Abstract
Organizations deploy security information and event management (SIEM) systems for centralized management of security events. The real-time security monitoring capability of a SIEM depends on the correlation process, in which event data are matched against security rules. Most SIEM systems use general-purpose languages to define security rules. Creating new rules in such languages requires excellent programming skills in the proprietary language and intimate knowledge of the events. This paper introduces a high-level domain-specific language (HDSL) that simplifies rule creation for the SIEM system. We formally specify the HDSL with an extended Backus–Naur form grammar in ANTLR (ANother Tool for Language Recognition), following the model-driven engineering approach. In our implementation framework, the rules defined in the HDSL are converted into the standard event processing language. For evaluation, the converted security rules are tested on the real-time data security analytics (RDSA) service. The results indicate that the rules are converted accurately and generate alarms when specific attacks are detected. To check the correctness of the HDSL, formal verification is carried out using satisfiability modulo theories and the Z3 solver. The results are evaluated under diverse attack scenarios, which show that the HDSL functions correctly. The HDSL enhances the SIEM correlation capabilities by providing a simpler approach for writing correlation rules.
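As an added illustration of the rule-to-EPL conversion the abstract describes (example code written for this page, not the authors' HDSL or their converter): a toy correlation-rule language with its own small EBNF grammar, a hand-written recursive-descent parser that rejects anything outside the grammar, and an emitter for an Esper event processing language (EPL) statement. The rule syntax, the event and field names, and the Esper 5-era `.win:time` window syntax are all assumptions.

```python
import re
from collections import namedtuple
# Toy correlation-rule language, constructed for this example (NOT the paper's HDSL). EBNF:
#   rule = "alert" STRING "when" IDENT ["where" IDENT CMP (STRING|INT)]
#          "count" CMP INT "within" INT "seconds" ["by" IDENT]
TOKEN = re.compile(r'\s*(?:(\d+)|("[^"]*")|([A-Za-z_]\w*)|(>=|<=|!=|=|>|<))')
CMPS = {">=", "<=", "!=", "=", ">", "<"}
Rule = namedtuple("Rule", "message event cond cmp threshold window key")

def tokenize(text):  # any character outside the grammar is rejected before parsing
    pos, out, text = 0, [], text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError("bad token near %r" % text[pos:pos + 12])
        out.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return out

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i].lower() if self.i < len(self.toks) else None
    def take(self, expect=None):
        if self.peek() is None or (expect and self.peek() != expect):
            raise SyntaxError("expected %s, got %r" % (expect or "more input", self.peek()))
        self.i += 1
        return self.toks[self.i - 1]
    def rule(self):  # recursive-descent parse of one rule; rejects trailing or nonsense input
        self.take("alert"); message = self.take().strip('"')
        self.take("when"); event = self.take(); cond = None
        if self.peek() == "where": self.take(); cond = (self.take(), self.take(), self.take())
        self.take("count"); cmp_ = self.take(); threshold = int(self.take())
        self.take("within"); window = int(self.take()); self.take("seconds"); key = None
        if self.peek() == "by": self.take(); key = self.take()
        if self.peek() is not None or cmp_ not in CMPS or threshold <= 0 or window <= 0:
            raise SyntaxError("trailing input, unknown comparator or non-positive bound")
        return Rule(message, event, cond, cmp_, threshold, window, key)

def to_epl(r):
    # Esper EPL output (Esper 5-era ".win:time" syntax assumed); string values are single-quoted
    # with embedded quotes doubled, so rule text cannot break out of an EPL literal.
    lit = lambda s: "'%s'" % s.replace("'", "''")
    f, op, v = r.cond or ("", "", "")
    flt = "(%s %s %s)" % (f, op, lit(v.strip('"')) if v.startswith('"') else v) if r.cond else ""
    key = ", %s as key" % r.key if r.key else ""
    grp = " group by %s" % r.key if r.key else ""
    return ("insert into Alert select %s as message, count(*) as hits%s from %s%s.win:time(%d sec)%s"
            " having count(*) %s %d" % (lit(r.message), key, r.event, flt, r.window, grp, r.cmp, r.threshold))
```

Calling `to_epl(Parser(text).rule())` on a rule such as `alert "Brute force" when LoginFailed where src_ip != "10.0.0.5" count >= 5 within 60 seconds by user` yields a grouped, time-windowed EPL statement; a zero threshold, an unknown comparator or a stray character is refused at parse time rather than reaching the engine.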
References
Katsaris, D.: Security information and event management systems: benefits and inefficiencies. Master's thesis, University of Piraeus, January 2014
Swift, D.: A practical application of SIM/SEM/SIEM automating threat identification. 23 Dec 2006
Potts, G.: OSSIM user guide: the book of OSSIM (Open Source Software Image Map), document version 1.1, July 10, 2006
OSSEC community. http://www.ossec.net/files/ossec-hids-2.0.tar.gz. Accessed 2015
Prelude community. Prelude documentation. https://dev.prelude-ids.com/. Accessed 2015
OpenNMS Group and the Order of the Green Polo. Opennms website. http://www.opennms.org. Accessed 2015
Drools community. Drools website. http://www.jboss.org/drools/. Accessed 2015
Boley, H., Tabet, S., Wagner, G.: Design rationale for ruleML: a markup language for semantic web rules. In: SWWS, vol. 1, pp. 381–401 (2001)
Di Sarno, C., Formicola, V., Sicuranza, M., Paragliola, G.: Addressing security issues of electronic health record systems through enhanced SIEM technology. In: Eighth International Conference on Availability, Reliability and Security (ARES), IEEE, pp. 646–653 (2013)
Sandoval, R.: The effects of SIEM technology in monitoring employee computer use, information technology security (ITSec) (2014)
Kotenko, I., Chechulin, A.: Common framework for attack modeling and security evaluation in SIEM systems. In: 2012 IEEE International Conference on Green Computing and Communications (GreenCom), IEEE (2012)
Vianello, V., et al.: A scalable SIEM correlation engine and its application to the Olympic Games IT infrastructure. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), IEEE (2013)
Cheng, F., et al.: Security event correlation supported by multi-core architecture. In: International Conference on IT Convergence and Security (ICITCS), IEEE (2013)
Montesino, R., Fenz, S., Baluja, W.: SIEM-based framework for security controls automation. Inf. Manag. Comput. Secur. 20(4), 248–263 (2012)
Patel, V.: A practical solution to improve cyber security on a global scale. In: Third Worldwide Cybersecurity Summit (WCS), IEEE (2012)
Azodi, A., et al.: A new approach to building a multi-tier direct access knowledgebase for IDS/SIEM systems. In: IEEE 11th International Conference on Dependable, Autonomic and Secure Computing (DASC), IEEE (2013)
Hansen, S.E., Atkins, E.T.: Automated system monitoring and notification with swatch. LISA 93, 145–152 (1993)
Thompson, K.: An introduction to logsurfer. SysAdmin magazine. http://www.crypt.gen.nz/papers/logsurfer.html (2004)
Simple-evcorr.sourceforge.net: SEC, open source and platform independent event correlation tool. http://simple-evcorr.sourceforge.net/ (2015). Accessed 2015
Espertech.com: EsperTech Esper. http://www.espertech.com/esper/index_redirected.php (2015). Accessed 2015
Prieto, E., et al.: MASSIF: a promising solution to enhance olympic games IT security. Global Security, Safety and Sustainability & e-Democracy. Springer, Berlin, pp. 139–147 (2012)
Anicic, D., et al.: A rule-based language for complex event processing and reasoning. In: Web Reasoning and Rule Systems, pp. 42–57. Springer, Berlin (2010)
Anicic, D., et al.: EP-SPARQL: a unified language for event processing and stream reasoning. In: Proceedings of the 20th International Conference on World Wide Web. ACM (2011)
Saleem, M., Jaafar, J., Hassan, M.: A domain-specific language for modelling security objectives in a business process models of SOA applications. In: AISS, vol. 4.1, pp. 353–362
Atkins, D., Ball, T., Bruns, G., Cox, K.: Mawl: a domain-specific language for form-based services. IEEE Trans. Softw. Eng. 25(3), 334–346 (1999)
Websec.ca, Panoptic—a tool to exploit path traversal vulnerabilities. http://websec.ca/blog/view/panoptic (2015). Accessed 2015
Bharadwaj, R.: SOLj: a domain-specific language (DSL) for secure service-based systems. In: Proceedings of the 11th IEEE International Workshop on Future Trends of Distributed Computing Systems (FTDCS’07), vol. 4, pp. 0-7695-2810 (2007)
Kotenko, I., Polubelova, O., Saenko, I.: The ontological approach for SIEM data repository implementation. In: IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing (2012)
Nrl.sourceforge.net, NRL: The Natural Rule Language. http://nrl.sourceforge.net/ (2015). Accessed 31 May 2015
Malik, S.U.R., Khan, S.U.: Formal methods in LARGE-SCALE computing systems. ITNOW 55(2), 52–53 (2013)
Malik, S.U.R., Khan, S.U., Srinivasan, S.K.: Modeling and analysis of state of-the-art VM-based cloud management platforms. IEEE Trans. Cloud Comput. 1(1), 1 (2013)
SMT-Lib. http://smt-lib.org/. Accessed 2015
Barrett, C.: The SMT-LIB standard, version 2.0 (release 9 Sept 2012)
Jee, C.: Top 10 software failures of 2014, Computerworld UK, 2015. http://www.computerworlduk.com/galleries/infrastructure/top-10-software-failures-2014-3599528/. Accessed 2015
de Moura, L.: Z3: an efficient SMT solver. In: Proc. Theory and Practice of Software, 14th Intl Conf. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 08) (2008)
Triam, R.D.S.A. https://demo.triam.com.pk/index.php/module/user/security/login. Accessed 2015
Parr, T.: The Definitive ANTLR Reference. Pragmatic Bookshelf, Raleigh (2007)
Karlsch, M.: A model driven framework for domain specific languages demonstrated on a test automation language. Master's thesis, March 2007
Kleppe, A., Warmer, J., Bast, W.: MDA Explained. The Model Driven Architecture: Practice and Promise. Addison-Wesley, Boston (2003)
Bentley, J.L., McIlroy, M.D.: Engineering a sort function. Software 23(11), 1249 (1993)
Jones, C.: Programming languages table, release 8.2, Software Productivity Research, Burlington (1996)
Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Comput. Surv. 37(4), 316–344 (2005)
Prieto-Diaz, R.: Domain analysis: an introduction. SIGSOFT Softw. Eng. Notes 15(2), 47–54 (1990)
Eclipse Foundation, Eclipse.org, 2015. https://eclipse.org/. Accessed 2015
ASERG. www.aserg.com.pk. Accessed 2015
Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded model checking. In: Advances in Computers, vol. 58, pp. 118–149. Academic Press, London (2003)
Z3. https://github.com/z3prover/z3/wiki/Documentation. Accessed 2015
Barrett, C.: Satisfiability modulo theories. In: Handbook of Satisfiability, vol. 185, pp. 825–885. IOS Press, Amsterdam (2009)
Acknowledgements
This work was made possible by funding provided by ICT R&D under the CDACDEA project. The RDSA service as a SIEM has been launched through the collaboration of Trillium Information Security Systems [36] and the Applied Security Engineering Research Group (ASERG) lab [45] at COMSATS Institute of Information Technology, Islamabad, Pakistan. The authors also extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).
Cite this article
Nazir, A., Alam, M., Malik, S.U.R. et al. A high-level domain-specific language for SIEM (design, development and formal verification). Cluster Comput 20, 2423–2437 (2017). https://doi.org/10.1007/s10586-017-0819-2