Correlating IDS alerts with system logs by means of a network-centric SIEM solution
Master thesis
Permanent link: http://hdl.handle.net/11250/143982
Publication date: 2011
Abstract
This thesis concerns the need for a network-centric Security Information and Event Management
(SIEM) solution that correlates data based on network topology and traffic flow, and which takes
into account the continuous change in such networks. The research question is motivated by
the fact that current SIEM solutions are device-centric, with minimal understanding of the
causal relationship between log events. Furthermore, the approaches in use are suboptimal at
correlating data collected from scattered security systems (e.g. IDS, firewall), which requires
security personnel to analyze larger data sets with a potentially high false positive rate, rather
than having the incidents validated, prioritized, and presented in a unified view.
In this thesis we propose a conceptual model based on a network-centric approach,
and perform a case study of this model using Cisco NetFlow. We observe the model through a
series of attacks, and analyze whether the model is a more viable approach to dealing with incidents
than current approaches, and whether it makes it possible to reduce the
number of alerts requiring follow-up and to prioritize incidents more accurately. The study
identifies several network characteristics that may influence the practical implementation of such
a model and proposes a set of requirements that a network-centric model should fulfill.
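The kind of correlation the abstract describes, as an added illustration rather than the thesis's own model or code: each IDS alert is matched against NetFlow-style unidirectional flow records on the 5-tuple and a time window, and the alert is treated as validated only when the flow data shows the target actually answered. Validated alerts against a designated server segment are ranked highest, alerts whose flow never got a reply are ranked low, and alerts with no matching flow at all sink to the bottom of the follow-up queue. The record layout, the `CRITICAL_NETS` segment, the `WINDOW` slack and all alert and flow records are constructed assumptions for the example.

```python
"""Added example: validating and prioritizing IDS alerts with flow records.

All field names, networks, and records below are constructed for illustration;
they are not the thesis's schema or data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Alert:
    ts: int          # epoch seconds when the IDS raised the alert
    src: str
    dst: str
    dport: int
    proto: str
    signature: str


@dataclass
class Flow:
    """One unidirectional flow record, as a NetFlow v5 exporter would emit it."""
    start: int
    end: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int


# Assumed: the segment whose hosts deserve the highest priority.
CRITICAL_NETS = [ip_network("10.0.5.0/24")]
# Assumed: slack (seconds) between the alert timestamp and the flow's active period.
WINDOW = 60


def _in_window(flow: Flow, ts: int) -> bool:
    return flow.start - WINDOW <= ts <= flow.end + WINDOW


def find_forward(alert: Alert, flows: List[Flow]) -> List[Flow]:
    """Flows travelling in the same direction as the alerted connection."""
    return [f for f in flows
            if f.src == alert.src and f.dst == alert.dst and f.dport == alert.dport
            and f.proto == alert.proto and _in_window(f, alert.ts)]


def find_reverse(alert: Alert, forward: Flow, flows: List[Flow]) -> List[Flow]:
    """Flows from the target back to the source's ephemeral port of the same connection."""
    return [f for f in flows
            if f.src == alert.dst and f.dst == alert.src and f.sport == alert.dport
            and f.dport == forward.sport and f.proto == alert.proto and _in_window(f, alert.ts)]


def correlate(alert: Alert, flows: List[Flow]) -> Dict[str, object]:
    """Attach a validation status and a priority (0 = lowest, 3 = highest) to one alert."""
    forward = find_forward(alert, flows)
    result: Dict[str, object] = {"signature": alert.signature, "dst": alert.dst}
    if not forward:
        # The IDS saw something the flow exporter did not: cannot validate, lowest priority.
        result.update(status="no_flow", priority=0)
        return result
    answered = any(rev.octets > 0
                   for fwd in forward for rev in find_reverse(alert, fwd, flows))
    critical = any(ip_address(alert.dst) in net for net in CRITICAL_NETS)
    if answered and critical:
        result.update(status="validated", priority=3)
    elif answered:
        result.update(status="validated", priority=2)
    else:
        # One-way traffic only: the target never replied (down, filtered, or closed port).
        result.update(status="unanswered", priority=1)
    return result


def triage(alerts: List[Alert], flows: List[Flow]) -> List[Dict[str, object]]:
    """Correlate every alert and return them ordered for follow-up, highest priority first."""
    return sorted((correlate(a, flows) for a in alerts),
                  key=lambda r: -int(r["priority"]))  # type: ignore[arg-type]


# Constructed sample data.
ALERTS = [
    Alert(1000, "192.0.2.10", "10.0.5.20", 445, "tcp", "SMB exploit attempt"),
    Alert(1100, "192.0.2.10", "10.0.9.7", 22, "tcp", "SSH brute force"),
    Alert(1200, "198.51.100.5", "10.0.5.30", 80, "tcp", "Web scanner user-agent"),
    Alert(1300, "203.0.113.8", "10.0.9.8", 80, "tcp", "Suspicious HTTP request"),
]
FLOWS = [
    # Alert 1: connection completed in both directions against a critical host.
    Flow(998, 1005, "192.0.2.10", "10.0.5.20", 51000, 445, "tcp", 20, 3000),
    Flow(998, 1005, "10.0.5.20", "192.0.2.10", 445, 51000, "tcp", 15, 2500),
    # Alert 2: only outbound packets, the target never answered.
    Flow(1099, 1101, "192.0.2.10", "10.0.9.7", 51001, 22, "tcp", 2, 120),
    # Alert 3: no flow record at all.
    # Alert 4: completed connection against a non-critical host.
    Flow(1299, 1302, "203.0.113.8", "10.0.9.8", 40000, 80, "tcp", 6, 900),
    Flow(1299, 1302, "10.0.9.8", "203.0.113.8", 80, 40000, "tcp", 5, 4200),
]

if __name__ == "__main__":
    for row in triage(ALERTS, FLOWS):
        print(row)
```

With unidirectional NetFlow v5 records the reverse flow has to be paired explicitly, as `find_reverse` does; an exporter that emits bidirectional records (IPFIX with biflow fields) would let the "did the target answer" check read a single record instead.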