Towards a Security Event Data Taxonomy

  • Gustavo Gonzalez-Granadillo
  • José Rubio-Hernán
  • Joaquin Garcia-Alfaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10694)


The information required to build appropriate impact models depends directly on the nature of the system. The information handled by health care systems, for instance, is markedly different from the information obtained by energy, telecommunication, transportation, or water supply systems. It is therefore important to properly classify the data of security events according to the nature of the system. This paper proposes an event data classification based on four main aspects: (i) the system’s criticality, i.e., critical vs. non-critical; (ii) the geographical location of the target system, i.e., internal vs. external; (iii) the time at which the information is obtained and used by the attacker, i.e., a priori vs. a posteriori; and (iv) the nature of the data, i.e., logical vs. physical. The ultimate goal of the proposed taxonomy is to help organizations in the assessment of their assets and events.


Security event taxonomy, Data classification, Risk assessment, Countermeasure selection



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Gustavo Gonzalez-Granadillo (1)
  • José Rubio-Hernán (2)
  • Joaquin Garcia-Alfaro (2)

  1. Atos Research & Innovation, Cybersecurity Laboratory, Barcelona, Spain
  2. Institut Mines-Télécom, Télécom SudParis, CNRS UMR 5157 SAMOVAR, Evry, France
