Abstract
Source data for computer network security analysis
takes different forms (alerts, incidents, logs) and each
source may be voluminous. Due to the challenge this
presents for data management, this has often lead to
security “stovepipe” operations which focus primarily
on a small number of data sources for analysis with
little or no automated correlation between data
sources (although correlation may be done manually).
We seek to address this systemic problem. Yurcik and Abad had developed a unified correlated
logging system (UCLog) that automatically processes
alerts from different devices.
We take this work one step further by presenting the architecture and applications of UCLog+ which adds the new capability to correlate between alerts and incidents and raw data located on remote logs. UCLog+ can be used for forensic analysis including queries and report generation but more importantly it can be used for near-real-time situational awareness of attack patterns in progress. The system, implemented with open source tools, can also be a repository for secure information sharing by different organizations.
Collaboration
- William Yurcik, NCSA Storage Security and Survivability Group
- Cristina Abad, Moazzam Saleem, and Shyama Sridharan, UIUC
Publications
- William Yurcik, Cristina Abad, Ragib Hasan, Moazzam Saleem, and Shyama Sridharan, " UCLog+ : A Security Data Management System for Correlating Alerts, Incidents, and Raw data From Remote Logs ," ACM Computing Research Repository (CoRR) Technical Report cs.CR/0607111 , July 2006.