nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

Data Analytics for Security Management of Complex Heterogeneous Systems: Event Correlation and Security Assessment Tasks

verfasst von : Igor Kotenko, Andrey Fedorchenko, Elena Doynikova

Erschienen in: Advances in Cyber Security Analytics and Decision Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This chapter considers the methods and techniques for security management of complex heterogeneous systems with an emphasis on event correlation and security assessment. The approach suggested in the chapter is based on the integrated analysis of big heterogeneous security data for event correlation, including syntactic and semantic analysis of security events and information. The key feature of the approach is the definition of various relationships between event properties within an automated adaptive correlation process. Correlation of heterogeneous security data allows detecting security incidents, as well as the chains of security events that led to these incidents. The results of event correlation are used in various tasks of security assessment. The approach to the security assessment is based on the Bayesian attack graphs, open security data representation standards, and vulnerability indexes from the Common Vulnerability Scoring System. The results of correlation are used on the stage of system assets criticality assessment for assets inventory and on the stage of security assessment to calculate probability of ongoing attack success considering incident statistics. A technique for vulnerability assessment based on the data mining is also described. The advantages and disadvantages of the suggested approaches, methods and techniques are outlined. The purpose of this chapter is to form a methodological basis for data analysis in security management, as well as to demonstrate its practical application, using the data set of event logs from the Windows operating system and from the SCADA power management system.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Efficient Reconfigurable Integrated Cryptosystems for Cybersecurity Protection

Nächstes Kapitel Cybersecurity Technologies for the Internet of Medical Wearable Devices (IoMWD)

Agarwal, M. K., Gupta, M., Kar, G., Neogi, A., & Sailer, A. (2004). Mining activity data for dynamic dependency discovery in e-business systems. IEEE Transactions on Network and Service Management, 1, 49–58. https://doi.org/10.1109/TNSM.2004.4798290.CrossRef

Ahmed, M. S., Al-Shaer, E., & Khan, L. (2008). A novel quantitative approach for measuring network security. In: INFOCOM proceedings, Phoenix, AZ, USA, April 2008. IEEE, pp. 1957–1965.

ArcSight Enterprise Security Manager (ESM). Security Information and Event Management (SIEM). In: Microfocus Off. website. https://www.microfocus.com/en-us/products/siem-security-information-event-management/overview. Accessed 27 Mar 2019.

Balepin, I., Maltsev, S., Rowe, J., & Levitt, K. (2003). Using specification-based intrusion detection for automated response. In Proceedings of the sixth international symposium on recent advances in intrusion detection (RAID), Pittsburgh, PA, USA, September 2003. Lecture notes in computer science (LNCS) (Vol. 2820, pp. 136–154). Berlin, Heidelberg: Springer-Verlag.

Beliakov, G., Yearwood, J., & Kelarev, A. (2012). Application of rank correlation, clustering and classification in information security. Journal of Networks, 7, 935–945.CrossRef

Brown, A., Kar, G., & Keller, A. (2001). An active approach to characterizing dynamic dependencies for problem determination in a distributed environment. In: 2001 7th IEEE/IFIP international symposium on integrated network management proceedings: Integrated management strategies for the new millennium, Seattle, WA, USA, May 2001.

Bursztein, E., & Mitchell, J. C. (2010). Using strategy objectives for network security analysis. Lecture Notes in Computer Science, 6151, 337–349.MathSciNetCrossRef

Caralli, R. A., Stevens, J. F., Young, L. R., & Wilson, W. R. (2007). Introducing OCTAVE allegro: Improving the information security risk assessment process (Technical report). Software Engineering Institute.

Common Attack Pattern Enumeration and Classification. https://capec.mitre.org/. Accessed 27 Mar 2019.

Common Configuration Enumeration (CCE). In: Off. website. https://nvd.nist.gov/cce/index.cfm. Accessed 30 Mar 2019.

Common Weakness Enumeration. https://cwe.mitre.org/index.html. Accessed 27 Mar 2019.

Dantu, R., Kolan, P., & Cangussu, J. (2009). Network risk management using attacker profiling. Security and Communication Networks, 2, 83–96. https://doi.org/10.1002/sec.58.CrossRef

Davis, M., Korkmaz, E., Dolgikh, A., & Skormin, V. (2017). Resident security system for government/industry owned computers. Lecture Notes in Computer Science, 10446, 185–194.CrossRef

Doynikova, E., & Kotenko, I. (2017). CVSS-based probabilistic risk assessment for cyber situational awareness and countermeasure selection. In: Proceedings of the 25th Euromicro international conference on parallel, distributed and network-based processing, St. Petersburg, Russia, March 2017.

