Enhancing Security Event Management Systems with Unsupervised Anomaly Detection

Markus Goldstein, Stefan Asanger, Matthias Reif, Andrew Hutchison

2013

Abstract

Security Information and Event Management (SIEM) systems are today a key component of complex enterprise networks. They usually aggregate and correlate events from different machines and perform a rule-based analysis to detect threats. In this paper we present an enhancement of such systems which makes use of unsupervised anomaly detection algorithms without the need for any prior training of the system. For data acquisition, events are exported from an existing SIEM appliance, parsed, unified and preprocessed to fit the requirements of unsupervised anomaly detection algorithms. Six different algorithms are evaluated qualitatively, and finally a global k-NN approach is selected for a practical deployment. The new system was able to detect misconfigurations and gave the security operation center team more insight into processes in the network.
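The abstract describes the pipeline at a high level: SIEM events are aggregated into numeric feature vectors, scaled so that unsupervised distance-based methods can work on them, and then scored with a global k-NN anomaly detector that needs no training phase. The following Python block is an added illustration of that scoring step and is not the paper's own code; the per-host feature set (events per hour, distinct destination ports, failed-login ratio), the host names and all values are constructed for the example, and the z-score threshold is one simple choice of cut-off, not the one used in the paper.

```python
"""Global k-NN anomaly scoring over preprocessed SIEM event aggregates.

Added illustration, not the paper's code. Hosts, features and values are
constructed; the SIEM export/parsing stage is assumed to have already
produced one fixed-length numeric vector per source host.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample: (events per hour, distinct destination ports,
# failed-login ratio) per source host, as an aggregation step would emit.
SAMPLE_HOST_PROFILES: Dict[str, Tuple[float, float, float]] = {
    "host-01": (118.0, 4, 0.01),
    "host-02": (125.0, 5, 0.03),
    "host-03": (110.0, 6, 0.02),
    "host-04": (131.0, 4, 0.00),
    "host-05": (122.0, 5, 0.04),
    "host-06": (115.0, 7, 0.02),
    "host-07": (128.0, 5, 0.01),
    "host-08": (120.0, 6, 0.03),
    "host-09": (902.0, 240, 0.85),  # constructed misconfigured host touching many ports
}


def min_max_scale(vectors: Sequence[Sequence[float]]) -> List[Tuple[float, ...]]:
    """Scale every feature to [0, 1] so raw event counts do not dominate distances.

    A constant feature (max == min) is mapped to 0.0 instead of dividing by zero.
    """
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return [
        tuple(0.0 if hi[i] == lo[i] else (v[i] - lo[i]) / (hi[i] - lo[i]) for i in range(dims))
        for v in vectors
    ]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def global_knn_scores(vectors: Sequence[Sequence[float]], k: int) -> List[float]:
    """Global k-NN anomaly score: mean distance to the k nearest other points.

    Scores are comparable across the whole data set (unlike local methods such
    as LOF), which is what makes a single ranking for the SOC meaningful.
    k is capped at n-1 so that small data sets still produce a score.
    """
    n = len(vectors)
    if n < 2:
        raise ValueError("need at least two points to score anomalies")
    k = min(k, n - 1)
    scores = []
    for i, v in enumerate(vectors):
        dists = sorted(euclidean(v, w) for j, w in enumerate(vectors) if j != i)
        scores.append(sum(dists[:k]) / k)
    return scores


def rank_hosts(profiles: Dict[str, Sequence[float]], k: int = 3) -> List[Tuple[str, float]]:
    """Scale the profiles, score them and return hosts ordered by descending anomaly score."""
    names = list(profiles)
    scaled = min_max_scale([profiles[name] for name in names])
    scores = global_knn_scores(scaled, k)
    return sorted(zip(names, scores), key=lambda pair: pair[1], reverse=True)


def flag_outliers(ranked: Sequence[Tuple[str, float]], z: float = 2.0) -> List[str]:
    """Training-free cut-off: flag hosts whose score exceeds mean + z * std of all scores.

    For a single outlier among n points the largest attainable z-score is
    sqrt(n - 1), so z must stay small when the scored population is small.
    """
    scores = [s for _, s in ranked]
    mean = sum(scores) / len(scores)
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return [name for name, s in ranked if s > mean + z * std]


if __name__ == "__main__":
    ranking = rank_hosts(SAMPLE_HOST_PROFILES, k=3)
    for name, score in ranking:
        print(f"{name}: {score:.3f}")
    print("flagged:", flag_outliers(ranking))
```

Because the detector is unsupervised, the only knobs an operator tunes are k and the cut-off; the ranked list itself is what an analyst reviews, and in this constructed sample the host with the unusual port fan-out sits alone at the top.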

Paper Citation


in Harvard Style

Goldstein M., Asanger S., Reif M. and Hutchison A. (2013). Enhancing Security Event Management Systems with Unsupervised Anomaly Detection. In Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods - Volume 1: ICPRAM, ISBN 978-989-8565-41-9, pages 530-538. DOI: 10.5220/0004230105300538

in Bibtex Style

@conference{icpram13,
author={Markus Goldstein and Stefan Asanger and Matthias Reif and Andrew Hutchison},
title={Enhancing Security Event Management Systems with Unsupervised Anomaly Detection},
booktitle={Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods - Volume 1: ICPRAM},
year={2013},
pages={530-538},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004230105300538},
isbn={978-989-8565-41-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods - Volume 1: ICPRAM
TI - Enhancing Security Event Management Systems with Unsupervised Anomaly Detection
SN - 978-989-8565-41-9
AU - Goldstein M.
AU - Asanger S.
AU - Reif M.
AU - Hutchison A.
PY - 2013
SP - 530
EP - 538
DO - 10.5220/0004230105300538