Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System

  • Kai-Oliver Detken
  • Dirk Scheuermann
  • Bastian Hellmann
Conference paper

DOI: 10.1007/978-3-319-20472-7_48

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9141)
Cite this paper as:
Detken KO., Scheuermann D., Hellmann B. (2015) Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System. In: Tan Y., Shi Y., Buarque F., Gelbukh A., Das S., Engelbrecht A. (eds) Advances in Swarm and Computational Intelligence. ICSI 2015. Lecture Notes in Computer Science, vol 9141. Springer, Cham

Abstract

The threat of cyber-attacks is growing, as numerous negative security news items and reports show [8]. Today many security components (e.g. anti-virus systems, firewalls, and IDS) are available to protect enterprise networks; unfortunately, they work independently of each other, in isolation. Many attacks, however, can only be recognized if the logs and events of different security components are combined and correlated with one another. Existing specifications of the Trusted Computing Group (TCG) already provide a standardized protocol for metadata collection and exchange named IF-MAP. This protocol is very useful for network security applications and for correlating different metadata in one common database, which in turn makes it well suited to Security Information and Event Management (SIEM) systems. In this paper we present a SIEM architecture developed during a research project called SIMU. Additionally, we introduce a new kind of metadata that can be helpful for domains not covered by the existing TCG specifications. To this end, a metadata model with unique data types has been designed for higher flexibility. For its realization, two different extensions are discussed in this paper: a new feature model or an additional service identifier.

Keywords

Security Information and Event Management (SIEM), Anomaly detection, IF-MAP, Metadata schema, Trusted computing, Feature model

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Kai-Oliver Detken, DECOIT GmbH, Bremen, Germany
  • Dirk Scheuermann, Fraunhofer Institute for Secure Information Technology, Darmstadt, Germany
  • Bastian Hellmann, University of Applied Sciences and Arts of Hanover, Hanover, Germany