
A high-level domain-specific language for SIEM (design, development and formal verification)

Cluster Computing

Abstract

Organizations deploy security information and event management (SIEM) systems for centralized management of security events. The real-time security monitoring capability of a SIEM depends on the correlation process, in which event data are matched against security rules. Most SIEM systems use general-purpose languages to define security rules. Creating new rules in a general-purpose language requires excellent programming skills in the proprietary language and intimate knowledge of the events. This paper introduces a high-level domain-specific language (HDSL) that simplifies rule creation for the SIEM system. We formally specify the HDSL with an extended Backus–Naur form grammar in ANTLR (ANother Tool for Language Recognition), following the model-driven engineering approach. In our implementation framework, rules defined in the HDSL are converted into the standard event processing language (EPL). For evaluation, the converted security rules are tested on the Real-time Data Security Analytics (RDSA) service. The results indicate that the rules are converted accurately and generate alarms when specific attacks are detected. To check the correctness of the HDSL, formal verification is carried out using satisfiability modulo theories (SMT) and the Z3 solver. The results are evaluated under diverse attack scenarios and show that the HDSL functions correctly. The HDSL enhances the SIEM correlation capabilities by providing a straightforward approach to writing correlation rules.


References

  1. Katsaris, D.: Security information and event management systems: benefits and inefficiencies. Master's thesis, University of Piraeus, January 2014

  2. Swift, D.: A practical application of SIM/SEM/SIEM automating threat identification. 23 Dec 2006

  3. Potts, G.: OSSIM user guide: the book of OSSIM (Open Source Software Image Map). Document version 1.1, July 10, 2006

  4. OSSEC community. http://www.ossec.net/files/ossec-hids-2.0.tar.gz. Accessed 2015

  5. Prelude community: Prelude documentation. https://dev.prelude-ids.com/. Accessed 2015

  6. OpenNMS Group and the Order of the Green Polo: OpenNMS website. http://www.opennms.org. Accessed 2015

  7. Drools community: Drools website. http://www.jboss.org/drools/. Accessed 2015

  8. Boley, H., Tabet, S., Wagner, G.: Design rationale for RuleML: a markup language for semantic web rules. In: SWWS, vol. 1, pp. 381–401 (2001)

  9. Di Sarno, C., Formicola, V., Sicuranza, M., Paragliola, G.: Addressing security issues of electronic health record systems through enhanced SIEM technology. In: Eighth International Conference on Availability, Reliability and Security (ARES), IEEE, pp. 646–653 (2013)

  10. Sandoval, R.: The effects of SIEM technology in monitoring employee computer use. Information Technology Security (ITSec) (2014)

  11. Kotenko, I., Chechulin, A.: Common framework for attack modeling and security evaluation in SIEM systems. In: 2012 IEEE International Conference on Green Computing and Communications (GreenCom), IEEE (2012)

  12. Vianello, V., et al.: A scalable SIEM correlation engine and its application to the Olympic Games IT infrastructure. In: 2013 Eighth International Conference on Availability, Reliability and Security (ARES), IEEE (2013)

  13. Cheng, F., et al.: Security event correlation supported by multi-core architecture. In: International Conference on IT Convergence and Security (ICITCS), IEEE (2013)

  14. Montesino, R., Fenz, S., Baluja, W.: SIEM-based framework for security controls automation. Inf. Manag. Comput. Secur. 20(4), 248–263 (2012)

  15. Patel, V.: A practical solution to improve cyber security on a global scale. In: Third Worldwide Cybersecurity Summit (WCS), IEEE (2012)

  16. Azodi, A., et al.: A new approach to building a multi-tier direct access knowledgebase for IDS/SIEM systems. In: IEEE 11th International Conference on Dependable, Autonomic and Secure Computing (DASC), IEEE (2013)

  17. Hansen, S.E., Atkins, E.T.: Automated system monitoring and notification with swatch. In: LISA 93, pp. 145–152 (1993)

  18. Thompson, K.: An introduction to logsurfer. SysAdmin magazine. http://www.crypt.gen.nz/papers/logsurfer.html (2004)

  19. Simple-evcorr.sourceforge.net: SEC—open source and platform independent event correlation tool. http://simple-evcorr.sourceforge.net/ (2015). Accessed 2015

  20. Espertech.com: EsperTech—Esper. http://www.espertech.com/esper/index_redirected.php (2015). Accessed 2015

  21. Prieto, E., et al.: MASSIF: a promising solution to enhance Olympic Games IT security. In: Global Security, Safety and Sustainability & e-Democracy, pp. 139–147. Springer, Berlin (2012)

  22. Anicic, D., et al.: A rule-based language for complex event processing and reasoning. In: Web Reasoning and Rule Systems, pp. 42–57. Springer, Berlin (2010)

