Top

Published in:

27-03-2017

A high-level domain-specific language for SIEM (design, development and formal verification)

Authors: Anam Nazir, Masoom Alam, Saif U. R. Malik, Adnan Akhunzada, Muhammad Nadeem Cheema, Muhammad Khurram Khan, Yang Ziang, Tanveer Khan, Abid Khan

Published in: Cluster Computing | Issue 3/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Organizations deploy security information and event management (SIEM) systems for centralized management of security events. The real-time security monitoring capability of the SIEM depends on the correlation process where events data are matched against the security rules. Most SIEM systems use general purpose languages to define security rules. Creating new rules in general purpose languages require excellent programming skills in the proprietary language and intimate knowledge of events. This paper introduces a high-level domain-specific language (HDSL) which simplifies rule creation for the SIEM system. We formally specify the HDSL with extended Backus–Naur form grammar in another tool for language recognition according to the model driven engineering approach. In our implementation framework, the rules defined in the HDSL are converted in the standard event processing language. For evaluation purpose, the converted security rules are tested on the service real-time data security analytics. The results indicate that the rules are converted accurately and generate alarms when specific attacks are detected. For checking correctness of the HDSL, formal verification is carried out using satisfiability modulo theory and Z3 solver. The results are evaluated under diverse attack scenarios, which reveal that HDSL is functioning correctly. The HDSL enhances the SIEM correlation capabilities by providing a tranquil approach for writing the correlation rules.

previous article Towards secure and flexible EHR sharing in mobile health cloud under static assumptions

next article Computationally efficient privacy preserving authentication and key distribution techniques for vehicular ad hoc networks

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Katsaris, D.: Security information and event management systems: Benefits and Inefficiencies, Masters thesis, U. Piraeus, January, 2014

Swift, D.: A practical application of SIM/SEM/SIEM automating threat identification. 23 Dec 2006

Potts, G.: OSSIM user guide the book of OSSIM Open Source Software Image Map OSSIM, Document version 1.1 July 10, 2006

OSSEC community. http://www.ossec.net/files/ossec-hids-2.0.tar.gz. Accessed 2015

Prelude community. Prelude documentation. https://dev.prelude-ids.com/. Accessed 2015

OpenNMS Group and the Order of the Green Polo. Opennms website. http://www.opennms.org. Accessed 2015

D. Community, Drools website. http://www.jboss.org/drools/. Accessed 2015

Boley, H., Tabet, S., Wagner, G.: Design rationale for ruleML: a markup language for semantic web rules. In: SWWS, vol. 1, pp. 381–401 (2001)

Di Sarno, C., Formicola, V., Sicuranza, M., Paragliola, G.: Addressing security issues of electronic health record systems through enhanced siem technology. In: Eighth International Conference on Availability, Reliability and Security (ARES), IEEE, pp. 646–653 (2013)

10.

Sandoval, R.: The effects of SIEM technology in monitoring employee computer use, information technology security (ITSec) (2014)

11.

Kotenko, I., Chechulin, A. Common framework for attack modeling and security evaluation in SIEM systems. In: 2012 IEEE International Conference on Green Computing and Communications (GreenCom), IEEE (2012)

12.

Vianello, V., et al. A scalable SIEM correlation engine and its application to the olympic games IT infrastructure. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), IEEE (2013)

13.

Cheng, F., et al. Security Event Correlation Supported by Multi-Core Architecture. In: International Conference on IT Convergence and Security (ICITCS). IEEE (2013)

14.

Montesino, Raydel, Fenz, Stefan, Baluja, Walter: SIEM-based framework for security controls automation. Inf. Manag. Comput. Secur. 20(4), 248–263 (2012)CrossRef

15.

Patel, V.: A practical solution to improve cyber security on a global scale. Third Worldwide. IEEE, Cybersecurity Summit (WCS) (2012)

16.

Azodi, A., et al. A new approach to building a multi-tier direct access knowledgebase for IDS/SIEM Systems. In: IEEE 11th International Conference on Dependable, Autonomic and Secure Computing (DASC), IEEE (2013)

17.

Hansen, S.E., Atkins, E.T.: Automated system monitoring and notification with swatch. LISA 93, 145–152 (1993)

18.

Thompson, K:. An introduction to logsurfer. SysAdmin magazine. http://www.crypt.gen.nz/papers/logsurfer.html (2004)

19.

Simple-evcorr.sourceforge.net, ’SEC—open source and platform independent event correlation tool’, 2015. http://simple-evcorr.sourceforge.net/. Accessed 2015

20.

Espertech.com, ’EsperTech-Esper’, 2015. http://www.espertech.com/esper/index_redirected.php. Accessed 2015

21.

Prieto, E., et al.: MASSIF: a promising solution to enhance olympic games IT security. Global Security, Safety and Sustainability & e-Democracy. Springer, Berlin, pp. 139–147 (2012)

22.