Elshoush, H. T., & Osman, I. M. (2011). Alert correlation in collaborative intelligent intrusion detection systems – A survey. Applied Soft Computing, 11, 4349–4365.CrossRef

EMS. (2017a). Energy management system (EMS) events log. In: Industrial Control System Cyber Attack Datasets, dataset No.5. https://sites.google.com/a/uah.edu/tommy-morris-uah/ics-data-sets. Accessed 31 Mar 2019.

EMS. (2017b). Description of the energy management system (EMS) events log. In: Industrial Control System Cyber Attack Datasets, dataset No.5. https://drive.google.com/file/d/0B8m%2D%2DHm7dOEqRFNOd1hvelZ3ZFE/view. Accessed 31 Mar 2019.

Ensel, C. (2001). A scalable approach to automated service dependency modeling in heterogeneous environments. In: Proceedings of the 5th IEEE international enterprise distributed object computing conference, Seattle, WA, USA, September 2001.

Exploit Database. https://www.exploit-db.com/. Accessed 27 Mar 2019.

Fedorchenko, A., Kotenko, I., & El Baz, D. (2017). Correlation of security events based on the analysis of structures of event types. In: Proceedings of the 9th IEEE international conference on intelligent data acquisition and advanced computing systems: Technology and applications (IDAACS’2017). IEEE, Bucharest, Romania, pp. 270–276.

Frigault, M., Wang, L., Singhal, A., & Jajodia, S. (2008). Measuring network security using dynamic bayesian network. In: Proceedings of the 4th ACM Work Qual Prot. https://doi.org/10.1145/1456362.1456368.

Ghorbani, A. A., Lu, W., & Tavallaee, M. (2010). Network intrusion detection and prevention concepts and techniques. New York: Springer.CrossRef

Goodman, L. A., & Kruskal, W. H. (1954). Measures of association for cross classifications. Journal of the American Statistical Association, 49, 732–764. https://doi.org/10.2307/2281536.CrossRefMATH

Gurer, D. W., Khan, I., Ogier, R., & Keffer, R. (1996). An artificial intelligence approach to network fault management. Computers and Biomedical Research, 47, 18–27. https://doi.org/10.3138/carto.47.1.18.CrossRef

Hanemann, A. (2007). Automated IT service fault diagnosis based on event correlation techniques. Dissertation, LMU of Munich.

Hanemann, A., & Marcu, P. (2008). Algorithm design and application of service-oriented event correlation. In: 3rd IEEE/IFIP international workshop on business-driven IT management, Salvador, Brazil, April 2008.

Hasan, M. (1991). A conceptual framework for network management event correlation and filtering systems. In: Proceedings of the 6th IFIP/IEEE international symposium on integrated in network management, pp. 233–246.

Hazewinkel, M. (2001). Correlation (in statistics). In Encyclopedia of mathematics (p. 5402). Cham: Springer Science+Business Media B.V.

Heron, J. How to develop an Asset Inventory for ISO 27001 – A pragmatic approach. In: isms.online. https://www.isms.online/iso-27001/how-to-develop-an-asset-inventory-for-iso-27001. Accessed 15 June 2019.

Hoo, K. J. S. (2000). How much is enough? A risk-management approach to computer security. Dissertation, Stanford University.

ICASI. Common vulnerability reporting framework (CVRF). In: Off. Website. http://www.icasi.org/cvrf. Accessed 30 Mar 2019.

IntelSecurity SIEM. In: Websecure Off. website. https://www.websecure.com.au/intel-security/security-information-event-management. Accessed 27 Mar 2019.

ISO/IEC 19770-1:2017(en). (2017). Information technology – IT asset management – Part 1: IT asset management systems – Requirements.

ISO/IEC 27001:2013. (2013). Information technology – Security techniques – Information security management systems – Requirements.

ISO/IEC 27005:2008. (2008). Information technology – Security techniques – Information security risk management.

Jahnke, M., Thul, C., & Martini, P. (2007). Graph based metrics for intrusion response measures in computer networks. In: Proceedings of the conference on local computer networks, Dublin, Ireland, October 2007.

