. Relational data models are usually developed on the basis of these standards, with relational database systems used as the storage. However, the resulting data models for SIEM systems become overloaded because of the limited flexibility and expressiveness of the SQL query language. A second problem is the need to update the data schema in line with the requirements of an actively changing subject area, at large data volumes.
The essence of the ontological approach is a set of application-domain concepts and the relationships between them. The mathematical foundation of the ontological approach makes it possible to formulate more precise queries.
To create the data model and the repository, we developed an ontology for describing vulnerabilities, used by the Attack Modeling and Security Evaluation Component (AMSEC). We plan to extend this model to represent countermeasures, risk assessment, malefactors and other concepts based on SCAP.
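The two preceding paragraphs describe the ontological approach (domain concepts plus relationships, with inference yielding more precise queries) and a vulnerability ontology for AMSEC, but the abstract carries no concrete data. The Python script below is an added example, not the authors' AMSEC code or their Virtuoso repository: it builds a toy in-memory triple store holding a small vulnerability ontology (a class hierarchy and a transitive dependsOn property), forward-chains a subset of RDFS/OWL entailment rules to a fixed point, and then asks which hosts run software exposed to a vulnerability classified as critical. Without inference the same query, like a fixed-depth SQL join over explicitly asserted rows, returns nothing. All hosts, software names and vulnerability identifiers (ex:vuln1 and so on) are constructed placeholders, and the ex: namespace prefix is hypothetical.

```python
"""Toy ontology-backed vulnerability repository with forward-chaining inference.

Added example, not the paper's AMSEC or Virtuoso code. All hosts, software and
vulnerability identifiers are constructed placeholders; 'ex:' is a hypothetical
namespace. Only a small subset of RDFS/OWL entailment is implemented.
"""

# Terminology (T-box): class hierarchy and property semantics of the ontology.
ONTOLOGY = [
    ("ex:RemoteCodeExecution", "rdfs:subClassOf", "ex:CriticalVulnerability"),
    ("ex:PrivilegeEscalation", "rdfs:subClassOf", "ex:CriticalVulnerability"),
    ("ex:CriticalVulnerability", "rdfs:subClassOf", "ex:Vulnerability"),
    ("ex:InfoDisclosure", "rdfs:subClassOf", "ex:Vulnerability"),
    # a component inherits exposure through its whole dependency chain
    ("ex:dependsOn", "rdf:type", "owl:TransitiveProperty"),
]

# Assertions (A-box): constructed sample inventory, not real vulnerabilities.
DATA = [
    ("ex:host1", "rdf:type", "ex:Host"),
    ("ex:host1", "ex:runs", "ex:appA"),
    ("ex:appA", "ex:dependsOn", "ex:libB"),
    ("ex:libB", "ex:dependsOn", "ex:libC"),
    ("ex:libC", "ex:hasVulnerability", "ex:vuln1"),
    ("ex:vuln1", "rdf:type", "ex:RemoteCodeExecution"),
    ("ex:host2", "rdf:type", "ex:Host"),
    ("ex:host2", "ex:runs", "ex:appD"),
    ("ex:appD", "ex:hasVulnerability", "ex:vuln2"),
    ("ex:vuln2", "rdf:type", "ex:InfoDisclosure"),
]


class TripleStore:
    """Minimal in-memory store of (subject, predicate, object) triples."""

    def __init__(self, triples=()):
        self.triples = set(triples)

    def match(self, s=None, p=None, o=None):
        """Triples matching a basic graph pattern; None is a wildcard."""
        return [t for t in self.triples
                if (s is None or t[0] == s)
                and (p is None or t[1] == p)
                and (o is None or t[2] == o)]

    def saturate(self):
        """Forward-chain three entailment rules to a fixed point.

        Returns the number of triples after saturation.
        """
        while True:
            new = set()
            # rdfs: subClassOf is transitive
            for a, _, b in self.match(p="rdfs:subClassOf"):
                for _, _, c in self.match(s=b, p="rdfs:subClassOf"):
                    new.add((a, "rdfs:subClassOf", c))
            # rdfs: an instance of a subclass is an instance of the superclass
            for x, _, a in self.match(p="rdf:type"):
                for _, _, b in self.match(s=a, p="rdfs:subClassOf"):
                    new.add((x, "rdf:type", b))
            # owl: transitive properties are closed under composition
            for prop, _, _ in self.match(p="rdf:type", o="owl:TransitiveProperty"):
                for x, _, y in self.match(p=prop):
                    for _, _, z in self.match(s=y, p=prop):
                        new.add((x, prop, z))
            new -= self.triples
            if not new:
                return len(self.triples)
            self.triples |= new


def hosts_with_critical_exposure(store):
    """Hosts running software that, directly or via a dependency reachable in
    the store, carries a vulnerability classified as critical.

    Returns a sorted list of (host, software, component, vulnerability).
    On an unsaturated store only one dependency hop and explicitly asserted
    classes are visible, which is the blind spot of a fixed-depth SQL join.
    """
    hits = set()
    for host, _, sw in store.match(p="ex:runs"):
        components = {sw} | {o for _, _, o in store.match(s=sw, p="ex:dependsOn")}
        for comp in components:
            for _, _, vuln in store.match(s=comp, p="ex:hasVulnerability"):
                if (vuln, "rdf:type", "ex:CriticalVulnerability") in store.triples:
                    hits.add((host, sw, comp, vuln))
    return sorted(hits)


def build_store(saturate=True):
    """Load ontology and data; optionally run inference first."""
    store = TripleStore(ONTOLOGY + DATA)
    if saturate:
        store.saturate()
    return store


if __name__ == "__main__":
    print("without inference:", hosts_with_critical_exposure(build_store(False)))
    print("with inference:   ", hosts_with_critical_exposure(build_store(True)))
```

Run as a script, the raw store yields no hits while the saturated store reports host1 exposed through appA's transitive dependency on libC. In a SPARQL-capable store such as Virtuoso the saturated query is a single graph pattern (with a SPARQL 1.1 property path such as `ex:dependsOn*` for the dependency chain) rather than a recursive SQL join, which is the kind of query precision the authors attribute to the ontological approach. The rules here cover only subclass and transitive-property entailment, not full OWL reasoning.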
To store and manipulate the data, we suggest building the repository on the principles of service-oriented architecture (SOA). As the store we use the Virtuoso DBMS from OpenLink Software, which supports the functionality of both a relational DBMS and a triple store.
A general architecture of the repository based on SOA is proposed. It has layers of data storage, data representation and services; in addition it provides a data access layer. To test the proposed decisions on the internal representation and the repository architecture, we use the AMSEC component of the SIEM system. The test results showed that the ontological approach allows data to be loaded and retrieved more accurately and at lower computational cost, and thus significantly improves the performance of the repository.
Further research is associated with elaborating the proposed vulnerability ontology and with adding services such as security modelling and analysis and verification of security policies. Finally, we plan to investigate logical inference over the ontological repository and to develop data visualization mechanisms.
Pages: 100-108
References
- Miller D., Harris S., Harper A., VanDyke S., Blask C. Security Information and Event Management (SIEM) Implementation. McGraw-Hill Companies. 2011.
- Kotenko I.V., Saenko I.B., Polubelova O.V., Chechulin A.A. Application of security information and event management technology for information protection in critical infrastructures // SPIIRAS Proceedings. Issue 1 (20). St. Petersburg: Nauka. 2012.
- Kotenko I.V., Saenko I.B., Polubelova O.V., Chechulin A.A. Security information and event management technologies for computer network protection // Problems of Information Security. Computer Systems. 2012. No. 2.
- Kotenko I., Stepashkin M. Attack Graph based Evaluation of Network Security // Lecture Notes in Computer Science. V. 4237. 2006. P. 216-227.
- AlienVault User's Manual. 2011.
- 10 Reasons for Migrating from Cisco MARS to AccelOps. http://www.accelops.net/product/marsbeyond.php
- Prelude as a Hybrid IDS Framework. SANS Institute InfoSec Reading Room. 2009.
- Shenk J. ArcSight Logger Review. A SANS Whitepaper. January 2009. http://www.arcsight.com/collateral/whitepapers/ArcSight_Combat_Cyber_Crime_with_Logger.pdf
- Buecker A., Amado J., Druker D., Lorenz C., Muehlenbrock F., Tan R. IT Security Compliance Management Design Guide with IBM Tivoli Security Information and Event Manager. IBM Redbooks. 2010.
- Novell Sentinel Log Manager 1.0.0.5. Installation Guide. March 31, 2010.
- SCAP. http://scap.nist.gov
- Ogle D., Kreger H., Salahshour A., Cornpropst J., Labadie E., Chessell M., Horn B., Gerken J., Schoech J., Wamboldt M. Canonical Situation Data Format: The Common Base Event V1.0.1 // International Business Machines Corporation. 2004.
- Common Information Model (CIM) Standards, DMTF. http://dmtf.org/standards/cim
- NIST. http://www.nist.gov/index.html
- Guo M., Wang J.A. An Ontology-based Approach to Model Common Vulnerabilities and Exposures in Information Security // Proceedings of the 2009 ASEE SE Section Conference. 2009.
- Parmelee M.C. Toward an Ontology Architecture for Cyber-Security Standards // Proceedings of the 2010 Semantic Technology for Intelligence, Defense, and Security Conference. 2010.
- Elahi G., Yu E., Zannone N. A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations // Proceedings of the 28th International Conference on Conceptual Modeling. 2009.
- Heimbigner D. DMTF CIM to OWL: A Case Study in Ontology Conversion // Ontology in Action Workshop in conjunction with the Conference on Software Engineering and Knowledge Engineering (SEKE'04). Banff, Alberta, Canada. 2004.
- López de Vergara J.E., Villagrá V.A., Berrocal J. Applying the Web Ontology Language to management information definitions // IEEE Communications Magazine. 2004. P. 68-74.