Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System

Part of the Lecture Notes in Computer Science book series (LNTCS, volume 9141)

Abstract

The threat of cyber-attacks is growing, as several negative security news items and reports show [8]. Today many security components (e.g. anti-virus systems, firewalls, and IDS) are available to protect enterprise networks; unfortunately, they work independently of each other, in isolation. But many attacks can only be recognized if the logs and events of different security components are combined and correlated with each other. Existing specifications of the Trusted Computing Group (TCG) already provide a standardized protocol for metadata collection and exchange named IF-MAP. This protocol is very useful for network security applications and for the correlation of different metadata in one common database, which in turn makes it well suited to Security Information and Event Management (SIEM) systems. In this paper we present a SIEM architecture developed during a research project called SIMU. Additionally, we introduce a new kind of metadata that can be helpful for domains not covered by the existing TCG specifications. To this end, a metadata model with unique data types has been designed for higher flexibility. For its realization two different extensions are discussed in this paper: a new feature model or an additional service identifier.

Keywords

  • Security Information and Event Management (SIEM)
  • Anomaly detection
  • IF-MAP
  • Metadata schema
  • Trusted computing
  • Feature model

References

  1. SIMU project website. http://www.simu-project.de

  2. Federal Ministry of Education and Research. http://www.bmbf.de/en/index.php

  3. Jamil, A.: The difference between SEM, SIM and SIEM, July 29, 2009

  4. Williams, A.: The Future of SIEM – The market will begin to diverge, January 1, 2007

  5. TCG: TNC IF-MAP Metadata for Network Security. Trusted Network Connect, Specification Version 1.1, Revision 8, Trusted Computing Group (2012)

  6. TCG: TNC IF-MAP Binding for SOAP. Trusted Network Connect, Specification Version 2.2, Revision 9, Trusted Computing Group (2014)

  7. Birkholz, H., Sieverdingbeck, I., Sohr, K., Bormann, C.: IO: an interconnected asset ontology in support of risk management processes. In: IEEE Seventh International Conference on Availability, Reliability and Security, pp. 534–541 (2012)

  8. Shahd, M., Fliehe, M.: Fast ein Drittel der Unternehmen verzeichnen Cyberangriffe. BITKOM news release from 11 March 2014, CeBIT, Hanover (2014)

  9. ESUKOM project website. http://www.esukom.de

  10. Ahlers, V., Heine, F., Hellmann, B., Kleiner, C., Renners, L., Rossow, T., Steuerwald, R.: Replicable security monitoring: visualizing time-variant graphs of network metadata. In: Joint Proceedings of the Fourth International Workshop on Euler Diagrams (ED 2014) and the First International Workshop on Graph Visualization in Practice (GViP 2014), co-located with Diagrams 2014, Number 1244 in CEUR Workshop Proceedings, pp. 32–41 (2014)

Author information

Corresponding author: Kai-Oliver Detken.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Detken, K.-O., Scheuermann, D., Hellmann, B. (2015). Using Extensible Metadata Definitions to Create a Vendor-Independent SIEM System. In: Tan, Y., Shi, Y., Buarque, F., Gelbukh, A., Das, S., Engelbrecht, A. (eds) Advances in Swarm and Computational Intelligence. ICSI 2015. Lecture Notes in Computer Science, vol 9141. Springer, Cham. https://doi.org/10.1007/978-3-319-20472-7_48

  • DOI: https://doi.org/10.1007/978-3-319-20472-7_48

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20471-0

  • Online ISBN: 978-3-319-20472-7

  • eBook Packages: Computer Science (R0)