A Dynamically Configurable Log-based Distributed Security Event Detection Methodology using Simple Event Correlator

Abstract

This research effort identifies attributes of distributed event correlation which make it desirable for security event detection, and evaluates those attributes in a comparison with a centralized alternative. Event correlation is an effective means of detecting complex situations encountered in information technology environments. Centralized, database-driven log event correlation is more commonly implemented, but suffers from flaws such as high network bandwidth utilization, significant requirements for system resources, and difficulty in detecting certain suspicious behaviors. This analysis measures the value in distributed event correlation by considering network bandwidth utilization, detection capability and database query efficiency, as well as through the implementation of remote configuration scripts and correlation of multiple log sources. These capabilities produce a configuration which allows a 99% reduction of network syslog traffic in the low-accountability case, and a significant decrease in database execution time through context-addition in the high-accountability case.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2010
Accession Number
ADA523531

Entities

People

  • Justin Myers

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Artificial Intelligence
  • Computer Crime
  • Computer Network Security
  • Computer Programming
  • Computer Programs
  • Computers
  • Cyberattacks
  • Cybersecurity
  • Cyberspace Operations
  • Databases
  • Department Of Defense
  • Information Systems
  • Intrusion Detection
  • Operating Systems
  • Shell Scripts
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computer Networking
  • Parallel and Distributed Computing.
  • Sensor Fusion and Tracking Systems.