  23. Anicic, D., et al.: EP-SPARQL: a unified language for event processing and stream reasoning. In: Proceedings of the 20th International Conference on World Wide Web, ACM (2011)

  24. Saleem, M., Jaafar, J., Hassan, M.: A domain-specific language for modelling security objectives in a business process models of SOA applications. In: AISS, vol. 4.1, pp. 353–362

  25. Atkins, D., Ball, T., Bruns, G., Cox, K.: Mawl: a domain-specific language for form-based services. IEEE Trans. Softw. Eng. 25(3), 334–346 (1999)

  26. Websec.ca: Panoptic—a tool to exploit path traversal vulnerabilities. http://websec.ca/blog/view/panoptic (2015). Accessed 2015

  27. Bharadwaj, R.: SOLj: a domain-specific language (DSL) for secure service-based systems. In: Proceedings of the 11th IEEE International Workshop on Future Trends of Distributed Computing Systems (FTDCS'07), vol. 4 (2007)

  28. Kotenko, I., Polubelova, O., Saenko, I.: The ontological approach for SIEM data repository implementation. In: IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing (2012)

  29. Nrl.sourceforge.net: NRL: The Natural Rule Language. http://nrl.sourceforge.net/ (2015). Accessed 31 May 2015

  30. Malik, S.U.R., Khan, S.U.: Formal methods in large-scale computing systems. ITNOW 55(2), 52–53 (2013)

  31. Malik, S.U.R., Khan, S.U., Srinivasan, S.K.: Modeling and analysis of state-of-the-art VM-based cloud management platforms. IEEE Trans. Cloud Comput. 1(1), 1 (2013)

  32. SMT-LIB. http://smt-lib.org/. Accessed 2015

  33. Barrett, C.: The SMT-LIB Standard Version 2.0, Release. 9 Sept 2012

  34. Jee, C.: Top 10 software failures of 2014. Computerworld UK, 2015. http://www.computerworlduk.com/galleries/infrastructure/top-10-software-failures-2014-3599528/. Accessed 2015

  35. de Moura, L.: Z3: an efficient SMT solver. In: Proc. Theory and Practice of Software, 14th Intl Conf. Tools and Algorithms for the Construction and Analysis of Systems (TACAS 08) (2008)

  36. Triam, R.D.S.A. https://demo.triam.com.pk/index.php/module/user/security/login. Accessed 2015

  37. Parr, T.: The Definitive ANTLR Reference. Pragmatic Bookshelf, Raleigh (2007)

  38. Karlsch, M.: A model driven framework for domain specific languages demonstrated on a test automation language. Master's thesis, March 2007

  39. Kleppe, A., Warmer, J., Bast, W.: MDA Explained. The Model Driven Architecture: Practice and Promise. Addison-Wesley, Boston (2003)

  40. Bentley, J.L., McIlroy, M.D.: Engineering a sort function. Softw. Pract. Exp. 23(11), 1249–1265 (1993)

  41. Jones, C.: Programming languages table, release 8.2. Software Productivity Research, Burlington (1996)

  42. Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Comput. Surv. 37(4), 316–344 (2005)

  43. Prieto-Diaz, R.: Domain analysis: an introduction. SIGSOFT Softw. Eng. Notes 15(2), 47–54 (1990)

  44. Eclipse Foundation: Eclipse.org, 2015. https://eclipse.org/. Accessed 2015

  45. ASERG. www.aserg.com.pk. Accessed 2015

  46. Biere, A., Cimatti, A., Clarke, E.M., Strichman, O., Zhu, Y.: Bounded model checking. In: Advances in Computers, vol. 58, pp. 118–149. Academic Press, London (2003)

  47. Z3. https://github.com/z3prover/z3/wiki/Documentation. Accessed 2015

  48. Barrett, C.: Satisfiability modulo theories. In: Handbook of Satisfiability, vol. 185, pp. 825–885. IOS Press, Amsterdam (2009)


Acknowledgements

This work was made possible by funding provided by ICT R&D under the CDACDEA project. The RDSA service, as a SIEM, has been launched through the collaboration of Trillium Information Security Systems [36] and the Applied Security Engineering Research Group (ASERG) lab [45] at COMSATS Institute of Information Technology, Islamabad, Pakistan. The authors also extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for funding this Prolific Research Group (PRG-1436-16).


Corresponding author

Correspondence to Masoom Alam.


Cite this article

Nazir, A., Alam, M., Malik, S.U.R. et al. A high-level domain-specific language for SIEM (design, development and formal verification). Cluster Comput 20, 2423–2437 (2017). https://doi.org/10.1007/s10586-017-0819-2
