ZTE Communications ›› 2014, Vol. 12 ›› Issue (3): 62-66. DOI: 10.3939/j.issn.1673-5188.2014.03.008

• Research Paper •

Event Normalization Through Dynamic Log Format Detection

Amir Azodi, David Jaeger, Feng Cheng, and Christoph Meinel   

  1. Hasso Plattner Institute, University of Potsdam, 14482 Potsdam, Germany
  • Received:2014-04-14 Online:2014-09-25 Published:2014-09-25
  • About author:Amir Azodi (amir.azodi@hpi.uni-potsdam.de) received his BSc degree in communication networks from Oxford Brookes University. He received his MSc degree in information security from University College London. He is currently a PhD student at the Department of Internet Technologies, Hasso Plattner Institute, Germany. His research interests include event normalization, intrusion detection, attack path detection, and visualization.

    David Jaeger (david.jaeger@hpi.uni-potsdam.de) is a PhD student in the IT Security Engineering Team, Hasso Plattner Institute, Germany. From 2006 to 2009, he studied IT systems engineering at the Hasso-Plattner-Institute. He received his BSc degree in 2009 and his MSc degree in 2012. His research interests include intrusion detection, especially attack monitoring and analytics, as well as normalization of security-related information.

    Feng Cheng (feng.cheng@hpi.uni-potsdam.de) is a senior researcher heading the IT Security Engineering Team at Hasso Plattner Institute in Germany. His research interests include network security, firewalls, IDS/IPS, security analytics, attack modeling and penetration testing, SOA and Cloud Security. At the Hasso Plattner Institute, he is involved in R&D and teaching activities revolving around new IT security technologies. He has been the principal investigator and project manager for many research projects on IT security, including the project "Physical Separation and its Lock-Keeper Implementation," which was commercialized by Siemens Switzerland (now with Atos Origin) in 2005. He has published more than 30 papers in international conference proceedings and journals. He has been chair, co-chair, coordinator, program committee member, and reviewer for many international workshops and conferences. He received his BEng degree from Beijing University of Aeronautics and Astronautics; he received his MEng degree from Beijing University of Technology; and he received his PhD degree from the University of Potsdam, Germany.

    Christoph Meinel (christoph.meinel@hpi.uni-potsdam.de) is scientific director and CEO of the Hasso Plattner Institute, Germany. In 2006, Professor Meinel and Hasso Plattner hosted the 1st National IT Summit of German Chancellor Dr. Angela Merkel at HPI in Potsdam. Dr. Meinel is a member of Acatech (the German National Academy of Science and Engineering) and numerous scientific committees and supervisory boards. Dr. Meinel is a full professor (C4) of computer science and is department chair of internet technologies and systems at the Hasso Plattner Institute. He teaches courses in the Bachelor’s degree and Master’s degree programs in IT systems engineering and at the HPI School of Design Thinking. He has authored or coauthored nine books and four anthologies and has edited various conference proceedings. He studied mathematics and computer science at Humboldt University of Berlin from 1974 to 1979.

Abstract: The analytical and monitoring capabilities of central event repositories, such as log servers and intrusion detection systems, are limited by the amount of structured information extracted from the events they receive. Diverse networks and applications log their events in many different formats, and this makes it difficult to identify the type of logs being received by the central repository. The way events are logged by IT systems is problematic for developers of intrusion detection systems (specifically, host-based systems), of security information systems, and of event management systems. These problems preclude the development of more accurate, intrusive security solutions that obtain results from data included in the logs being processed. We propose a new method for dynamically normalizing events into a unified super-event that is loosely based on the Common Event Expression (CEE) standard developed by the MITRE Corporation. We explain how our solution can normalize seemingly unrelated events into a single, unified format.

Key words: event normalization, intrusion detection, event stream processing, knowledge base, security information and event management
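To make the idea in the abstract concrete, the following is an added example written for this page; it is not the authors' implementation and does not reproduce the paper's knowledge base or schema. It keeps a small knowledge base of log-format patterns, detects the format of each incoming line by trying the patterns in an order that adapts to the stream (formats that keep matching move to the front), and maps every match onto one unified event whose field names loosely follow CEE core fields. The three sample lines (syslog/sshd, Apache access log, ufw firewall), the field set, the "success"/"failure" status vocabulary and the assumption that timestamps without a zone are UTC are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed sample lines (not from the paper): sshd in syslog format, an Apache
# access-log line, a ufw firewall line, and a line no knowledge-base entry covers.
SAMPLE_LINES = [
    "Apr 14 10:22:31 host1 sshd[2214]: Failed password for root from 10.0.0.5 port 50122 ssh2",
    '10.0.0.9 - - [14/Apr/2014:10:22:35 +0000] "GET /admin HTTP/1.1" 403 199',
    "2014-04-14T10:22:40Z host2 ufw BLOCK IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=22",
    "this line matches no pattern in the knowledge base",
]

# Unified event fields, loosely modelled on CEE core field names; the field set
# and the status vocabulary ("success"/"failure") are assumptions of this example.
UNIFIED_FIELDS = ("format", "time", "host", "product", "action", "status",
                  "src_ip", "src_port", "dst_ip", "dst_port", "user", "raw")

@dataclass
class LogFormat:
    """Knowledge-base entry: regex with named groups that map onto unified fields."""
    name: str
    regex: re.Pattern
    static: Dict[str, str]                          # fields fixed by the format itself
    time_fmt: str                                   # strptime format of the 'time' group
    post: Optional[Callable[[dict], None]] = None   # format-specific value mapping
    hits: int = 0                                   # match count, drives reordering

def _http_status(ev: dict) -> None:
    ev["status"] = "success" if int(ev.pop("http_status")) < 400 else "failure"

def _fw_verdict(ev: dict) -> None:
    ev["status"] = "failure" if ev.pop("fw_verdict") == "BLOCK" else "success"

KNOWLEDGE_BASE: List[LogFormat] = [
    LogFormat("syslog-sshd-failed-password",
              re.compile(r"^(?P<time>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                         r"Failed password for (?:invalid user )?(?P<user>\S+) "
                         r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"),
              {"product": "sshd", "action": "login", "status": "failure"}, "%b %d %H:%M:%S"),
    LogFormat("apache-access",
              re.compile(r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
                         r'"(?P<action>\S+) \S+ \S+" (?P<http_status>\d{3}) \d+'),
              {"product": "httpd"}, "%d/%b/%Y:%H:%M:%S %z", post=_http_status),
    LogFormat("ufw-packet",
              re.compile(r"^(?P<time>\S+) (?P<host>\S+) ufw (?P<fw_verdict>BLOCK|ALLOW) "
                         r".*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) .*DPT=(?P<dst_port>\d+)"),
              {"product": "ufw", "action": "connection"}, "%Y-%m-%dT%H:%M:%SZ", post=_fw_verdict),
]

def detect_format(line: str, kb: List[LogFormat] = KNOWLEDGE_BASE):
    """Try entries in their current order; after a hit, re-sort the knowledge base
    by hit count so the formats dominating this stream are tried first."""
    for fmt in kb:
        m = fmt.regex.match(line)
        if m:
            fmt.hits += 1
            kb.sort(key=lambda f: f.hits, reverse=True)
            return fmt, m
    return None

def normalize(line: str, assumed_year: Optional[int] = None,
              kb: List[LogFormat] = KNOWLEDGE_BASE) -> dict:
    """Map one raw line onto the unified event; unmatched lines keep only 'raw'."""
    event = {k: None for k in UNIFIED_FIELDS}
    event["raw"] = line
    found = detect_format(line, kb)
    if found is None:
        return event
    fmt, m = found
    event["format"] = fmt.name
    event.update(fmt.static)
    for name, value in m.groupdict().items():
        if value is not None and value != "-":       # "-" is Apache's empty marker
            event[name] = value
    if fmt.post:
        fmt.post(event)
    ts = datetime.strptime(event["time"], fmt.time_fmt)
    if ts.year == 1900:                               # syslog stamps carry no year
        ts = ts.replace(year=assumed_year or datetime.now(timezone.utc).year)
    if ts.tzinfo is None:                             # assumption: naive stamps are UTC
        ts = ts.replace(tzinfo=timezone.utc)
    event["time"] = ts.astimezone(timezone.utc)
    for port in ("src_port", "dst_port"):
        if event[port] is not None:
            event[port] = int(event[port])
    return event

def failures_by_source(events: List[dict]) -> Dict[str, int]:
    """One query over unified events, whatever format each one arrived in."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev["status"] == "failure" and ev["src_ip"]:
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return counts

if __name__ == "__main__":
    events = [normalize(line, assumed_year=2014) for line in SAMPLE_LINES]
    for ev in events:
        print(ev["format"], ev["time"], ev["product"], ev["status"], ev["src_ip"])
    print(failures_by_source(events))
```

The last function is the payoff of normalization: a failed SSH login, an HTTP 403 and a blocked packet come from three unrelated products and formats, yet one query over the unified `status` and `src_ip` fields attributes all of them to their source hosts. Lines that match no knowledge-base entry are not dropped; they are passed through with only `raw` set, so a new format shows up as a growing count of events with `format` unset rather than as silently lost data.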