Abstract
As cyber-attacks increase in frequency and sophistication, the need for intelligent automated defenses increases, but the quality of the software logs available for this purpose is questionable. To address this problem, this paper proposes a new approach to logging called semantic events. The approach developed out of an empirical, qualitative investigation of a range of logs and existing standards, and is motivated by the desire to normalize events in order to conduct broad cross-log analyses that detect security issues. A key finding is that logs are often hard to understand. An analysis of the causes of this led to the development of a linguistics-inspired event model and a method to interpret and represent logs using a kind of controlled natural language, which is the essence of the semantic events. They are convertible to an ontology that can be loaded into Protégé to perform reasoning and consistency checking. Crucially, they are stored in a knowledge base for re-use across logs to enable broad analyses.
Acknowledgment
This work was made possible by the encouragement and support of highly valued colleagues.
© 2018 Springer International Publishing AG
Cite this paper
Thomas, S.M. (2018). Semantic Events. In: Bi, Y., Kapoor, S., Bhatia, R. (eds) Proceedings of SAI Intelligent Systems Conference (IntelliSys) 2016. IntelliSys 2016. Lecture Notes in Networks and Systems, vol 16. Springer, Cham. https://doi.org/10.1007/978-3-319-56991-8_56
DOI: https://doi.org/10.1007/978-3-319-56991-8_56
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56990-1
Online ISBN: 978-3-319-56991-8