Advances in Cyber Security Analytics and Decision Systems by Shishir K. Shandilya & Neal Wagner & Atulya K. Nagar
Author: Shishir K. Shandilya & Neal Wagner & Atulya K. Nagar
Language: eng
Format: epub
ISBN: 9783030193539
Publisher: Springer International Publishing
2 The Peculiarities of Event Correlation and Security Assessment
Event correlation makes it possible to detect security incidents, as well as the chains of security events that led to them. In this chapter we consider the correlation process as a whole and its key stages: normalization, aggregation, and correlation proper (the remaining stages, namely filtering, anonymization, and prioritization, are out of the scope of this chapter), as well as the main methods of data correlation and the sources of security data.
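As an added example, not code from the chapter, the following Python runs the three stages named above over a few constructed log lines from two heterogeneous sources (sshd syslog lines and a firewall CSV export): normalization into a common schema, aggregation of repeated events into counted records, and correlation into an incident that keeps the chain of events that produced it. The correlation rule (three or more failed logins followed, within a window, by a successful login from the same address) is a constructed rule-based one, i.e. the baseline the chapter contrasts with data mining; the log formats, field names, windows, and the year assumed for the syslog timestamps are all assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs): sshd syslog lines from two hosts
# and one CSV line exported by a firewall, deliberately in two different formats.
RAW_EVENTS = [
    "Jan 10 10:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 10 10:00:03 host1 sshd[1234]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Jan 10 10:00:05 host1 sshd[1234]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2024-01-10T10:00:07Z,fw1,DENY,203.0.113.7,10.0.0.5,3389",
    "Jan 10 10:00:09 host1 sshd[1240]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    "Jan 10 10:00:30 host2 sshd[77]: Failed password for bob from 198.51.100.2 port 4000 ssh2",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year


def normalize(line):
    """Stage 1: map one raw line onto the common schema
    {ts, src, host, ip, user, kind}; returns None for lines no parser understands."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return {"ts": ts, "src": "sshd", "host": m["host"], "ip": m["ip"],
                "user": m["user"], "kind": kind}
    parts = line.split(",")
    if len(parts) == 6 and parts[2] in ("DENY", "ALLOW"):
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "src": "fw", "host": parts[1], "ip": parts[3],
                "user": None, "kind": "fw_" + parts[2].lower()}
    return None


def aggregate(events, window=timedelta(seconds=60)):
    """Stage 2: collapse repeats of the same (source, host, ip, kind) that arrive
    within `window` of each other into one record with a count, so a thousand-line
    brute force becomes a single aggregated event. Interleaved events from other
    sources do not break an open aggregate, because aggregates are tracked per key."""
    open_aggs, out = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["host"], e["ip"], e["kind"])
        agg = open_aggs.get(key)
        if agg and e["ts"] - agg["last_ts"] <= window:
            agg["count"] += 1
            agg["last_ts"] = e["ts"]
            agg["users"].add(e["user"])
        else:
            agg = {"key": key, "first_ts": e["ts"], "last_ts": e["ts"],
                   "count": 1, "users": {e["user"]}}
            open_aggs[key] = agg
            out.append(agg)
    return out


def correlate(aggs, min_failures=3, window=timedelta(minutes=5)):
    """Stage 3: link aggregated events, possibly from different sources, into
    incidents. Constructed rule: >= min_failures failed logins from one IP followed
    within `window` by a successful login from the same IP. The chain of
    contributing events (including firewall events from that IP in between) is
    attached so an analyst can see how the incident was built."""
    incidents = []
    fails = [a for a in aggs if a["key"][3] == "auth_fail"]
    for ok in (a for a in aggs if a["key"][3] == "auth_ok"):
        ip = ok["key"][2]
        prior = [f for f in fails if f["key"][2] == ip and f["count"] >= min_failures
                 and timedelta(0) <= ok["first_ts"] - f["last_ts"] <= window]
        if not prior:
            continue
        related = [a for a in aggs if a["key"][2] == ip and a["key"][0] != "sshd"
                   and prior[0]["first_ts"] <= a["first_ts"] <= ok["first_ts"]]
        chain = sorted(prior + related + [ok], key=lambda a: a["first_ts"])
        incidents.append({"type": "bruteforce_success", "ip": ip,
                          "host": ok["key"][1], "chain": chain})
    return incidents


def run_pipeline(lines):
    """normalize -> aggregate -> correlate; unparseable lines are dropped."""
    normalized = [e for e in map(normalize, lines) if e is not None]
    return correlate(aggregate(normalized))


if __name__ == "__main__":
    for inc in run_pipeline(RAW_EVENTS):
        print(inc["type"], inc["ip"], "->", inc["host"])
        for a in inc["chain"]:
            print("  ", a["first_ts"], a["key"][3], "x", a["count"], sorted(map(str, a["users"])))
```

The single-address brute force from host2 produces no incident because it never reaches the failure threshold and has no success; the firewall denial is attached to the host1 incident only because it comes from the same address inside the window. Replacing the fixed rule in `correlate` with relationships learned from the data is exactly the move the chapter argues for.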
Existing security management systems usually implement a rule-oriented approach to event processing. The disadvantages of this approach are its complexity and the large amount of time required to define the rules manually. In addition, the effectiveness of correlation under this approach depends directly on the qualification of the administrator who writes the rules.
Data mining is preferable for efficient security management because it allows correlating events without predefined conditions and with minimal manual configuration. The approach proposed in the chapter is based on syntactic and semantic analysis of security events and information. It is designed to implement adaptive data correlation in large-scale, heterogeneous, uncertain infrastructures.
An infrastructure is uncertain when no prior information is available about its architecture, the types of its elements, their characteristics, or their relationships.
An infrastructure is large-scale when the number of information sources and of their types is, conditionally, unlimited. The key feature of the approach is the definition of various relationships between the properties of events as part of the automated adaptation of the correlation process. The result of analyzing the obtained relationships is a typed and structural description of the analyzed infrastructure, or an approximation of it, including detection of the most stable connections between its elements. In the chapter we describe the model of an uncertain infrastructure and the techniques for correlating security events and information.
The security assessment task covers identification, analysis, and evaluation of security risks. The chapter describes our approach to security assessment based on Bayesian attack graphs (which represent all possible attack paths in the system and their probabilities) and on open standards for representing security data, including Common Platform Enumeration (CPE), Common Vulnerabilities and Exposures (CVE), and the Common Vulnerability Scoring System (CVSS).
We outline the advantages and disadvantages of this approach and explain the reasons for, and the advantages of, moving to an approach based on security data mining. In particular, within the scope of risk analysis, risks should be quantified. This task splits into calculating the impact of successful attacks and calculating the probability that attacks succeed.
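As an added illustration (not code from the chapter) of the Bayesian attack graph approach and of the impact-times-probability decomposition above, the following Python computes, for a small constructed attack graph, the marginal probability that each attacker privilege is reached, and multiplies it by a constructed asset criticality to obtain a quantified risk per asset. Each step's local success probability is derived from CVSS v2 base metrics; that mapping (the exploitability subscore scaled to the interval from 0 to 1) is an assumption of the example, as are the graph, its CVSS vectors, the OR/AND gate semantics, and the impact values.

```python
# CVSS v2 base-metric weights: Access Vector, Access Complexity, Authentication.
CVSS2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
CVSS2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
CVSS2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}


def exploit_probability(av, ac, au):
    """Local probability that one attack step succeeds once its precondition holds.
    Assumption: the CVSS v2 exploitability subscore (20*AV*AC*Au, range 0..10)
    divided by 10, a mapping commonly used with Bayesian attack graphs."""
    return 20 * CVSS2_AV[av] * CVSS2_AC[ac] * CVSS2_AU[au] / 10


# Constructed attack graph (an assumption, not taken from the chapter). Each node is
# a privilege the attacker may obtain; "p" is the local step probability given the
# precondition; "gate" says whether any (OR) or all (AND) parents must already be
# compromised; "impact" is a constructed asset criticality in [0, 1].
ATTACK_GRAPH = {
    "attacker":     {"parents": [], "p": 1.0, "gate": "OR", "impact": 0.0},
    "web_rce":      {"parents": ["attacker"], "gate": "OR", "impact": 0.4,
                     "p": exploit_probability("N", "L", "N")},
    "vpn_creds":    {"parents": ["attacker"], "gate": "OR", "impact": 0.3,
                     "p": exploit_probability("N", "M", "S")},
    "db_access":    {"parents": ["web_rce", "vpn_creds"], "gate": "OR", "impact": 0.8,
                     "p": exploit_probability("A", "L", "S")},
    "domain_admin": {"parents": ["db_access"], "gate": "OR", "impact": 1.0,
                     "p": exploit_probability("L", "H", "S")},
}


def topological_order(graph):
    """Parents before children, so each node's precondition is decided first."""
    order, seen = [], set()

    def visit(n):
        if n in seen:
            return
        seen.add(n)
        for q in graph[n]["parents"]:
            visit(q)
        order.append(n)

    for n in graph:
        visit(n)
    return order


def attack_marginals(graph):
    """Exact marginal P(node compromised) by enumerating every joint state of the
    graph in topological order. This is exponential in the number of nodes, which is
    why real tools use approximate inference on large graphs; it is exact here and
    correctly handles nodes that share ancestors."""
    order = topological_order(graph)
    marg = {n: 0.0 for n in order}

    def rec(i, state, weight):
        if weight == 0.0:          # prune impossible branches early
            return
        if i == len(order):        # complete joint state: credit its mass
            for n in order:
                if state[n]:
                    marg[n] += weight
            return
        n, node = order[i], graph[order[i]]
        if node["parents"]:
            flags = [state[q] for q in node["parents"]]
            enabled = all(flags) if node["gate"] == "AND" else any(flags)
        else:
            enabled = True         # root: the attacker's starting position
        p = node["p"] if enabled else 0.0
        for value, w in ((True, p), (False, 1.0 - p)):
            state[n] = value
            rec(i + 1, state, weight * w)
        del state[n]

    rec(0, {}, 1.0)
    return marg


def risk_table(graph):
    """Quantified risk per asset = P(compromise) * impact."""
    marg = attack_marginals(graph)
    return {n: marg[n] * graph[n]["impact"] for n in graph}


if __name__ == "__main__":
    for n, r in risk_table(ATTACK_GRAPH).items():
        print(f"{n:14s} risk={r:.4f}")
```

In this graph the database is reachable by either of two routes, so its probability is close to the local step probability, while domain admin sits behind a low-exploitability local step and ends up around 0.08; the impact weights then decide which of the two drives the risk ranking. A node with `"gate": "AND"` models a step that needs several preconditions at once, and its marginal is correspondingly the joint probability of all of them.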
To calculate the possible impact, it is first necessary to determine the assets of the information system and calculate their criticality. These tasks are often solved manually by experts. Manual determination of the infrastructure of an information system and of its primary and secondary assets is complicated, especially if the infrastructure is constantly changing. Therefore, to automate it, we suggest using the correlation and data mining methods described in the chapter, including