An ontology-driven approach to model SIEM information and operations using the SWRL formalism

Granadillo, Gustavo Gonzalez; Mustapha, Yosra Ben; Hachem, Nabil; Debar, Hervé

doi:10.1504/ijesdf.2012.048412

Cited by 9 publications

(3 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In general we note that, while each model is targeted toward a specific purpose (the goal in [14] is to annotate web resources, while [13] attempts to expand the representation to general computer security, and [12] models a security information and event management (SIEM) system), most adopt a general structure similar to that shown in Figure 1.…”

Section: ) Demonstrate the Development Of Automated Idrsmentioning

confidence: 99%

S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems

Strasburg

Basu

Wong

2013

2013 IEEE 37th Annual Computer Software and Applications Conference

View full text Add to dashboard Cite

As cyber threats increasingly utilize automated and adaptive attacks to bypass or overwhelm static defenses, the role of intrusion detection and response systems (IDRS) as an active defense layer is becoming more critical. To remain effective against current attacks IDRS must be capable of automating detection of, and response to, threats in their specific environment. Different operating characteristics, detection capabilities, and response actions all contribute to make each environment unique, complicating this automation.In this work we consider IDRS automation in three areas: detector tuning, detector correlation, and response selection. We motivate and present a novel, more finelygrained model of threats, detectors, and responses called S-MAIDS : A Semantic Model of Automated Intrusion Detection Systems. Based on the concept of a "signal" (an observable indicator of an attack), we show the utility of combining such a model with an existing measure of IDRS performance to facilitate automated tuning, cross-system correlation, and response selection. We support our claims through several case-studies demonstrating the application of this model, and provide the model as an OWL ontology.

show abstract

Section: ) Demonstrate the Development Of Automated Idrsmentioning

confidence: 99%

S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems

Strasburg

Basu

Wong

2013

2013 IEEE 37th Annual Computer Software and Applications Conference

View full text Add to dashboard Cite

show abstract

“…Their deployment thus focuses, firstly, on writing ad hoc collectors and translators to acquire information and normalize it, and secondly, on writing correlation rules to aggregate the information and reduce the amount of data. This operational focus leads SIEM implementers to prioritize syntax over semantics, and to use correlation languages that are poor in terms of features [ 73 ]. However, as the number of attacks, and thus the diversity of alerts received by SIEMs increases, the need for appropriate treatment of these alerts has become essential.…”

Section: Limitations Of Current Siemsmentioning

confidence: 99%

Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures

González-Granadillo

González-Zarzosa

Díaz

2021

Sensors

View full text Add to dashboard Cite

Security Information and Event Management (SIEM) systems have been widely deployed as a powerful tool to prevent, detect, and react against cyber-attacks. SIEM solutions have evolved to become comprehensive systems that provide a wide visibility to identify areas of high risks and proactively focus on mitigation strategies aiming at reducing costs and time for incident response. Currently, SIEM systems and related solutions are slowly converging with big data analytics tools. We survey the most widely used SIEMs regarding their critical functionality and provide an analysis of external factors affecting the SIEM landscape in mid and long-term. A list of potential enhancements for the next generation of SIEMs is provided as part of the review of existing solutions as well as an analysis on their benefits and usage in critical infrastructures.

show abstract

“…To allow time based correlation, e.g. to check if specific events such as a failed login occurred several times within the last ten minutes, the ontology is structured according to the approach of Granadillo et al [4] on the top level of the ontology. The approach suggests to separate the ontology into two parts, the (static) information and the (dynamic) operations as shown in Fig.…”

Section: Architecture Of the Systemmentioning

confidence: 99%

Intelligent monitoring with background knowledge

Detken

Edelkamp

Elfers³

et al. 2015

2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applicati

View full text Add to dashboard Cite

This paper describes the design and implementation of an intelligent monitoring system, that runs advanced inference mechanisms to correlate events from various sensors. Different to existing monitoring approaches, it exploits taxonomic background knowledge in form of ontological information to draw refined inferences. The monitoring system provides abstract knowledge exchange capabilities between different monitoring clients to support users during the setup and maintenance process. The system supports a variety of sensors and collectors, also including new sensors that can be mapped to the system conveniently.

show abstract

An ontology-driven approach to model SIEM information and operations using the SWRL formalism

Cited by 9 publications

References 7 publications

S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems

S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems

Security Information and Event Management (SIEM): Analysis, Trends, and Usage in Critical Infrastructures

Intelligent monitoring with background knowledge

Contact Info

Product

Resources

About