Abstract

Current Security Information and Event Management systems (SIEMs) constitute the central platform of modern security operations centers. They gather events from multiple sensors (intrusion detection systems, anti-virus, firewalls, etc.), correlate these events, and deliver synthetic views of the alerts for threat handling and security reporting. However, as the number of security incidents, and thus the diversity of alerts received by SIEMs, increases, appropriate treatment of these alerts has become essential. Alert correlation has been proposed to alleviate this problem. Current alert correlation techniques provide a better description of the detected incident and a concise view of the generated alerts, reducing their volume and thus their processing time. Although such techniques support administrators in processing a huge number of alerts, they remain limited, since they provide no information about the attacker's behavior or the defender's capability to react to detected attacks. In this paper, we propose two novel alert correlation approaches: the first is based on policy enforcement and defender capability models, and the second on information security indicators. We thereby enrich the current state of the art in alert correlation techniques with complementary approaches.
