Abstract

A system for collecting, processing, analyzing, and correlating events of the enterprise information infrastructure, known as a SIEM, is proposed for consideration. With the development of corporate information systems, the number of threats related to violations of availability, integrity, and confidentiality has increased tenfold. Ensuring information security (IS) is a complex task of responding to, investigating, and eliminating the consequences of IS incidents. The paper proposes a formalized description of the data that the proposed system uses. In addition, the general architecture and algorithm of functioning are highlighted. Special attention is paid to a detailed description of one of the main parts of the system, the data collection agents. The information collection subsystem is characterized by the type of information collected: data on the operation of an application, a host, or a network, or on inter-network interactions. A subsystem of this class accumulates heterogeneous data on a system or network for further analysis for signs of computer attacks. To collect data, special modules, sensors and agents, are used: the former are usually used to monitor network activity, and the latter to monitor and analyze actions in a particular system. The practical application of the improved model is possible both in the framework of research work and in automated information security control systems. The results obtained will be used in the further design of a complex system of continuous monitoring of the enterprise infrastructure. It is planned to consider the data storage subsystem next. Subsequent work on the topic will allow the architecture and algorithm of functioning to be specified in more detail.
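To make the agent's role concrete, the following is an added illustration (not code from the paper or its authors) of the two stages the abstract describes: a host agent normalizing heterogeneous records (a syslog-style sshd line, a JSON application event, an unrelated cron line) into one event schema, followed by a simple correlation rule over the normalized stream. The log lines, field names, the `Event` schema, and the "N failures then a success from the same source" rule are all constructed assumptions for this example.

```python
"""Toy SIEM collection agent: normalize heterogeneous host log records into one
event schema, then correlate them for a simple sign of a password-guessing attack.
Added example; the schema and rule are assumptions, not the paper's design."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not taken from any real system).
SAMPLE_LINES = [
    "Mar 10 12:00:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 5555 ssh2",
    "Mar 10 12:00:03 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 5556 ssh2",
    "Mar 10 12:00:05 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 5557 ssh2",
    "Mar 10 12:00:07 host1 sshd[1234]: Accepted password for root from 203.0.113.5 port 5558 ssh2",
    '{"ts": "2024-03-10T12:00:09Z", "host": "host2", "app": "webapp", "event": "login_failed", "user": "bob", "src": "198.51.100.7"}',
    "Mar 10 12:00:11 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<app>[\w-]+)\[\d+\]:\s(?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Hypothetical mapping from the JSON application's event names to the common schema.
APP_EVENTS = {"login_failed": ("login", "failure"), "login_ok": ("login", "success")}


@dataclass
class Event:
    """Common schema every collected record is normalized into."""
    ts: str
    host: str
    source: str   # producing application (sshd, webapp, cron, ...)
    action: str   # normalized action name ("login" or "other")
    outcome: str  # "success", "failure" or "unknown"
    user: str = ""
    src_ip: str = ""
    raw: str = ""


def normalize_line(line: str) -> Event:
    """Turn one raw record of either supported format into an Event."""
    line = line.strip()
    if line.startswith("{"):  # JSON application event
        rec = json.loads(line)
        action, outcome = APP_EVENTS.get(rec.get("event", ""), ("other", "unknown"))
        return Event(rec.get("ts", ""), rec.get("host", ""), rec.get("app", "app"),
                     action, outcome, rec.get("user", ""), rec.get("src", ""), line)
    m = SYSLOG_RE.match(line)
    if not m:  # keep unparseable records rather than dropping them
        return Event("", "", "unknown", "other", "unknown", raw=line)
    ev = Event(m["ts"], m["host"], m["app"], "other", "unknown", raw=line)
    if m["app"] == "sshd":
        a = SSH_AUTH_RE.match(m["msg"])
        if a:
            ev.action = "login"
            ev.outcome = "failure" if a["outcome"] == "Failed" else "success"
            ev.user, ev.src_ip = a["user"], a["src"]
    return ev


def normalize_lines(lines):
    return [normalize_line(l) for l in lines]


def correlate(events, threshold=3):
    """Flag a source that reaches `threshold` failed logins and then succeeds."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:  # events are processed in arrival order
        if ev.action != "login" or not ev.src_ip:
            continue
        if ev.outcome == "failure":
            failures[ev.src_ip] += 1
        elif ev.outcome == "success" and failures[ev.src_ip] >= threshold:
            alerts.append({"rule": "login_success_after_failures", "src_ip": ev.src_ip,
                           "host": ev.host, "user": ev.user, "failures": failures[ev.src_ip]})
            failures[ev.src_ip] = 0
    return alerts


if __name__ == "__main__":
    evs = normalize_lines(SAMPLE_LINES)
    for e in evs:
        print(f"{e.host:6} {e.source:7} {e.action:6} {e.outcome:8} {e.user:6} {e.src_ip}")
    print(correlate(evs))
```

Keeping unparsed records as `action="other"` events rather than discarding them preserves the heterogeneous raw data the abstract says the subsystem accumulates; the correlation stage then only consumes the fields the schema guarantees.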