Jiang, G., & Cybenko, G. (2004). Temporal and spatial distributed event correlation for network security. In: Proceedings of the American Control Conference. IEEE Xplore, pp. 996–1001.

Joshi, C., & Singh, U. K. (2018). An enhanced framework for identification and risks assessment of zero-day vulnerabilities. International Journal of Applied Engineering Research, 13, 10861–10870.

Kheir, N., Cuppens-Boulahia, N., Cuppens, F., & Al, E. (2010). A service dependency model for cost-sensitive intrusion response. In: 15th European conference on research in computer security, pp. 626–642.

Kotenko, I., & Doynikova, E. (2014). Security assessment of computer networks based on attack graphs and security events. Lecture Notes in Computer Science, 8407, 462–471.CrossRef

Kotenko, I., & Doynikova, E. (2018). Selection of countermeasures against network attacks based on dynamical calculation of security metrics. Journal of Defense Modeling & Simulation, 15, 181. https://doi.org/10.1177/1548512917690278.CrossRef

Kou, G., Lu, Y., Peng, Y., & Shi, Y. (2012). Evaluation of classification algorithms using MCDM and rank correlation. International Journal of Information Technology & Decision Making, 11, 197–225.CrossRef

Kruegel, C., Valeur, F., & Vigna, G. (2005). Intrusion detection and correlation. Challanges and solutions (Vol. 14). New York: Springer US.MATH

Limmer, T., & Dressler, F. (2019). Survey of event correlation techniques for attack detection in early warning systems (Technical report 01/08). University of Erlangen, Germany.

Lippmann, R., Ingols, K., Scott, C., Piwowarski, K., Kratkiewicz, K., Artz, M., & Cunningham, R. (2007). Validating and restoring defense in depth using attack graphs. In: Proceedings of the IEEE military communications conference, Washington, DC, USA, October 2006.

Lockstep Consulting. (2004). A guide for government agencies calculating return on security investment. Version 2.0. Sydney: New South Wales Department of Commerce Government Chief Information Office.

LogRhythm SIEM. In: Logrhythm Off. website. https://logrhythm.com/. Accessed 27 Mar 2019.

Manadhata, P. K., Kaynar, D. K., & Wing, J. M. (2007). A formal model for a system’s attack surface (Technical report CMU-CS-07-144). Carnegie Mellon University, Pittsburgh.

MAnagement of Security information and events in Service InFrastructures (MASSIF). In: Res. Proj. Eur. Community Seventh Framew. Progr. (FP7). Contract No. 257475. https://cordis.europa.eu/project/rcn/95310/factsheet/en. Accessed 27 Mar 2019.

Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the Common Vulnerability Scoring System Version 2.0. FIRST Forum Incid Response Secur Teams, NIST.

Motahari-Nezhad, H. R., Saint-Paul, R., Casati, F., & Benatallah, B. (2011). Event correlation for process discovery from web service interaction logs. VLDB Journal, 20, 417–444. https://doi.org/10.1007/s00778-010-0203-9.CrossRef

Müller, A. (2009). Event correlation engine. Master’s thesis, ETH.

NMap. NMap reference guide. http://nmap.org/book/man.html. Accessed 27 Mar 2019.

Noel, S., Jajodia, S., O’Berry, B., & Al, E. (2003). Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings of the 19th annual computer security applications conference, 2003, pp. 86–95.

NVD. (2019a). National vulnerability database. https://nvd.nist.gov/. Accessed 27 Mar 2019.

NVD. (2019b). Common Platform Enumeration (CPE) official website. In: NIST website. https://nvd.nist.gov/products/cpe. Accessed 27 Mar 2019.

Peltier, T. R. (2010). Information security risk analysis (3rd ed.). Boca Raton: CRC Press.CrossRef

Poolsappasit, N., Dewri, R., & Ray, I. (2012). Dynamic security risk management using Bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9, 61. https://doi.org/10.1109/TDSC.2011.34.CrossRef

QRadar SIEM. In: IBM Off. website. https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_oview.html. Accessed 27 Mar 2019.

Radack, S., & Kuhn, R. (2011). Managing security: The security content automation protocol. IT Professional, 13, 9–11. https://doi.org/10.1109/MITP.2011.11.CrossRef

Sadoddin, R., & Ghorbani, A. (2006). Alert correlation survey: Framework and techniques. In: Proceedings of the international conference on privacy, security and trust: Bridge the gap between PST Technologies and Business Services.

