Title:

Detecting Security Violations Based on Multilayered Event Log Processing, Journal of Telecommunications and Information Technology, 2015, nr 4

Creator:

Kozakiewicz, Adam ; Lasota, Krzysztof ; Malec, Przemysław ; Piwowar, Anna

Subject and Keywords:

log analysis ; NIDS ; HIDS ; syslog

Description:

design. The first layer, named the event source layer, describes the sources of information that can be used for misuse investigation. The transport layer represents the method of collecting event data, preserving it in the form of logs and passing it to the next layer, called the analysis layer. This third layer is responsible for analyzing the logs' content, picking out relevant information and generating security alerts. The last layer, called the normalization layer, is custom software which normalizes and correlates the produced alerts to raise notice of more complex attacks. Logs from remote hosts are collected using the rsyslog software, and OSSEC HIDS with custom decoders and rules is used on a central log server for log analysis. A novel method of handling OSSEC HIDS alerts by normalizing and correlating them is proposed. The output can optionally be suppressed to protect the system against alarm floods and to reduce the number of messages transmitted over the network.

Publisher:

National Institute of Telecommunications

Date:

2015, nr 4

Resource Type:

article

Format:

application/pdf

Resource Identifier:

ISSN 1509-4553, on-line: ISSN 1899-8852

Source:

Journal of Telecommunications and Information Technology

Language:

English

Rights Management:

Biblioteka Naukowa Instytutu Łączności
