Article code: 528112
Journal code: 869514
Year of publication: 2015
English article: 14 pages, PDF
Full-text version: free download
English title of the ISI article
Providing SIEM systems with self-adaptation
Related topics
Engineering and basic sciences; Computer engineering; Computer vision and pattern recognition
English abstract

• Our system optimizes the main SIEM functionalities by applying powerful AI techniques.
• We introduce an enhanced context-based event classifier based on Neural Networks, called CONTEXTUAL.
• We introduce an enhanced SIEM correlation engine based on Genetic Programming, called GENIAL.
• Our system is designed to be self-adaptive as the inferred correlation data can autonomously evolve.
• A real integration of our proposal within a SIEM platform (OSSIM) is conducted to evaluate its goodness.

Security information and event management (SIEM) is considered to be a promising paradigm for reconciling traditional intrusion detection processes with the most recent advances in artificial intelligence techniques in order to provide automatic and self-adaptive systems. However, classic management-related flaws still persist, e.g. the fusion of large amounts of security events reported by many heterogeneous systems, while novel and intriguing challenges arise, especially when dealing with the adaptation to newly encountered and multi-step attacks. In this article, we provide SIEM correlation with self-adaptation capabilities in order to optimize and significantly reduce the intervention of operators. In particular, our enhanced correlation engine automatically learns and produces correlation rules based on the context for different types of multi-step attacks using genetic programming. The context is considered as the knowledge and reasoning, not only acquired from a human expert but also inferred by our system, which assists in the identification and fusion of events. In this regard, a number of artificial neural networks are trained to classify events according to the corresponding context established for the attack. Experimentation is conducted on a real deployment within OSSIM to validate our proposal.


Publisher
Database: Elsevier - ScienceDirect
Journal: Information Fusion - Volume 21, January 2015, Pages 145–158
Authors