SIEM (Security Information Event Management) Model for Malware Attack Detection Using Suricata and Evebox

  • Hendra Setiawan
  • Wiwin Sulistyo

Abstract

Malware, or malicious software, is software or program code designed specifically to damage the software on a computer or to perform other malicious activity. It spreads over the internet and includes viruses and many other forms of malicious code. The losses it causes may be financial or may take the form of disruption to business processes. Malware attacks can be prevented by analyzing the malware to learn how it works and what its characteristics are. This information can be used to define an Indicator of Compromise (IOC), which is stored in a Cyber Threat Intelligence (CTI) system intended to serve as an information source for tools such as the Intrusion Prevention System (IPS) Suricata. An Intrusion Detection System (IDS) can detect the presence of malware and identify the same malware again with the signature-based detection method. The resulting logs and alerts are then stored in a database by EveBox and organized so that they are easier to read. All of these components together form the Security Information and Event Management (SIEM) model. The SIEM model can detect malware attacks based on their characteristics and store logs and alerts in real time for deeper analysis by the Security Operations Center (SOC).

Citation (APA)

Hendra Setiawan, & Wiwin Sulistyo. (2023). SIEM (Security Information Event Management) Model for Malware Attack Detection Using Suricata and Evebox. International Journal of Engineering Technology and Natural Sciences, 5(2), 138–147. https://doi.org/10.46923/ijets.v5i2.241
