Implementing a Semantic Approach for Events Correlation in SIEM Systems

Abstract

Efficient reasoning in intrusion detection needs to manipulate different information provided by several analyzers in order to build a reliable overview of the underlying monitored system trough a central security information and event management system (SIEM). SIEM provides many functions to take benefit of collected data, such as Normalization, Aggregation, Alerting, Archiving, Forensic analysis, Dashboards, etc. The most relevant function is Correlation, when we can get a precise and quick picture about threats and attacks in real time. Since information provided by SIEM is in general structured and can be given in XML, we propose in this paper to use an ontological representation based on Description Logics (DLs) which is a powerful tool for knowledge representation and reasoning. Indeed, Ontology provides a comprehensive environment to represent any kind of information in intrusion detection. Moreover, basing on DLs and rules, Ontology is able to ensure a decidable reasoning. Basing on the proposed ontology, an alert correlation prototype is implemented and two attack scenarios are carried out to show the usefulness of the semantic approach.