Security Alert Management System for Internet Data Center Based on ISO/IEC 27001 Ontology

Terry M. F. Tsang, Thomas M. W. Yeung (HK Baptist University)
Dickson K. W. Chiu, Senior Member, IEEE (Dickson Computer Systems, Hong Kong)
Haiyang Hu, Hua Hu (Hangzhou Dianzi University, China)
Yi Zhuang (Zhejiang Gongshang University, China)

   - Internet Data Centers (IDC) emerge as a major network service platform
   - Intrusion Detection Systems (IDS) as a security
   - Problem: a large number of low-level alerts, lacking classification, generated from a large amount of artifacts
   - Security Alert Management System (SAMS)
       - Alert aggregation
       - Ontology based on ISO/IEC 27001 requirements
       - Provides a consolidated view of security incidents
       - Different urgency classifications via an AMS
       - Alerts handled effectively in a timely manner

SAMS                                                           ICEBE 2010- 2
   ISO/IEC 2700x family of standards

   SAMS Architecture (figure)
   Clients: Users and IDC Staff on Desktop, Laptop and PDA, connecting over the Internet through Web / WAP Access.
   Web services layer: Web Portal, XSLT Processor, Style Sheets, Web Service Server, Security Management Application Logics.
   Security Alert Management System (SAMS): IDS 1, IDS 2 ... IDS n, IDMEF Encoder, Alert Input, Triggered Action, DB / KB / Ontology.
   Alert Management System (AMS): Incoming Alert Monitor, Alert Aggregation, Process Alert, Role Matching, Urgencies Strategy Definition, Agent Monitor, Outgoing Alert Monitor.
   Intrusion Detection Message Exchange Format (IDMEF)
   Overview of ISO/IEC 27001 ontology

   Application of the ontology

   Alert Handling: Risk of Exposure (RoE) example

   Advantages of Using Ontology

   Aspect             Traditional CMS                                   Contributions of Ontology
   -----------------  ------------------------------------------------  ------------------------------------------------
   Match-making       Match-making often ineffective because of rigid   Shared and agreed ontology provides common,
                      definition of contents (e.g., categories)         flexible, and extensible definitions of
                      predefined by service providers                   multimedia contents for match-making and
                                                                        subsequent business processes
                      Difficult to specify unclear types of multimedia  Complicated use requirements can be decomposed
                      content out of predefined categories              into simple genres for elicitation of
   Recommendation     Often only possible within the same category      Ontology helps elicit alternatives for
                                                                        recommendation
                      Pre-defined formulae for every type of            Ontology helps recommendation by evaluating
                      multimedia contents are needed for                offers in terms of flexible overall scaling
   Business analysis  Simple data mining: mainly depends on viewership  Ontology helps analyze the viewership of related
                      of single channel / program                       channels and programs to achieve a better
                                                                        marketing strategy (Segmentation of contents and

   Example security alerts and handling

   Alert                              Urgency Level   Action                                Handler                    Alert Type (*)   Affected Object
   ---------------------------------  --------------  ------------------------------------  -------------------------  ---------------  ----------------
   DoS Attack                         Very Critical   Trigger affected site and isolate it  Iistracer, Manager         S, R             Network
   Mass Admin login attempts          Critical        Trigger source IP and block it        Eventlog, Supervisor       S                Server
   Mass User login attempts                           Trigger source IP and block it        Log Tracer                 S                Site/Application
   HTTP status 500 of site                            Notify Clients                        Alert Mailer               R                Site/Application
   Application pool terminated        Urgent          Restart Application Pool              Script, Admin.             R                Site/Application
   Failure of Service Telnet          Very Urgent     Restart the corresponding service     Script, Sr Admin.          R                Site/Application
   Ping large response time or        Critical                                              Network Tracer, Sr Admin   R                Server
   Slow response of performance test  Urgent          Check parameters of PA Monitor        PA Monitor, Sr Admin       R                Server

   (*) S = security, R = Reliability

   Urgency Strategy Table

   Urgency Level   Action
   -------------   ------
   Normal          Default: notify the selected agent
   Urgent          Submit a second alert to the same agent, notifying about the approaching deadline
   Very Urgent     Redirect the alert to another agent that has the best response time
   Critical        Send the alert to several agents and accept the results of the one that responds first; notify an administrator
   Very Critical   Role Substitution: send to all staff with a superset of roles

$$
U_{002}(t) =
\begin{cases}
\text{Urgent}        & t \le T \ (\text{default}) \\
\text{Very Urgent}   & T < t \le T + dt_1 \\
\text{Critical}      & T + dt_1 < t \le T + dt_1 + dt_2 \\
\text{Very Critical} & T + dt_1 + dt_2 < t \le T + dt_1 + dt_2 + dt_3
\end{cases}
$$
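The escalation logic of the urgency strategy table and the time-based urgency function U(t) above, as an added example in Python (not code from the SAMS project or from the slides' authors): an EscalationPolicy holds the deadline T and the windows dt1, dt2, dt3, urgency_at() evaluates U(t) for an alert that is still unhandled after t seconds, and escalation_schedule() lists when the AMS would move a given alert up a level and which strategy then applies. The class and function names, the encoding of the four-row ALERT_TABLE excerpt and the timing values are assumptions made here; the initial urgencies and actions in that excerpt are taken from the example alert table on the slides.

```python
"""Time-based urgency escalation for an Alert Management System (AMS).

Added example (not the SAMS project's code): implements the urgency function
U(t) and the urgency strategy table from the slides, seeded with a few rows
of the example alert table.  Class/function names and timing values are
assumptions made for this example.
"""
from bisect import bisect_left
from dataclasses import dataclass
from enum import IntEnum


class Urgency(IntEnum):
    NORMAL = 0
    URGENT = 1
    VERY_URGENT = 2
    CRITICAL = 3
    VERY_CRITICAL = 4


# Urgency strategy table from the slides: what the AMS does at each level.
STRATEGY = {
    Urgency.NORMAL: "notify the selected agent",
    Urgency.URGENT: "submit a second alert to the same agent about the approaching deadline",
    Urgency.VERY_URGENT: "redirect the alert to the agent with the best response time",
    Urgency.CRITICAL: "send to several agents, accept the first response, notify an administrator",
    Urgency.VERY_CRITICAL: "role substitution: send to all staff with a superset of roles",
}

# Excerpt of the example alert table: alert type -> (initial urgency, action).
ALERT_TABLE = {
    "DoS Attack": (Urgency.VERY_CRITICAL, "trigger affected site and isolate it"),
    "Mass Admin login attempts": (Urgency.CRITICAL, "trigger source IP and block it"),
    "Failure of Service Telnet": (Urgency.VERY_URGENT, "restart the corresponding service"),
    "Application pool terminated": (Urgency.URGENT, "restart application pool"),
}


@dataclass(frozen=True)
class EscalationPolicy:
    """Deadline T and escalation windows dt1, dt2, dt3 (all in seconds)."""
    T: float
    dt1: float
    dt2: float
    dt3: float

    def thresholds(self):
        """Level that applies for t strictly after each threshold (U(t) from the slides).

        Beyond T+dt1+dt2+dt3 the slides define nothing; this example keeps the
        alert at Very Critical (an assumption).
        """
        return [
            (0.0, Urgency.URGENT),                                   # 0 <= t <= T
            (self.T, Urgency.VERY_URGENT),                           # T < t <= T+dt1
            (self.T + self.dt1, Urgency.CRITICAL),                   # T+dt1 < t <= T+dt1+dt2
            (self.T + self.dt1 + self.dt2, Urgency.VERY_CRITICAL),   # T+dt1+dt2 < t
        ]

    def urgency_at(self, t: float, initial: Urgency = Urgency.URGENT) -> Urgency:
        """U(t) for an alert still unhandled after t seconds.

        An alert that entered at a higher level never drops below it, so the
        result is the maximum of the time-based level and the initial level.
        """
        if t < 0:
            raise ValueError("elapsed time must be non-negative")
        steps = self.thresholds()
        times = [th for th, _ in steps]
        idx = max(bisect_left(times, t) - 1, 0)   # last threshold strictly below t
        return max(steps[idx][1], initial)


def escalation_schedule(policy: EscalationPolicy, alert_type: str):
    """Return [(t, Urgency, strategy)] for each moment an unhandled alert changes level."""
    initial, _ = ALERT_TABLE[alert_type]
    schedule = []
    for th, level in policy.thresholds():
        level = max(level, initial)
        if not schedule or level != schedule[-1][1]:
            schedule.append((th, level, STRATEGY[level]))
    return schedule


if __name__ == "__main__":
    # Constructed timings: 5 min deadline, then 5, 10 and 15 min windows.
    policy = EscalationPolicy(T=300, dt1=300, dt2=600, dt3=900)
    for alert in ALERT_TABLE:
        print(alert)
        for t, level, action in escalation_schedule(policy, alert):
            print(f"  after {t:>5.0f}s: {level.name:<14} -> {action}")
```

Because the level is the maximum of the time-based U(t) and the alert's initial urgency, a DoS Attack that enters at Very Critical gets the role-substitution strategy immediately and never changes, while an Application pool terminated alert walks through all four levels as its deadline and each window expire.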

   Security Alert Management System (SAMS)
   - Use ISO/IEC 27001 ontology for alert aggregation
   - Alert Management System (AMS) module, through which appropriate IDC staff can be effectively notified for handling security alerts in a timely manner
   - Aims to improve the overall service reliability and quality of an IDC
   - Handling activities and progress are also recorded for performance evaluation and process improvement

   Future Work
   - Performance evaluation and process improvement
   - Better integration of various risk measurement metrics
   - Better prioritizing of the alerts for proper allocation of security management resources
   - Inter-IDC security alert exchange for better prevention of massive intrusion
