Revolutionizing SIEM Security: An Innovative Correlation Engine Design for Multi-Layered Attack Detection-Reference-Cited by-同舟云学术

Revolutionizing SIEM Security: An Innovative Correlation Engine Design for Multi-Layered Attack Detection

Published:2024-07-28 Issue:15 Volume:24 Page:4901
ISSN:1424-8220
Container-title:Sensors
language:en
Short-container-title:Sensors

Author:

Sheeraz Muhammad¹^ORCID,Durad Muhammad Hanif¹^ORCID,Paracha Muhammad Arsalan¹^ORCID,Mohsin Syed Muhammad²³^ORCID,Kazmi Sadia Nishat⁴^ORCID,Maple Carsten⁵^ORCID

Affiliation:

1. Department of Computer and Information Sciences, Pakistan Institute of Engineering and Applied Sciences, Islamabad 45650, Pakistan

2. Department of Computer Science, COMSATS University Islamabad, Islamabad 45550, Pakistan

3. College of Intellectual Novitiates (COIN), Virtual University of Pakistan, Lahore 55150, Pakistan

4. Faculty of Automatic Control, Electronics and Computer Science, Silesian University of Technology, 44-100 Gliwice, Poland

5. Cyber Security Centre, University of Warwick, Coventry CV4 7AL, UK

Abstract

Advances in connectivity, communication, computation, and algorithms are driving a revolution that will bring economic and social benefits through smart technologies of the Industry 4.0 era. At the same time, attackers are targeting this expanded cyberspace to exploit it. Therefore, many cyberattacks are reported each year at an increasing rate. Traditional security devices such as firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), anti-viruses, and the like, often cannot detect sophisticated cyberattacks. The security information and event management (SIEM) system has proven to be a very effective security tool for detecting and mitigating such cyberattacks. A SIEM system provides a holistic view of the security status of a corporate network by analyzing log data from various network devices. The correlation engine is the most important module of the SIEM system. In this study, we propose the optimized correlator (OC), a novel correlation engine that replaces the traditional regex matching sub-module with a novel high-performance multiple regex matching library called “Hyperscan” for parallel log data scanning to improve the performance of the SIEM system. Log files of 102 MB, 256 MB, 512 MB, and 1024 MB, generated from log data received from various devices in the network, are input into the OC and simple event correlator (SEC) for applying correlation rules. The results indicate that OC is 21 times faster than SEC in real-time response and 2.5 times more efficient in execution time. Furthermore, OC can detect multi-layered attacks successfully.

Funder

IT&T Endowment Fund

PIEAS

Higher Education Commission

National Center for Cyber Security

Cyber Security Centre, University of Warwick, United Kingdom

Publisher

MDPI AG

Link

https://www.mdpi.com/1424-8220/24/15/4901/pdf

Reference60 articles.

1. The impact of internet on entrepreneurship;Tan;Int. Rev. Econ. Financ.,2022

2. Industry 4.0, digitization, and opportunities for sustainability;Ghobakhloo;J. Clean. Prod.,2020

3. Key ingredients for evaluating Industry 4.0 readiness for organizations: A literature review;Sony;Benchmarking Int. J.,2020

4. Alqahtani, A., and Sheldon, F.T. (2022). A survey of crypto ransomware attack detection methodologies: An evolving outlook. Sensors, 22.

5. Chowdhury, A. (2016). Recent cyber security attacks and their mitigation approaches—An overview. Applications and Techniques in Information Security: 6th International Conference, ATIS 2016, Cairns, QLD, Australia, 26–28 October 2016, Springer. Proceedings 7.