Rule Generation for TCP SYN Flood attack in SIEM Environment

Security Information and Event Management (SIEM) is a combination of Security Information Management and Security Event Management. SIEM helps in the collection of events from heterogeneous devices and ordering into Common Event Format. The events collected are correlated and observed for changes in the system behaviour. Homogeneous Events such as DoS/Probe attacks can be detected by monitoring single event source. In this paper, TCP SYN flood attack is considered. RETE algorithm is applied on the network event attributes to formulate the rules and stored in database. An alert is triggered, when the rule for TCP SYN attack is matched.