Correlating IDS alerts with system logs by means of a network-centric SIEM solution
This thesis concerns the need for a network-centric Security Information and Event Management (SIEM) solution that correlates data based on network topology and traffic flow, and that takes into account the continuous change in such networks. The research question arises from the observation that current SIEM solutions are device-centric, with minimal understanding of the causal relationship between log events. Furthermore, the approaches in use are suboptimal at correlating data collected from scattered security systems (e.g. IDS, firewall), which requires security personnel to analyze larger data sets with a potentially high false-positive rate, rather than having the incidents validated, prioritized, and presented in a unified view. In this thesis we propose a conceptual model based on a network-centric approach and perform a case study of this model using Cisco NetFlow. We observe the model through a series of attacks and analyze whether it is a more viable approach to dealing with incidents than current approaches, and whether it makes it possible to reduce the number of alerts requiring follow-up and to prioritize incidents more accurately. The study identifies several network characteristics that may influence the practical implementation of such a model and proposes a set of requirements that a network-centric model should fulfill.
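The core idea of the model, validating an IDS alert against the flow records around it and ranking it by the value of the targeted asset, is illustrated below as an added example; it is not code from the thesis, and the record layout, 30-second window, criticality table and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Alert:            # IDS alert (field names are assumptions)
    ts: datetime; src: str; dst: str; dport: int; sig: str

@dataclass
class Flow:             # one unidirectional flow record, NetFlow v5 style
    start: datetime; src: str; sport: int; dst: str; dport: int; bytes: int

CRITICALITY = {"10.0.1.10": 3, "10.0.1.20": 1}   # constructed topology knowledge: asset value

def _near(flow, alert, window):
    return abs((flow.start - alert.ts).total_seconds()) <= window.total_seconds()

def correlate(alert, flows, window=timedelta(seconds=30)):
    """Validate one IDS alert against flow records and assign a follow-up priority."""
    fwd = [f for f in flows if _near(f, alert, window)
           and (f.src, f.dst, f.dport) == (alert.src, alert.dst, alert.dport)]
    rev = [f for f in flows if _near(f, alert, window)
           and (f.src, f.sport, f.dst) == (alert.dst, alert.dport, alert.src)]
    if not fwd:                                   # flow layer never saw it: blocked upstream or sensor artefact
        return {"sig": alert.sig, "dst": alert.dst, "status": "unconfirmed", "priority": 0}
    if not rev or sum(f.bytes for f in rev) == 0: # target never answered: scan, spoof or closed port
        return {"sig": alert.sig, "dst": alert.dst, "status": "one-way", "priority": 1}
    crit = CRITICALITY.get(alert.dst, 1)          # host unknown to the topology model: treat as low value
    return {"sig": alert.sig, "dst": alert.dst, "status": "validated", "priority": 1 + crit}

def triage(alerts, flows):
    """Return alerts ordered for follow-up, highest priority first."""
    return sorted((correlate(a, flows) for a in alerts), key=lambda r: -r["priority"])

def sample_data():
    t0 = datetime(2024, 1, 1, 12, 0, 0)          # constructed timestamps and addresses
    flows = [
        Flow(t0, "203.0.113.5", 44123, "10.0.1.10", 3306, 1200),
        Flow(t0 + timedelta(seconds=1), "10.0.1.10", 3306, "203.0.113.5", 44123, 8800),  # server replied
        Flow(t0, "203.0.113.5", 44124, "10.0.1.20", 22, 60),                              # SYN only, no reply
    ]
    alerts = [
        Alert(t0, "203.0.113.5", "10.0.1.10", 3306, "db-auth-anomaly"),
        Alert(t0, "203.0.113.5", "10.0.1.20", 22, "ssh-scan"),
        Alert(t0, "203.0.113.5", "10.0.1.30", 445, "smb-signature"),   # no flow at all
    ]
    return alerts, flows

if __name__ == "__main__":
    for r in triage(*sample_data()):
        print(r)
```

Only the first alert, where the flow data shows the critical host actually answering, reaches the analyst at high priority; the other two are ranked down without being discarded.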