A Comprehensive Architecture for Correlation Analysis to Improve the Performance of Security Operation Center
Abstract
With the growing popularity of information systems, there has been an increase in the number and variety of threats. A Security Operations Center (SOC) is a central unit that monitors and controls the organization's traffic. The main function of the SOC is to provide effective event detection by collecting log file information from different network devices (i.e. firewall, IDS, router etc.). Correlation analysis is the core and central part of the SOC: it correlates the security events reported by more than one network security device. In this paper, we propose a comprehensive architecture for correlation analysis that minimizes the processing time of log files and gives an effective way to implement a mathematical model for correlation using a Venn diagram approach.
Keywords: SEC ⋅ SOC ⋅ Event correlation
D. Ambawade (✉) Department of Electronics & Telecommunication, Sardar Patel Institute of Technology, Mumbai 400058, India e-mail: [email protected]
P.M. Kedar Department of Computer Engineering, Sardar Patel Institute of Technology, Mumbai 400058, India e-mail: [email protected]
J.W. Bakal Department of Computer Engineering, Shivajirao S. Jondhale College of Engineering, Mumbai 421204, India e-mail: [email protected]
© Springer Nature Singapore Pte Ltd. 2017 H.S. Saini et al. (eds.), Innovations in Computer Science and Engineering, Lecture Notes in Networks and Systems 8, DOI 10.1007/978-981-10-3818-1_23
1 Introduction
With increasing Internet connectivity and popularity, there is an increase in malicious attacks of many different types within a very short time. Hence, to protect our systems from these attacks we deploy various network security devices (such as IDS, firewall, router, reverse proxy server etc.). Each device has its own limitations, and because of the communication gap between these network devices the effectiveness of intrusion detection degrades. To overcome this problem, the concept of the Security Operation Center comes into the picture. The SOC is a centralized security infrastructure that collects log files and event information from different security devices and generates a common alarm for a given malicious security event [1]. The correlation engine is the core part of the SOC; it looks for correlation between the events of all these security devices. Logically, however, every device has its own log files and its own rules for a given security attack, and it generates an alarm or report according to that rule [2]. Hence each network device generates a report and alarm for the same packet, which increases the total number of reports and alarms and degrades the performance of the overall correlation engine and the SOC. The paper begins with a study of related work on the Security Operation Center and the current mathematical model for correlation analysis [3]. In this paper, we propose a comprehensive model for correlation analysis that collects log files, normalizes log files and then with th
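The problem described above, several devices each raising their own alarm for the same packet, is illustrated by the following added example. It is not code from the paper and does not implement the authors' model; it assumes a simple set-based reading of the Venn diagram idea: every device's log lines are normalized into a common event tuple (source, destination, destination port), each device then contributes one set, and the regions of the Venn diagram (events seen by the firewall only, by the IDS and router only, by all three, and so on) fall out of set membership. One correlated alarm is raised per unique event, annotated with how many devices reported it. The log formats and lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for three device types (formats invented for this example).
FIREWALL_LOGS = [
    "2024-01-01T10:00:01 fw DROP src=10.0.0.5 dst=192.168.1.10 dport=22",
    "2024-01-01T10:00:02 fw DROP src=10.0.0.5 dst=192.168.1.10 dport=23",
    "2024-01-01T10:00:03 fw ACCEPT src=10.0.0.7 dst=192.168.1.20 dport=80",
]
IDS_LOGS = [
    "2024-01-01T10:00:01 ids ALERT ssh-scan 10.0.0.5:4444 -> 192.168.1.10:22",
    "2024-01-01T10:00:05 ids ALERT sqli 10.0.0.9:5555 -> 192.168.1.30:443",
]
ROUTER_LOGS = [
    "2024-01-01T10:00:01 rtr ACL-DENY 10.0.0.5 192.168.1.10 22",
    "2024-01-01T10:00:05 rtr ACL-DENY 10.0.0.9 192.168.1.30 443",
]


@dataclass(frozen=True)
class Event:
    """Common normalized event: hashable so it can be a set member."""
    src: str
    dst: str
    dport: int


# One extraction pattern per device format; only alarm-worthy lines match
# (the firewall ACCEPT line is deliberately excluded by requiring DROP).
FW_RE = re.compile(r"DROP src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r"ALERT \S+ (\S+):\d+ -> (\S+):(\d+)")
RTR_RE = re.compile(r"ACL-DENY (\S+) (\S+) (\d+)")


def normalize(lines, pattern):
    """Map one device's raw log lines to a set of common-format Events."""
    events = set()
    for line in lines:
        m = pattern.search(line)
        if m:
            events.add(Event(m.group(1), m.group(2), int(m.group(3))))
    return events


def build_sets():
    """Normalize every device feed; each device becomes one set (one Venn circle)."""
    return {
        "firewall": normalize(FIREWALL_LOGS, FW_RE),
        "ids": normalize(IDS_LOGS, IDS_RE),
        "router": normalize(ROUTER_LOGS, RTR_RE),
    }


def raw_alarm_count(device_sets):
    """Alarms the SOC would receive without correlation: one per device per event."""
    return sum(len(s) for s in device_sets.values())


def venn_regions(device_sets):
    """Group events by the exact set of devices that reported them.

    The key is a frozenset of device names, i.e. one region of the Venn diagram;
    the value is the set of events lying in that region.
    """
    regions = {}
    all_events = set().union(*device_sets.values())
    for ev in all_events:
        reporters = frozenset(name for name, s in device_sets.items() if ev in s)
        regions.setdefault(reporters, set()).add(ev)
    return regions


def correlate(device_sets):
    """Collapse per-device alarms into one alarm per unique event.

    Returns (event, reporter_count, reporters) tuples, highest agreement first,
    so events confirmed by several devices surface at the top of the queue.
    """
    alarms = []
    for reporters, events in venn_regions(device_sets).items():
        for ev in events:
            alarms.append((ev, len(reporters), tuple(sorted(reporters))))
    return sorted(alarms, key=lambda a: (-a[1], a[0].src, a[0].dport))


if __name__ == "__main__":
    sets = build_sets()
    print("raw alarms:", raw_alarm_count(sets))
    for ev, n, who in correlate(sets):
        print(f"{ev.src} -> {ev.dst}:{ev.dport}  reported by {n} device(s): {who}")
```

On the constructed input the three devices emit six alarms between them, but only three distinct events exist: the SSH probe is in the region shared by all three circles, the port 443 event in the IDS-and-router region, and the port 23 drop in the firewall-only region. Ordering by reporter count is the point of the exercise: an event that several independent devices agree on deserves attention before one that only a single device flagged.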