The technology of Security Information and Event Management (SIEM) becomes one of the most important research applications in the area of computer network security. The overall functionality of SIEM systems depends largely on the quality of solutions implemented at the data storage level, which is purposed for the representation of heterogeneous security events, their storage in the data repository, and the extraction of relevant data for analytical modules of SIEM systems. The paper discusses the key issues of design and implementation of a hybrid SIEM data repository, which combines relational and ontological data representations. Based on the analysis of existing SIEM systems and standards, the ontological approach is chosen as a core component of the repository, and an example of the ontological data model for vulnerabilities representation is outlined. The hybrid architecture of the repository is proposed for implementation in SIEM systems. Since the most of works on the repositories of SIEM systems is based on the relational data model, the paper focuses mainly on the ontological part of the hybrid approach. To test the repository we used the data model intended for attack modeling and security evaluation, which includes both ontological and relational dimensions.
References
[1]
Miller, D.; Harris, S.; Harper, A.; VanDyke, S.; Blask, C. Security Information and Event Management (SIEM) Implementation; McGraw-Hill Companies: Columbus, OH, USA, 2011.
Baader, F.; Horrocks, I.; Sattler, U. Description logics as ontology languages for the semantic web. Mech. Math. Reason. 2005, 2605, 228–248.
[4]
Herzog, A.; Shahmehri, N.; Duma, C. An ontology of information security. Int. J. Inf. Secur. Privacy 2007, 1, 1–23, doi:10.4018/jisp.2007100101.
[5]
López de Vergara, J.E.; Villagrá, V.A.; Holgado, P.; de Frutos, E.; Sanz, I. A semantic Web approach to share alerts among security information management systems. Commun. Comput. Inf. Sci. 2010, 72, 27–38, doi:10.1007/978-3-642-16120-9_14.
[6]
Cruz, I.F.; Gjomemo, R.; Lin, B.; Orsini, M. A Constraint and Attribute Based Security Framework for Dynamic Role Assignment in Collaborative Environments. In Proceedings of the 4th International Conference on Collaborative Computing, Orlando, FL, USA, 13–16 November 2008; pp. 322–339.
[7]
Kolovski, V.; Hendler, J.; Parsia, B. Analyzing Web Access Control Policies. In Proceedings of the 16th international Conference on World Wide Web, Banff, AB, Canada, 8–12 May 2007; pp. 677–686.
[8]
Rochaeli, T.; Eckert, C. RBAC Policy Engineering with Patterns. In Proceedings of the Semantic Web and Policy Workshop, Galway, Ireland, 7 November 2005.
[9]
Fitzgerald, W.M.; Foley, S.N.; O’Foghlu, M. Confident Firewall Policy Configuration Management using Description Logic. In Proceedings of the Twelfth Nordic Workshop on Secure IT Systems, Reykjavik, Iceland, 11–12 October 2007.
[10]
Taylor, K.; Leidinger, L. Ontology-Driven Complex Event Processing in Heterogeneous Sensor Networks. The Semanic Web: Research and Applications. In Proceedings of the 8th Extended Semantic Web Conference (ESWC’11), Heraklion, Greece, 29–30 May 2011; pp. 285–299.
[11]
Razzaq, A.; Ahmed, H.F.; Hur, A.; Haider, N. Ontology Based Application Level Intrusion Detection System by Using Bayesian Filter. In Proceedings of 2nd International Conference on Computer, Control and Communication (IC4), Karachi, Pakistan, 17–18 February 2009; pp. 1–6.
[12]
Rochaeli, T.; Eckert, C. Attack Goal Generation Using Description Logic-Based Knowledge Representation. In Proceedings of the 2005 International Workshop on Description Logics (DL2005), Edinburgh, Scotland, UK, 26–28 July 2005.
[13]
Schatz, B.; Mohay, G.; Clark, A. Generalizing Event Forensics across Multiple Domains. In Proceedings of the 2nd Australian Computer Network & Information Forensics Conference (Forensics 2004), Edith Cowan University, Perth, Australia, 25 November 2004; pp. 136–144.
[14]
Kenaza, T.; Yahi, S.; Benferhat, S. From representing contextual intrusion detection information in description logics to monitoring target events. Agence Natl. Rech. Délivr. 2006, 10, 1–19.
[15]
Nicolett, M.; Kavanagh, K.M. Critical Capabilities for Security Information and Event Management. Gartner RAS Core Research Note G00 212420; Gartner: Stamford, CT, USA, 2012.
[16]
Ogle, D.; Kreger, H.; Salahshour, A.; Cornpropst, J.; Labadie, E.; Chessell, M.; Horn, B.; Gerken, J.; Schoech, J.; Wamboldt, M. Canonical Situation Data Format: The Common Base Event V1.0.1; International Business Machines Corporation: Armonk, NY, USA, 2004.
[17]
Common Event Format. Available online: http://www.arcsight.com/solutions_cef.htm (accessed on 25 January 2013).
[18]
Curry, D.; Debar, H. Intrusion detection message exchange format data model and extensible markup language (XML) document type definitionTechnical report. IETF Intrusion Detection Working Group, 2003. 2003. Available online: http://www.ietf.org/proceedings/50/I-D/idwg-idmef-xml-03.txt (accessed on 25 January 2013).
[19]
Common Information Model (CIM), DMTF. Available online: http://dmtf.org/standards/cim (accessed on 25 January 2013).
[20]
Security Content Automation Protocol (SCAP). Available online: http://scap.nist.gov (accessed on 25 January 2013).
[21]
Kotenko, I.; Chechulin, A.; Novikova, E. Attack Modelling and Security Evaluation for Security Information and Event Management. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 2012), Rome, Italy, 24–27 July 2012; pp. 391–394.
[22]
Kotenko, I.; Polubelova, O.; Saenko, I. Data Repository for Security Information and Event Management in Service Infrastructures. In Proceedings of 9th International Joint Conference on e-Business and Telecommunications (ICETE 2012). International Conference on Security and Cryptography (SECRYPT 2012), Rome, Italy, 24–27 July 2012; pp. 308–313.
[23]
Garcia-Molina, H.; Ullman, J.D.; Widom, J.D. Database Systems. The Complete Book, 2nd ed. ed.; Pearson Prentice Hall: Upper Saddle River, NJ, USA, 2009.
[24]
Marco, D. Building and Managing the Meta Data Repository: A Full Lifecycle Guide; Wiley: Hoboken, NJ, USA, 2000.
[25]
Triple Store Evaluation Analysis Report, Revelytix Inc. Sparks, MD, USA, 2010.
[26]
Kotenko, I.; Polubelova, O.; Saenko, I. The Ontological Approach for SIEM Data Repository Implementation. In Proceeding of the2012 IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing, Besan?on, France, 20–23 November 2012; pp. 761–766.
[27]
Barret, R. XML Database Products: Native XML Databases. 2010. Available online: http://www.rpbourret.com/xml/ProdsNative.htm (accessed on 25 January 2013).
[28]
Storage and Inference Layer Solutions. Available online: http://alexidsa.blogspot.com/2009/12/sail.html (accessed on 25 January 2013).
[29]
Virtuoso. Available online: http://virtuoso.openlinksw.com (accessed on 25 January 2013).
[30]
Comparison of Triple Stores. Available online: http://www.bioontology.org/wiki/images/6/6a/Triple_Stores.pdf (accessed on 25 January 2013).
[31]
Web Services Description Language (WSDL) 1.1. Available online: http://www.w3.org/TR/wsdl (accessed on 25 January 2013).
[32]
Web Services. Available online: http://www.w3.org/2002/ws/ (accessed on 25 January 2013).