Anicic, D., et al.: Web Reasoning and Rule Systems. A rule-based language for complex event processing and reasoning, pp. 42–57. Springer, Berlin (2010)CrossRef

23.

Anicic, D., et al.: EP-SPARQL: a unified language for event processing and stream reasoning. In: Proceedings of the 20th International Conference on World Wide Web. ACM (2011)

24.

Saleem, M., Jaafar, J., Hassan, M.: A domain-specific language for modelling security objectives in a business process models of SOA applications. In: AISS, vol. 4.1, pp. 353–362

25.

Atkins, D., Ball, T., Bruns, G., Cox, K.: Mawl: a domain-specific language for form-based services. IEEE Trans. Softw. Eng. 25(3), 334–346 (1999)CrossRef

26.

Websec.ca, Panoptic—a tool to exploit path traversal vulnerabilities. http://websec.ca/blog/view/panoptic (2015). Accessed 2015

27.

Bharadwaj, R.: SOLj: a domain-speci_c language (DSL) for secure service-based systems. In: Proceedings of the 11th IEEE International Workshop on Future Trends of Distributed Computing Systems (FTDCS’07), vol. 4, pp. 0-7695-2810 (2007)

28.

Kotenko, I, Polubelova, O, Saenko, I: The Ontological Approach for SIEM Data Repository Implementation Laboratory of Computer Security Problems. In: IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing (2012)

29.

Nrl.sourceforge.net, NRL: The Natural Rule Language. http://nrl.sourceforge.net/ (2015). Accessed 31 May 2015

30.

Malik, S.U.R., Khan, S.U.: Formal methods in LARGE-SCALE computing systems. ITNOW 55(2), 52–53 (2013)CrossRef

31.

Malik, S.U.R., Khan, S.U., Srinivasan, S.K.: Modeling and analysis of state of-the-art VM-based cloud management platforms. IEEE Trans. Cloud Comput. 1(1), 1 (2013)

32.

SMT-Lib. http://smt-lib.org/. Accessed 2015

33.

Barrett, C.: The SMT-LIB Standard Version 2.0, Release. 9 Sept 2012

34.

Jee, C.: Top 10 software failures of 2014, Computerworld UK, 2015. http://www.computerworlduk.com/galleries/infrastructure/top-10-software-failures-2014-3599528/. Accessed 2015

35.

de Moura, L.: Z3: an efficient SMT solver. In: Proc. Theory and Practice of Software, 14th Intl Conf. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 08) (2008)

36.

Triam, R.D.S.A. https://demo.triam.com.pk/index.php/module/user/security/login. Accessed 2015

37.

Parr, T.: The Definitive ANTLR Reference. Pragmatic Bookshelf, Raleigh (2007)

38.

Karlsch, M: A model driven framework for domain specific languages demonstrated on a test automation language, Masters Thesis, March, 2007

39.

Kleppe, A., Warmer, J., Bast, W.: MDA Explained. The Model Driven Architecture: Practice and Promise. Addison-Wesley, Boston (2003)

40.

Bentley, J.L., McIlroy, M.D.: Engineering a sort function. Software 23(11), 1249 (1993)

41.

Jones, C.: Programming languages table, release 8.2, Software Productivity Research, Burlington (1996)

42.

Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Comput. Surv. 37(4), 316–344 (2005)CrossRef

43.

Prieto-Diaz, R.: Domain analysis: an introduction. SIGSOFT Softw. Eng. Notes 15(2), 4754 (1990)CrossRef

44.

Eclipse Foundation, Eclipse.org, 2015. https://eclipse.org/. Accessed 2015

45.

ASERG. www.aserg.com.pk. Accessed 2015

46.

Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Advances in Computers. Bounded model checking, vol. 58, pp. 118–149. Academic Press, London (2003)

47.

Z3. https://github.com/z3prover/z3/wiki/Documentation. Accessed 2015

48.

Barrett, C.: Satisfiability Modulo Theories in Handbook of Satisfiability, vol. 185, pp. 825–885. IOS Press, Amsterdam (2009)

Title: A high-level domain-specific language for SIEM (design, development and formal verification)
Authors: Anam Nazir
Masoom Alam
Saif U. R. Malik
Adnan Akhunzada
Muhammad Nadeem Cheema
Muhammad Khurram Khan
Yang Ziang
Tanveer Khan
Abid Khan
Publication date: 27-03-2017
Publisher: Springer US
Published in: Cluster Computing / Issue 3/2017
Print ISSN: 1386-7857
Electronic ISSN: 1573-7543
DOI: https://doi.org/10.1007/s10586-017-0819-2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2017

Cost-aware horizontal scaling of NoSQL databases using probabilistic model checking

Achieving public verifiability and data dynamics for cloud data in the standard model

A scheme of AR-based personalized interactive broadcasting service in terrestrial digital broadcasting system

Value of service based resource management for large-scale computing systems

Parameter based tuning model for optimizing performance on GPU

Computationally efficient privacy preserving authentication and key distribution techniques for vehicular ad hoc networks

Premium Partner