Enhancing Security Event Management Systems with Unsupervised Anomaly Detection

Markus Goldstein, Stefan Asanger, Matthias Reif, Andrew Hutchinson
Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods, Pages 530-538, Barcelona, Spain, SciTePress, INSTICC, 2/2013

Abstract:

Security Information and Event Management (SIEM) systems are today a key component of complex enterprise networks. They usually aggregate and correlate events from different machines and perform a rule-based analysis to detect threats. In this paper we present an enhancement of such systems which makes use of unsupervised anomaly detection algorithms, without the need for any prior training of the system. For data acquisition, events are exported from an existing SIEM appliance, parsed, unified and preprocessed to fit the requirements of unsupervised anomaly detection algorithms. Six different algorithms were evaluated qualitatively, and finally a global k-NN approach was selected for a practical deployment. The new system was able to detect misconfigurations and gave the security operation center team more insight into processes in the network.
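The pipeline the abstract sketches (unify exported events, encode them as feature vectors, score each event by a global k-NN anomaly measure, hand the top-ranked events to the SOC) can be illustrated with a small worked example. The code below is an added illustration, not the authors' implementation or the one deployed in the paper: the sample events are constructed, the preprocessing (one-hot encoding of categorical fields, min-max scaling of numeric fields) and the score definition (mean Euclidean distance to the k nearest other events) are common choices assumed here, not necessarily the exact variants the paper used.

```python
"""Global k-NN anomaly scoring over unified SIEM events (added illustration)."""
from math import sqrt

# Constructed sample of already parsed and unified SIEM events (not real data).
# Ten routine business-hours logins plus one event from a device and protocol
# that do not otherwise appear, the kind of misconfiguration an analyst wants surfaced.
EVENTS = [
    {"id": 1,  "src_host": "ws01",      "event_type": "login_success", "dst_port": 443, "bytes": 1200, "hour": 9},
    {"id": 2,  "src_host": "ws02",      "event_type": "login_success", "dst_port": 443, "bytes": 1150, "hour": 10},
    {"id": 3,  "src_host": "ws03",      "event_type": "login_success", "dst_port": 443, "bytes": 1300, "hour": 11},
    {"id": 4,  "src_host": "ws01",      "event_type": "login_success", "dst_port": 443, "bytes": 1250, "hour": 13},
    {"id": 5,  "src_host": "ws02",      "event_type": "login_success", "dst_port": 443, "bytes": 1000, "hour": 14},
    {"id": 6,  "src_host": "ws03",      "event_type": "login_success", "dst_port": 443, "bytes": 1400, "hour": 15},
    {"id": 7,  "src_host": "ws01",      "event_type": "login_success", "dst_port": 443, "bytes": 1100, "hour": 16},
    {"id": 8,  "src_host": "ws02",      "event_type": "login_success", "dst_port": 443, "bytes": 1350, "hour": 9},
    {"id": 9,  "src_host": "ws03",      "event_type": "login_success", "dst_port": 443, "bytes": 1050, "hour": 12},
    {"id": 10, "src_host": "ws01",      "event_type": "login_success", "dst_port": 443, "bytes": 1200, "hour": 10},
    {"id": 11, "src_host": "printer01", "event_type": "login_failure", "dst_port": 23,  "bytes": 50,   "hour": 3},
]

CATEGORICAL = ("src_host", "event_type")
NUMERIC = ("dst_port", "bytes", "hour")


def build_vectors(events):
    """Turn unified events into numeric vectors: one-hot for categorical fields,
    min-max scaling for numeric fields, so every dimension lies in [0, 1] and
    Euclidean distance is not dominated by raw byte counts or port numbers."""
    categories = {f: sorted({e[f] for e in events}) for f in CATEGORICAL}
    ranges = {f: (min(e[f] for e in events), max(e[f] for e in events)) for f in NUMERIC}
    vectors = []
    for e in events:
        v = []
        for f in CATEGORICAL:
            v.extend(1.0 if e[f] == c else 0.0 for c in categories[f])
        for f in NUMERIC:
            lo, hi = ranges[f]
            v.append(0.0 if hi == lo else (e[f] - lo) / (hi - lo))
        vectors.append(v)
    return vectors


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def global_knn_scores(vectors, k=3):
    """Global k-NN anomaly score: mean distance to the k nearest *other* points.
    No training phase is needed; the data set itself is the reference.
    Assumption: this is the usual global k-NN formulation, not necessarily the
    exact variant chosen in the paper."""
    scores = []
    for i, v in enumerate(vectors):
        dists = sorted(euclid(v, w) for j, w in enumerate(vectors) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def rank_events(events, k=3):
    """Return (event id, score) pairs, most anomalous first, for analyst review."""
    scores = global_knn_scores(build_vectors(events), k)
    ranked = sorted(zip(scores, events), key=lambda t: t[0], reverse=True)
    return [(e["id"], round(s, 3)) for s, e in ranked]


if __name__ == "__main__":
    for event_id, score in rank_events(EVENTS):
        print(f"event {event_id:>2}  score {score:.3f}")
```

Because the score is relative to the rest of the export, a field that is constant across the batch (here `dst_port` for all but one event) contributes nothing to the distances between routine events and a full unit to the outlier, which is exactly the behaviour that makes a one-off misconfigured device stand out without any labelled training data. In practice the `k` value and the feature set are the main tuning knobs an operations team would adjust against the volume and field mix of their own SIEM export.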

Files:

  SIEM_Anomaly_Detection-Goldstein.pdf

BibTeX:

@inproceedings{ GOLD2013,
	Title = {Enhancing Security Event Management Systems with Unsupervised Anomaly Detection},
	Author = {Markus Goldstein and Stefan Asanger and Matthias Reif and Andrew Hutchinson},
	BookTitle = {Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods},
	Month = {2},
	Year = {2013},
	Publisher = {SciTePress},
	Pages = {530-538},
	Organization = {INSTICC}
}

Last modified: 30.08.2016