Improving SIEM capabilities through an enhanced probe for encrypted Skype traffic detection

Abstract

Nowadays, the Security Information and Event Management (SIEM) systems take on great relevance in handling security issues for critical infrastructures as Internet Service Providers. Basically, a SIEM has two main functions: ((i) the collection and the aggregation of log data and security information from disparate network devices (routers, firewalls, intrusion detection systems, ad hoc probes and others) and ((ii) the analysis of the gathered data by implementing a set of correlation rules aimed at detecting potential suspicious events as the presence of encrypted real-time traffic. In the present work, the authors propose an enhanced implementation of a SIEM where a particular focus is given to the detection of encrypted Skype traffic by using an ad-hoc developed enhanced probe (ESkyPRO) conveniently governed by the SIEM itself. Such enhanced probe, able to interact with an agent counterpart deployed into the SIEM platform, is designed by exploiting some machine learning concepts. The main purpose of the proposed ad-hoc SIEM is to correlate the information received by ESkyPRO and other types of data obtained by an Intrusion Detection System (IDS) probe in order to make the encrypted Skype traffic detection as accurate as possible.