
In this section, the elemental techniques applied in SIEMs are described, along with the various ingenuities employed to sniff out malicious user intention. These tools focus on specific qualities of the data to mine intelligent patterns that can trace irregularities; it can also be determined whether geolocation data can benefit these mining techniques.

2.2.1 Event Normalisation

A SIEM framework performs the task of centrally combining all security data for unified analysis; normalisation is the process that makes this possible. Normalisation is the process of taking raw data input and extracting only the relevant fields. For example, when collecting data from various sources, the range of formats in which the data is received varies extensively. These events are converted into a standardised format using a generic schema; not only does this help in combining data, it also aids better comparison of events.

The main purpose of the event normalisation technique is to create this common event format which all source data can be translated into, enabling the unified comparison and collection of information across the entire network.

2.2.2 Event Correlation

Security events need to be analysed from as many sources as possible to aid threat assessment and the appropriate response: the greater the number of sources, the better the situational awareness that can be achieved. This is where supporting methods such as event correlation come in. Event correlation is a technique for analysing a large number of events and indicating the few events that are really important in that mass of information.

Correlation is the process of transforming a sequence of events matching certain conditions into an output event. The output event is an indication of a triggered alarm, signalling the identification of a pattern. These patterns are event sequences corresponding to suspicious behaviour such as cyber attacks or an unauthorised login. Listed below are just a few of the many attacks that correlation rules can detect through their pattern-based analysis:

• Web service attacks (e.g. SQL injection, cross-site scripting, etc.)

• Brute-force authentication attacks across protocols (e.g. Secure Shell (SSH), Lightweight Directory Access Protocol (LDAP))

• Policy violations (e.g. the use of torrents, anonymous proxies)

• Distributed denial of service attacks (DDoS)

The events generated by the correlation process are sent from the SIEM sensors to the server as events and are stored in the SIEM databases to keep a record of the triggering incident. The real-time correlation of events greatly aids security administrators in filtering the extensive loads of security events entering the SIEM framework and highlighting data of security relevance, indicating activity with a high potential of malfeasance.
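As an added example covering both 2.2.1 and 2.2.2 (not code from any SIEM product or from this document), the following normalises two hypothetical raw formats into one common schema and then runs a single correlation rule over the normalised stream: repeated failed authentications from one source, regardless of protocol, produce one output alarm event. The raw lines, the LDAP CSV layout and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two hypothetical sources with different raw formats:
# OpenSSH-style syslog lines and a hypothetical CSV audit line from an LDAP server.
RAW_EVENTS = [
    ("sshd", "2024-03-01T10:00:01 host1 sshd[411]: Failed password for root from 203.0.113.7 port 5001 ssh2"),
    ("ldap", "2024-03-01T10:00:03,203.0.113.7,cn=admin,BIND_FAIL"),
    ("sshd", "2024-03-01T10:00:05 host1 sshd[412]: Failed password for admin from 203.0.113.7 port 5002 ssh2"),
    ("sshd", "2024-03-01T10:00:09 host1 sshd[413]: Accepted password for alice from 198.51.100.4 port 6000 ssh2"),
    ("ldap", "2024-03-01T10:00:12,203.0.113.7,cn=admin,BIND_FAIL"),
    ("sshd", "2024-03-01T10:30:00 host1 sshd[420]: Failed password for bob from 198.51.100.9 port 7000 ssh2"),
]
SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalise(source, line):
    """Normalisation: map a raw line into the common schema; None if unparseable."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        ts, result, user, ip = m.groups()
        outcome = "fail" if result == "Failed" else "success"
    else:  # hypothetical LDAP audit CSV: timestamp,client_ip,bind_dn,status
        ts, ip, user, status = line.split(",")
        outcome = "fail" if status == "BIND_FAIL" else "success"
    return {"ts": datetime.fromisoformat(ts), "source": source, "src_ip": ip,
            "user": user, "action": "auth", "outcome": outcome}

def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed authentications from one source IP, across
    any protocol, within a sliding window produce one output alarm event for that IP."""
    alarms, fails, alarmed = [], defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "auth" or ev["outcome"] != "fail":
            continue
        ip = ev["src_ip"]
        # keep only the failures still inside the window that ends at this event
        fails[ip] = [e for e in fails[ip] if ev["ts"] - e["ts"] <= window] + [ev]
        if len(fails[ip]) >= threshold and ip not in alarmed:
            alarmed.add(ip)  # one alarm per source, not one per additional failure
            alarms.append({"ts": ev["ts"], "alarm": "bruteforce_auth", "src_ip": ip, "count": len(fails[ip]),
                           "protocols": sorted({e["source"] for e in fails[ip]})})
    return alarms

def run():
    events = [e for e in (normalise(s, l) for s, l in RAW_EVENTS) if e]
    return events, correlate_bruteforce(events)
```

Because the rule runs on the normalised schema rather than on the raw text, the SSH and LDAP failures from the same source count towards one alarm, which is the cross-protocol case listed above.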

2.2.3 Process Mining

Some advanced tools used for the evaluation of security events make use of process mining. This concerns the extraction of knowledge about a business process from sources such as process execution logs. This alternative mining perspective aims to gain insight from varied views such as process control flow and performance [50].

In such cases, the tool analyses the known control flow of the event-driven processes involved for any deviations from the required security properties for that environment. Deviations can arise from anomalies caused by attacker interactions, problems incurred with measurements (e.g. loss of events) or an evolution in the process specification [27].

Figure 2.2 is an example of event processing performed by MASSIF's process mining tool [27], the Predictive Security Analyser (PSA). To use this technique, there are a few steps that need to be followed. First, certain security requirements are identified that the event-driven processes need to adhere to, somewhat like the business rules of a process flow.

These rules are specifications of the required security properties the monitored process should adhere to. Process specifications can be determined from process discovery tools; e.g. Petri net specifications can be converted by ProM, a downloadable process mining tool¹ that caters for many modelling languages.

After the requirements have been determined, a process model is created that will encompass the incoming events, and the events themselves need to be made available in real time through a collecting process.

If a critical state is reached (a violation of the business rules), the tool provides a process-oriented visualisation of the problem, offering situational awareness of process states and alarm generation methods that can be directed to report into the central response centre of a SIEM.

¹ http://www.promtools.org/prom6/

Figure 2.2: PSA Event Processing [27]
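To make the conformance step of 2.2.3 concrete, here is an added example (not code from MASSIF, the PSA or ProM) that replays a constructed event log against a hypothetical control-flow model plus one security rule, and reports each case's deviations. The model, the four-eyes rule, the case ids and the users are all assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical process model (control-flow specification): for each state, the
# activities allowed next and the state they lead to. "end" marks a completed case.
MODEL = {
    "start":     {"request": "requested"},
    "requested": {"approve": "approved", "reject": "end"},
    "approved":  {"execute": "executed"},
    "executed":  {"close": "end"},
}

# Constructed event log of (case_id, activity, user). A conforms; B executes without
# approval (attacker interaction?); C self-approves; D never completes (lost events?).
EVENT_LOG = [
    ("A", "request", "alice"), ("A", "approve", "bob"), ("A", "execute", "alice"), ("A", "close", "alice"),
    ("B", "request", "carol"), ("B", "execute", "carol"), ("B", "close", "carol"),
    ("C", "request", "dave"), ("C", "approve", "dave"), ("C", "execute", "dave"), ("C", "close", "dave"),
    ("D", "request", "erin"), ("D", "approve", "frank"),
]

def check_conformance(log, model=MODEL):
    """Replay each case against the model and return {case_id: [deviations]}.
    Besides control flow, one security property is checked: the approver must
    differ from the requester (four-eyes rule)."""
    cases = defaultdict(list)
    for case_id, activity, user in log:
        cases[case_id].append((activity, user))
    findings = {}
    for case_id, trace in cases.items():
        state, deviations, requester = "start", [], None
        for activity, user in trace:
            if activity == "request":
                requester = user
            if activity == "approve" and user == requester:
                deviations.append(f"four-eyes violated: {user} approved own request")
            nxt = model.get(state, {}).get(activity)
            if nxt is None:
                # activity not allowed here: record it and stay in the current state
                deviations.append(f"unexpected '{activity}' in state '{state}'")
                continue
            state = nxt
        if state != "end":
            deviations.append(f"case incomplete, ended in state '{state}'")
        findings[case_id] = deviations
    return findings
```

The checker flags the deviation but cannot tell an attacker's action from a lost event or a changed specification; that distinction is exactly what the analyst's review of the visualised critical state is for.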

2.2.4 Attack Graphs

Security violations in a network can be caused by many factors such as security policy errors, system vulnerabilities, incorrect configurations and other security miscalculations. A malicious agent will use such vulnerabilities in the network as methods for penetrating the system. An assault follows a chain of attacks from one point of entry to the intended target machine, involving different network resources and a myriad of different types of attack actions. The step-by-step compromise can realise different security threats and possibilities for network compromise.

An attack graph is a calculation of the routes an attacker can take through system vulnerabilities. The graph can be seen as a collection of scenarios showing the various methods by which a malicious agent can compromise a target system. The correctness of a graph refers to the mitigation of an attacker route: the execution is successful, or correct, if the attacker cannot reach the intended target of compromise. The level of correctness is defined as a security property [55]. An example of a security property in a computer network would be a statement like "the intruder cannot get root access on the web server", similar to the security requirements of the process mining tool discussed earlier.

In SIEM systems, the security administrator is tasked with checking network configurations and security procedures to mitigate the level of vulnerability. Through the use of these graphs the administrator can perform security checks at various stages:

Exploitation Stage: Current security events and alerts can be taken into account, as well as changes in the configuration of computer networks. This includes the identification of new vulnerabilities, attack exploits and services to be added. The analysis is a continuous process of network monitoring, vulnerability assessment and security level evaluation.

System Design, First Stage Analysis: The specifications of the network configuration and security policies form the main input for performing security analysis.

Operational Stage: The main input is the actual parameters of the network configuration and security policy, including the alarm and security event sequences.

Therefore, system administrators would use such a tool to determine the security measures that need to be deployed to patch the detected vulnerabilities[55].
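The following added example (not from [55] or any attack-graph tool) shows the administrator's use of the graph described above: a hypothetical network is encoded as (host, privilege) nodes joined by placeholder vulnerability ids, the security property "the intruder cannot get root on the web server" is checked by reachability, and each single patch is evaluated for whether it restores the property. Hosts, privileges and the VULN-* labels are constructed assumptions.

```python
from collections import deque

# Hypothetical network: nodes are (host, privilege); a directed edge means the
# source state can reach the target state via the labelled placeholder vulnerability.
EDGES = [
    (("internet", "none"), ("web", "user"), "VULN-WEB-1"),
    (("web", "user"),      ("web", "root"), "VULN-WEB-2"),
    (("web", "user"),      ("db", "user"),  "VULN-DB-1"),
    (("db", "user"),       ("web", "root"), "VULN-DB-2"),
]
ENTRY, TARGET = ("internet", "none"), ("web", "root")

def reachable_path(edges, start, goal):
    """Breadth-first search over the attack graph; returns the list of vulnerability
    ids along one shortest route from start to goal, or None if goal is unreachable."""
    adj = {}
    for src, dst, vuln in edges:
        adj.setdefault(src, []).append((dst, vuln))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for dst, vuln in adj.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [vuln]))
    return None

def property_holds(edges, start=ENTRY, goal=TARGET):
    """The security property 'attacker at start cannot reach goal' holds iff no route exists."""
    return reachable_path(edges, start, goal) is None

def patches_that_restore(edges, start=ENTRY, goal=TARGET):
    """Which single vulnerabilities, if patched (edge removed), make the property hold.
    Patching a vulnerability on one route is not enough when an alternative route remains."""
    return [v for _, _, v in edges
            if property_holds([e for e in edges if e[2] != v], start, goal)]
```

In this constructed graph only the entry-point vulnerability cuts every route; patching VULN-WEB-2 alone leaves the detour through the database host, which is the kind of result the graph makes visible before a patch is chosen.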