Splunk Enterprise Security. In: Splunk Off. website. https://www.splunk.com/en_us/software/enterprise-security.html. Accessed 27 Mar 2019.

SPSS Tutorials: Pearson Correlation. In: Kent State University Libraries. https://libguides.library.kent.edu/SPSS/PearsonCorr. Accessed 28 Mar 2019.

Tenable. Nessus vulnerability scanner. http://www.tenable.com/products/nessus-vulnerability-scanner. Accessed 2 Jul 2018.

Tiffany, M. (2002). A survey of event correlation techniques and related topics. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.5339. Accessed 30 Oct 2019.

Toth, T., & Kruegel, C. (2002). Evaluating the impact of automated intrusion response mechanisms. In: Proceedings of the IEEE annual computer security applications conference, Las Vegas, NV, USA, December 2002.

Tuchs, K. D., & Jobmann, K. (2001). Intelligent search for correlated alarm events in databases. In: Proceedings of the 2001 7th IEEE/IFIP international symposium on integrated network management, Seattle, WA, USA, May 2001. Integrated Management Strategies for the New Millennium, IEEE.

Wang, L., Jajjodia, S., Singhal, A., & Al, E. (2014). K-zero day safety: A network security metric for measuring the risk of unknown vulnerabilities. IEEE Transactions on Dependable and Secure Computing, 11, 30–44. https://doi.org/10.1109/TDSC.2013.24.CrossRef

Wayne, W. D. (1990a). Spearman rank correlation coefficient. In Applied nonparametric statistics (2nd ed., pp. 358–365). Boston: PWS-Kent.

Wayne, W. D. (1990b). Kendall’s tau. In Applied nonparametric statistics (2nd ed., pp. 365–377). Boston: PWS-Kent.

Wei, W., Chen, F., Xia, Y., & Jin, G. (2013). A rank correlation based detection against distributed reflection DoS attacks. IEEE Communications Letters, 17, 173–175.CrossRef

Wireshark. Wireshark vulnerability scanner. https://www.wireshark.org. Accessed 27 Mar 2019.

Wu, Y. S., Foo, B., Mao, Y. C., Bagchi, S., & Spafford, E. H. (2007). Automated adaptive intrusion containment in systems of interacting services. Computer Networks, 51, 1334–1360. https://doi.org/10.1016/j.comnet.2006.09.006.CrossRefMATH

Xu, D., & Ning, P. (2008). Correlation analysis of intrusion alerts. Advanced Information Security, 38, 65–92. https://doi.org/10.1007/978-0-387-77265-3_4.CrossRef

Zurutuza, U., & Uribeetxeberria, R. (2004). Intrusion detection alarm correlation: A survey. In: Proceedings of the IADAT international conference on telecommunications and computer networks, pp. 1–3.

Titel: Data Analytics for Security Management of Complex Heterogeneous Systems: Event Correlation and Security Assessment Tasks
verfasst von: Igor Kotenko
Andrey Fedorchenko
Elena Doynikova
Verlag: Springer International Publishing
Buch: Advances in Cyber Security Analytics and Decision Systems
Print ISBN: 978-3-030-19352-2

Electronic ISBN: 978-3-030-19353-9

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-19353-9_5

Neuer Inhalt

Bildnachweise

VDI-Icon, Profil Icon, inhalt2, Springer Professional Modul/© Springer Fachmedien Wiesbaden GmbH, Nachhaltigkeitsaward Key Visual/© Cometis AG/Global ESG Monitor | Daniel Rupp | Generiert mit KI, Search Icon, Banner Hanser, Jonas Klose/© Pine Valley Capital GmbH, Carina Kießling von der Strategieberatung Roland Berger/© Monika Walther Fotografie | ATZ, Beijing Auto Show 2024: Deutsche Hersteller wollen angreifen./© EKH-Pictures / Generated with AI / Stock.adobe.com, Zeitschrift Wissensmanagement Cover, PatentFit-Logo/© Springer Fachmedien Wiesbaden GmbH, Zukunftswerkstatt Sales Excellence 2024/© AndreyPopov / Getty Images / iStock, 2023_Antrieb/© supervisuell, ATZ-Webinar: Prototypenfreie Entwicklung durch Offline- und Driver-in-the-Loop-HiL-Tests /© (c) VI-grade

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Neuer Inhalt

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.