MASSIF: A Highly Scalable SIEM




MASSIF: A Highly Scalable SIEM Ricardo Jimenez-Peris Univ. Politecnica de Madrid (UPM) rjimenez@fi.upm.es DEMONS Workshop Berlin, April 25 th 2012

MASSIF in a Nutshell MASSIF aims at developing the next generation of SIEMs (Security Information and Event Management systems). MASSIF event correlation is based on complex event processing (CEP) technology. One of the project's main innovations is that the event correlation engine is highly scalable (able to process millions of events per second) and elastic. A main application is security for cloud applications, which are themselves scalable and elastic and therefore require scalable and elastic security technology.

Complex Event Processing: A Primer Complex event processing provides an in-memory version of database queries over streaming events. Each event stream can be considered an infinite table. Queries over event streams are similar to database queries but adapted to the continuous nature of event streams: a query never terminates, it keeps producing results as events arrive. Event queries are based on the sliding-window model, in which the query processes the events received in a temporal window, e.g., number of IP packets per destination IP address in the last hour.

Complex Event Processing: A Primer Sample security event schema: DevID: ID of the device generating the event. EvID: ID of the kind of event. SrcIP: Source IP address. DstIP: Destination IP address. Ts: Timestamp. Queries consist of interconnected operators that can be stateless (each output depends on a single input event, e.g., filtering or projection) or stateful (the output depends on several events kept in a window, e.g., aggregation or correlation).

Complex Event Processing: A Primer Event Transformation Example: Extracting attributes of interest from incoming events

Complex Event Processing: A Primer Event Filtering and Routing Example: Route Snort and Cisco PIX events to their own output streams, discard all others

Complex Event Processing: A Primer Event Merging Example: Merge Snort events from two different instances

Complex Event Processing: A Primer Event Aggregation Example: Count open connections per minute for each server

Complex Event Processing: A Primer Event Correlation Example: Correlate Snort and Cisco PIX events with the same SrcIP
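The five operator kinds in the primer (transformation, filtering and routing, merging, aggregation, correlation), implemented over events that follow the sample schema above. This is an added illustration, not code from the MASSIF engine; the sample streams are constructed for the example, timestamps are seconds, and the device-family naming (DevID prefix "snort-"/"pix-") is an assumption made here.

```python
"""Toy implementations of the five CEP operator kinds from the primer, run over
events that follow the slide's sample schema (DevID, EvID, SrcIP, DstIP, Ts).
Added illustrative code, not the MASSIF engine; Ts is in seconds."""
import heapq
from collections import defaultdict, deque

# Constructed sample streams, each already ordered by Ts (not real sensor output).
SNORT_A = [
    {"DevID": "snort-1", "EvID": "ssh_scan", "SrcIP": "10.0.0.5", "DstIP": "192.168.1.10", "Ts": 1},
    {"DevID": "snort-1", "EvID": "ssh_scan", "SrcIP": "10.0.0.5", "DstIP": "192.168.1.11", "Ts": 4},
]
SNORT_B = [
    {"DevID": "snort-2", "EvID": "web_probe", "SrcIP": "10.0.0.7", "DstIP": "192.168.1.20", "Ts": 2},
]
PIX = [
    {"DevID": "pix-1", "EvID": "conn_open", "SrcIP": "10.0.0.5", "DstIP": "192.168.1.10", "Ts": 3},
    {"DevID": "pix-1", "EvID": "conn_open", "SrcIP": "10.0.0.9", "DstIP": "192.168.1.10", "Ts": 50},
    {"DevID": "pix-1", "EvID": "conn_open", "SrcIP": "10.0.0.9", "DstIP": "192.168.1.10", "Ts": 70},
]
OTHER = [
    {"DevID": "apache-1", "EvID": "http_200", "SrcIP": "10.0.0.7", "DstIP": "192.168.1.20", "Ts": 2},
]

def sensor_of(ev):
    """Sensor family taken from the DevID prefix ("snort-1" -> "snort"); an assumption."""
    return ev["DevID"].split("-")[0]

def transform(stream, attrs=("SrcIP", "DstIP", "Ts")):
    """Stateless transformation: keep only the attributes of interest, add a derived one."""
    for ev in stream:
        out = {a: ev[a] for a in attrs}
        out["Sensor"] = sensor_of(ev)
        yield out

def route(stream):
    """Stateless filter + router: Snort and Cisco PIX events go to their own
    output streams; events from any other device are discarded."""
    outputs = {"snort": [], "pix": []}
    for ev in stream:
        if sensor_of(ev) in outputs:
            outputs[sensor_of(ev)].append(ev)
    return outputs

def merge(*streams):
    """Stateless merge of several Ts-ordered streams into one Ts-ordered stream."""
    return list(heapq.merge(*streams, key=lambda e: e["Ts"]))

def sliding_count(stream, key, window):
    """Stateful aggregation: for each event, the number of events sharing its `key`
    value whose Ts lies in (Ts - window, Ts], i.e. a sliding time window per key.
    With key="DstIP" and window=60 this is 'open connections per minute per server'."""
    seen = defaultdict(deque)          # key value -> timestamps still inside the window
    for ev in stream:
        q = seen[ev[key]]
        q.append(ev["Ts"])
        while q and q[0] <= ev["Ts"] - window:
            q.popleft()                # window state stays bounded by the window length
        yield (ev[key], ev["Ts"], len(q))

def correlate(left, right, window, key="SrcIP"):
    """Stateful correlation (windowed join): pairs of (left, right) events with the
    same `key` and timestamps at most `window` seconds apart. Each side keeps a
    per-key buffer that is pruned as time advances."""
    tagged = heapq.merge(((e["Ts"], "L", e) for e in left),
                         ((e["Ts"], "R", e) for e in right), key=lambda t: t[0])
    buf = {"L": defaultdict(deque), "R": defaultdict(deque)}
    matches = []
    for ts, side, ev in tagged:
        other = "R" if side == "L" else "L"
        q = buf[other][ev[key]]
        while q and q[0]["Ts"] < ts - window:
            q.popleft()
        for o in q:
            matches.append((ev, o) if side == "L" else (o, ev))
        buf[side][ev[key]].append(ev)
    return matches

def pipeline():
    """Wire the operators together the way the primer's examples suggest."""
    routed = route(SNORT_A + SNORT_B + PIX + OTHER)              # filtering and routing
    snort = merge(SNORT_A, SNORT_B)                              # merging two Snort instances
    per_server = list(sliding_count(routed["pix"], "DstIP", 60)) # aggregation per server
    alerts = correlate(snort, routed["pix"], window=5)           # Snort x PIX on SrcIP
    return {"routed": {k: len(v) for k, v in routed.items()},
            "merged_order": [e["DevID"] for e in snort],
            "per_server": per_server,
            "correlated": [(a["Ts"], b["Ts"], a["SrcIP"]) for a, b in alerts]}

if __name__ == "__main__":
    print(pipeline())
```

Note that only `sliding_count` and `correlate` keep state between events, and in both cases the state is bounded by the window, which is what makes these operators candidates for partitioning by key when the query is parallelized.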

MASSIF Correlation Engine: Innovations Based on complex event processing (CEP). Main innovations: Highly scalable thanks to parallel-distributed event processing. Elastic thanks to an elastic provisioner and online reconfiguration protocols. Scalability makes it possible to aggregate the resources of many nodes (hundreds) and so process millions of events per second. Elasticity means that only the resources actually required to process the incoming load are used.

MASSIF Correlation Engine: Ease of Use Transparent parallelization of CEP queries. Syntactic transparency: applications and queries remain unchanged, they are written as for a single node. Semantic transparency: the behavior remains unchanged, the parallel query produces the same results as the centralized one. Automatic translation of security directives into CEP queries: OSSIM SIEM directives are translated directly into CEP queries, so SIEM security experts do not need to learn CEP and can continue using the SIEM directives they already write.
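To make the directive-to-query translation concrete, the following added example compiles an OSSIM-style directive into a stateful correlation operator. The directive XML is constructed for this example (it follows the layout OSSIM directives use: nested `rule` elements with `plugin_id`/`plugin_sid`, `occurrence`, `time_out` and `1:SRC_IP`-style back-references to the first matched event), the plugin and sid numbers are illustrative, and the translation semantics (one nesting level, an event is consumed by the first open instance it advances) are a simplification written here; this is not MASSIF's translator.

```python
"""Illustration of turning an OSSIM-style correlation directive into a stateful CEP
query. Constructed directive and simplified semantics; not MASSIF's translator."""
import xml.etree.ElementTree as ET

DIRECTIVE = """
<directive id="500001" name="SSH brute force (constructed sample)" priority="3">
  <rule type="detector" name="First failed login" reliability="2" occurrence="1"
        from="ANY" to="ANY" plugin_id="4003" plugin_sid="1,2">
    <rules>
      <rule type="detector" name="5 more failures, same source and target"
            reliability="+3" occurrence="5" time_out="60"
            from="1:SRC_IP" to="1:DST_IP" plugin_id="4003" plugin_sid="1,2"/>
    </rules>
  </rule>
</directive>"""

def _matches(rule, ev, parent=None):
    """Does event `ev` satisfy `rule`? Values of the form 1:SRC_IP / 1:DST_IP refer to
    the event that matched the first (parent) rule of this directive instance."""
    if int(rule.get("plugin_id")) != ev["plugin_id"]:
        return False
    sids = rule.get("plugin_sid")
    if sids != "ANY" and ev["plugin_sid"] not in {int(s) for s in sids.split(",")}:
        return False
    for attr, field in (("from", "src_ip"), ("to", "dst_ip")):
        want = rule.get(attr, "ANY")
        if want == "ANY":
            continue
        if want == "1:SRC_IP":
            want = parent["src_ip"]
        elif want == "1:DST_IP":
            want = parent["dst_ip"]
        if ev[field] != want:
            return False
    return True

class DirectiveQuery:
    """Stateful correlation operator compiled from the directive: the parent rule opens
    an instance; the child rule counts `occurrence` matching events within `time_out`
    seconds of the instance start; then an alarm is emitted and the instance closes."""
    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.parent = root.find("rule")
        self.child = self.parent.find("rules/rule")
        self.occurrence = int(self.child.get("occurrence"))
        self.time_out = int(self.child.get("time_out"))
        self.instances = []            # open instances: {"first": ev, "hits": n}

    def process(self, ev):
        alarms = []
        # 1. expire instances whose window ran out (time_out counted from the first event)
        self.instances = [i for i in self.instances
                          if ev["ts"] - i["first"]["ts"] <= self.time_out]
        # 2. the event advances the first open instance it matches and is consumed by it
        for inst in self.instances:
            if _matches(self.child, ev, inst["first"]):
                inst["hits"] += 1
                if inst["hits"] >= self.occurrence:
                    alarms.append({"directive": self.name, "src_ip": inst["first"]["src_ip"],
                                   "dst_ip": inst["first"]["dst_ip"], "ts": ev["ts"]})
                    self.instances.remove(inst)
                return alarms
        # 3. otherwise it may open a new instance through the parent rule
        if _matches(self.parent, ev):
            self.instances.append({"first": ev, "hits": 0})
        return alarms

def sample_events():
    """Constructed failed-login events (ts in seconds); not real sensor output."""
    def fail(ts, src):
        return {"ts": ts, "plugin_id": 4003, "plugin_sid": 1,
                "src_ip": src, "dst_ip": "192.168.1.10"}
    return [fail(0, "10.0.0.5"), fail(1, "10.0.0.6"), fail(5, "10.0.0.5"),
            fail(10, "10.0.0.5"), fail(15, "10.0.0.5"), fail(20, "10.0.0.5"),
            fail(25, "10.0.0.5"), fail(100, "10.0.0.6")]

def run_directive(events=None):
    """Feed the stream through the compiled query; return alarms and open instances."""
    query = DirectiveQuery(DIRECTIVE)
    alarms = []
    for ev in (events if events is not None else sample_events()):
        alarms.extend(query.process(ev))
    return alarms, len(query.instances)

if __name__ == "__main__":
    print(run_directive())
```

The analyst keeps writing the directive; what the engine actually runs is the windowed, keyed state machine in `DirectiveQuery`, whose state is naturally partitioned by the back-referenced fields (here `src_ip`, `dst_ip`).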

Parallelization of CEP Queries

Elasticity and Load Balancing Elasticity: the system scales the number of nodes up and down to match the current workload, avoiding over-provisioning and preventing under-provisioning. Dynamic load balancing: the system continuously balances the load among nodes. Non-intrusive online reconfiguration: the system reconfigures itself without disrupting ongoing processing and while keeping throughput at its maximum.
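The following added example shows the two ideas behind the parallelization and elasticity slides on a small scale: a stateful per-key operator split over several instances by hash partitioning, a reconfiguration that changes the instance count while events keep flowing and migrates the state of re-homed keys, and a toy provisioning rule. The hash function, the migration procedure and the provisioning thresholds are assumptions made for this illustration; they are not MASSIF's protocols or code.

```python
"""Key-partitioned parallel execution of a stateful CEP operator plus elastic
reconfiguration. Added illustration; not MASSIF's protocol or code."""
import hashlib
import math
from collections import Counter

def owner(key, n_instances):
    """Deterministic key -> instance routing (hash partitioning on the operator key).
    SHA-256 is used only so results are stable across runs; any good hash would do."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_instances

class ParallelCounter:
    """'Events per key' (e.g. per SrcIP) split over n instances; each instance holds
    state only for the keys routed to it, so throughput grows with n."""
    def __init__(self, n_instances):
        self.instances = [Counter() for _ in range(n_instances)]

    def process(self, key):
        self.instances[owner(key, len(self.instances))][key] += 1

    def reconfigure(self, n_instances):
        """Scale out or in. State for every key whose owner changes is moved to the
        new owner before routing switches, so no count is lost or duplicated.
        Returns the number of keys that changed owner."""
        new = [Counter() for _ in range(n_instances)]
        moved = 0
        for old_idx, inst in enumerate(self.instances):
            for key, count in inst.items():
                new_idx = owner(key, n_instances)
                new[new_idx][key] += count
                moved += new_idx != old_idx
        self.instances = new
        return moved

    def loads(self):
        """Events absorbed per instance; what a load balancer would watch."""
        return [sum(c.values()) for c in self.instances]

    def result(self):
        """Semantic transparency: the union of partial states equals the centralized answer."""
        total = Counter()
        for inst in self.instances:
            total.update(inst)
        return total

def plan_instances(events_per_sec, capacity_per_node, current, target_util=0.8):
    """Toy elastic provisioner. Scale out as soon as the load exceeds capacity; scale in
    only to a size that still leaves headroom (target_util), so the two thresholds
    differ and the cluster does not oscillate."""
    needed = max(1, math.ceil(events_per_sec / capacity_per_node))
    if needed > current:                      # under-provisioned: grow to what the load needs
        return needed
    relaxed = max(1, math.ceil(events_per_sec / (capacity_per_node * target_util)))
    return min(current, relaxed)              # over-provisioned: shrink, never grow here

def demo():
    """Constructed stream: 300 events over 7 SrcIPs with a scale-out mid-stream.
    Returns (same result as single-node?, instance count, events processed)."""
    keys = [f"10.0.0.{i % 7}" for i in range(300)]
    parallel, reference = ParallelCounter(2), Counter()
    for i, k in enumerate(keys):
        if i == 150:
            parallel.reconfigure(4)           # scale out while events keep flowing
        parallel.process(k)
        reference[k] += 1
    return parallel.result() == reference, len(parallel.loads()), sum(parallel.loads())

if __name__ == "__main__":
    print(demo())
    print(plan_instances(2_500_000, 50_000, 2), plan_instances(100_000, 50_000, 50))
```

A real engine also has to stop routing to the old owner, drain in-flight events and move window state atomically; the point of the example is only that partitioning by the operator key makes such migration local to the keys that change owner.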

Elastic Management

Other Security Application of the Scalable and Elastic CEP Technology Application to detection and mitigation of distributed denial of service (DDoS) attacks. The scalable, parallel CEP technology makes it possible to characterize the traffic from legitimate clients online. During a DDoS attack the characterization of the traffic changes significantly. Thanks to the elasticity of the CEP technology, the engine can follow the attack volume and perform informed filtering of the incoming traffic based on the characterization of legitimate traffic.
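One way to realize the detect-then-filter loop described on this slide, as an added example: a profile of legitimate traffic is learned online from windows where no attack is in progress, each new window is characterized against it, and during an attack only packets that fit the profile are admitted. The profile used (previously seen sources and the normal peak per-source rate), the detection thresholds and the traffic are all constructed assumptions for the illustration, not MASSIF's detection method.

```python
"""Online characterization of legitimate traffic and profile-based filtering during a
DDoS. Added illustration with constructed traffic and assumed thresholds."""
from collections import Counter

class LegitimateTrafficProfile:
    def __init__(self):
        self.known_sources = set()      # sources seen while no attack was in progress
        self.window_totals = []         # packets per window under normal conditions
        self.peak_src_rate = 0          # highest packets/window from one source, normal

    def characterize(self, window):
        """Per-window statistics that shift sharply when a DDoS starts."""
        per_src = Counter(p["src"] for p in window)
        new = sum(1 for s in per_src if s not in self.known_sources)
        return {"total": sum(per_src.values()),
                "sources": len(per_src),
                "new_source_ratio": new / len(per_src) if per_src else 0.0,
                "max_src_rate": max(per_src.values(), default=0)}

    def learn(self, window):
        """Fold a window believed to be legitimate into the profile."""
        per_src = Counter(p["src"] for p in window)
        self.known_sources.update(per_src)
        self.window_totals.append(sum(per_src.values()))
        self.peak_src_rate = max(self.peak_src_rate, max(per_src.values(), default=0))

    def is_attack(self, stats, volume_factor=3.0, new_source_ratio=0.5):
        """Assumed detection rule: volume far above any normal window AND mostly unseen
        sources. The first window is always used for learning (no baseline yet)."""
        if not self.window_totals:
            return False
        return (stats["total"] > volume_factor * max(self.window_totals)
                and stats["new_source_ratio"] > new_source_ratio)

    def filter(self, window):
        """Informed filtering: admit only packets that fit the legitimate profile
        (known source, per-source rate within twice the normal peak); drop the rest."""
        admitted, dropped, per_src = [], 0, Counter()
        ceiling = 2 * self.peak_src_rate
        for p in window:
            per_src[p["src"]] += 1
            if p["src"] in self.known_sources and per_src[p["src"]] <= ceiling:
                admitted.append(p)
            else:
                dropped += 1
        return admitted, dropped

def process_windows(windows):
    """Run window by window: learn from normal windows, filter attack windows.
    Returns (verdict, admitted packets, dropped packets) per window."""
    profile, report = LegitimateTrafficProfile(), []
    for window in windows:
        stats = profile.characterize(window)
        if profile.is_attack(stats):
            admitted, dropped = profile.filter(window)
            report.append(("attack", len(admitted), dropped))
        else:
            profile.learn(window)
            report.append(("normal", len(window), 0))
    return report

def make_window(clients, per_client, bots=0, per_bot=0):
    """Constructed traffic: packets from `clients`, optionally plus `bots` unseen sources."""
    pkts = [{"src": c} for c in clients for _ in range(per_client)]
    pkts += [{"src": f"198.51.100.{i}"} for i in range(1, bots + 1) for _ in range(per_bot)]
    return pkts

CLIENTS = [f"192.0.2.{i}" for i in range(1, 6)]
# Three normal windows, one attack window (150 bots; client 1 also bursts to 20 packets,
# which the per-source ceiling trims), then traffic returns to normal.
SAMPLE_WINDOWS = ([make_window(CLIENTS, 3)] * 3
                  + [make_window(CLIENTS, 3, bots=150, per_bot=4) + [{"src": "192.0.2.1"}] * 17]
                  + [make_window(CLIENTS, 3)])

if __name__ == "__main__":
    for verdict in process_windows(SAMPLE_WINDOWS):
        print(verdict)
```

Two caveats a practitioner would add: bots that spoof previously seen client addresses defeat a profile based only on source identity, which is why the per-source rate ceiling is there, and the attack windows must not be folded back into the profile, otherwise the bots become "legitimate" on the next window.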

Conclusions MASSIF is developing the next wave of SIEM technology. One of its main innovations lies in the scalable and elastic CEP technology used for the event correlation engine. This security support is especially interesting for cloud platforms, which are scalable and elastic and require scalable and elastic security as well. The same CEP technology is also being applied to other security applications, such as the mitigation of DDoS attacks.