Skip to Main content Skip to Navigation
Conference papers

Normalizing Security Events with a Hierarchical Knowledge Base

Abstract : An important technique for attack detection in complex company networks is the analysis of log data from various network components. As networks are growing, the number of produced log events increases dramatically, sometimes even to multiple billion events per day. The analysis of such big data highly relies on a full normalization of the log data in realtime. Until now, the important issue of full normalization of a large number of log events is only insufficiently handled by many software solutions and not well covered in existing research work. In this paper, we propose and evaluate multiple approaches for handling the normalization of a large number of typical logs better and more efficient. The main idea is to organize the normalization in multiple levels by using a hierarchical knowledge base (KB) of normalization rules. In the end, we achieve a performance gain of about 1000x with our presented approaches, in comparison to a naive approach typically used in existing normalization solutions. Considering this improvement, big log data can now be handled much faster and can be used to find and mitigate attacks in realtime.
Document type :
Conference papers
Complete list of metadata
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Friday, January 20, 2017 - 4:47:48 PM
Last modification on : Monday, February 11, 2019 - 4:22:53 PM
Long-term archiving on: : Friday, April 21, 2017 - 4:20:56 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



David Jaeger, Amir Azodi, Feng Cheng, Christoph Meinel. Normalizing Security Events with a Hierarchical Knowledge Base. 9th Workshop on Information Security Theory and Practice (WISTP), Aug 2015, Heraklion, Crete, Greece. pp.237-248, ⟨10.1007/978-3-319-24018-3_15⟩. ⟨hal-01442546⟩



Record views


Files downloads