As cyber-attacks increase in frequency and sophistication, the need for intelligent automated defenses increases, but the quality of the software logs available for this purpose is questionable. To address this problem, this paper proposes a new approach to logging called semantic events. The approach developed out of an empirical, qualitative investigation of a range of logs and existing standards, and is motivated by the desire to normalize events so that broad cross-log analyses can be conducted to detect security issues. A key finding is that logs are often hard to understand. An analysis of the causes of this led to the development of a linguistics-inspired event model and a method to interpret and represent logs using a kind of controlled natural language; these representations are the essence of the semantic events. They are convertible to an ontology that can be loaded into Protégé to perform reasoning and consistency checking. Crucially, they are stored in a knowledge base for re-use across logs to enable broad analyses.
Keywords: Semantic event, Event model, Logging, Security, Semantics, Ontology, Protégé, Controlled natural language
This work was made possible by the encouragement and support of highly valued colleagues.
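The abstract describes interpreting heterogeneous logs into a shared, linguistics-inspired event model, checking the result for consistency, and converting it to ontology triples so that one analysis can run across several logs. The following Python sketch is an added illustration of that workflow and is not the paper's model or code: the role names (agent, theme, source, target, outcome), the controlled action vocabulary, the per-log interpreters and the sample log lines are all constructed here as assumptions, and the "ontology" output is a plain list of triples rather than anything Protégé loads directly.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed controlled vocabulary of actions; every interpreted event must use one of these.
CONTROLLED_ACTIONS = {"authenticate", "connect"}
OUTCOMES = {"success", "failure", "unknown"}


@dataclass(frozen=True)
class SemanticEvent:
    """One normalised event. Roles are loosely modelled on linguistic semantic roles
    (agent = who acted, theme = what was acted on); the role set is an assumption."""
    agent: str
    action: str
    theme: Optional[str]
    source: Optional[str]
    target: Optional[str]
    outcome: str          # one of OUTCOMES
    origin_log: str       # which native log the event was interpreted from


# Constructed sample records in three different native formats: (log name, raw line).
SAMPLE_LOGS = [
    ("sshd", "Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2"),
    ("sshd", "Accepted publickey for alice from 198.51.100.7 port 50123 ssh2"),
    ("webapp", "login user=admin result=FAIL src=203.0.113.5"),
    ("fw", "action=allow src=198.51.100.7 dst=10.0.0.8 dport=22"),
]


def _kv(line: str) -> dict:
    """Parse space-separated key=value tokens (the webapp and firewall sample formats)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def interpret_sshd(line: str) -> Optional[SemanticEvent]:
    m = re.match(r"^(Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+", line)
    if not m:
        return None
    status, user, src = m.groups()
    outcome = "success" if status == "Accepted" else "failure"
    return SemanticEvent(user, "authenticate", "sshd", src, None, outcome, "sshd")


def interpret_webapp(line: str) -> Optional[SemanticEvent]:
    kv = _kv(line)
    if not line.startswith("login") or "user" not in kv:
        return None
    outcome = "success" if kv.get("result") == "OK" else "failure"
    return SemanticEvent(kv["user"], "authenticate", "webapp", kv.get("src"), None, outcome, "webapp")


def interpret_firewall(line: str) -> Optional[SemanticEvent]:
    kv = _kv(line)
    if "src" not in kv or "dst" not in kv:
        return None
    outcome = "success" if kv.get("action") == "allow" else "failure"
    return SemanticEvent(kv["src"], "connect", kv.get("dport"), kv["src"], kv["dst"], outcome, "fw")


# The reusable "knowledge" here is the mapping from a log name to its interpreter.
INTERPRETERS = {"sshd": interpret_sshd, "webapp": interpret_webapp, "fw": interpret_firewall}


def normalise(records) -> list:
    """Interpret every record with its log's interpreter; lines that do not parse are skipped."""
    events = []
    for log_name, line in records:
        ev = INTERPRETERS[log_name](line)
        if ev is not None:
            events.append(ev)
    return events


def check_consistency(events) -> list:
    """Return human-readable problems, e.g. an action outside the controlled vocabulary."""
    problems = []
    for ev in events:
        if ev.action not in CONTROLLED_ACTIONS:
            problems.append(f"{ev.origin_log}: action {ev.action!r} not in controlled vocabulary")
        if ev.outcome not in OUTCOMES:
            problems.append(f"{ev.origin_log}: outcome {ev.outcome!r} not in {sorted(OUTCOMES)}")
    return problems


def to_triples(ev: SemanticEvent, idx: int) -> list:
    """Flatten one event into (subject, predicate, object) triples, the shape an ontology loader expects."""
    subj = f"event:{ev.origin_log}:{idx}"
    roles = {"hasAgent": ev.agent, "hasAction": ev.action, "hasTheme": ev.theme,
             "hasSource": ev.source, "hasTarget": ev.target, "hasOutcome": ev.outcome}
    return [(subj, "rdf:type", "SemanticEvent")] + [(subj, p, o) for p, o in roles.items() if o is not None]


def failed_auth_sources_across_logs(events, min_logs: int = 2) -> dict:
    """Cross-log query: (agent, source) pairs with failed authentication in at least min_logs distinct logs."""
    seen = defaultdict(set)
    for ev in events:
        if ev.action == "authenticate" and ev.outcome == "failure":
            seen[(ev.agent, ev.source)].add(ev.origin_log)
    return {key: sorted(logs) for key, logs in seen.items() if len(logs) >= min_logs}


if __name__ == "__main__":
    evs = normalise(SAMPLE_LOGS)
    print("consistency problems:", check_consistency(evs))
    print("cross-log failed auth:", failed_auth_sources_across_logs(evs))
```

The point of the query at the end is that it is written once, against the roles of the event model, and sees the same user/source pair failing in both the sshd and webapp logs without knowing either native format; adding a fourth log means writing one more interpreter, not another query.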