
2017 IEEE Conference on Communications and Network Security (CNS): IEEE CNS 2017 - Posters

Toward the SIEM Architecture for Cloud-based Security Services

Jong-Hoon Lee, Young Soo Kim, Jong Hyun Kim, Ik Kyun Kim
Information Security Research Division, ETRI, Daejeon, Korea

Abstract—Cloud computing represents one of the most significant shifts in information technology, and it makes it possible to provide cloud-based security services such as Security-as-a-Service (SECaaS). As cloud computing technologies improve, the traditional SIEM paradigm can shift to cloud-based security services. In this paper, we propose a SIEM architecture that can be deployed on the SECaaS platform we have been developing for analyzing and recognizing intelligent cyber threats based on virtualization technologies.

Keywords—SIEM, Security Information and Event Management, SECaaS, Security-as-a-service, cloud-based security service.

I. INTRODUCTION

Cloud computing represents one of the most significant changes in the field of information security technology, for example cloud-based security-as-a-service. Although there are many information security technologies for this purpose, SIEM (Security Information and Event Management) has been developed as an important component of enterprise networks and network infrastructures: a purpose-built solution to collect, aggregate, parse, normalize, store and distill tremendous volumes of event logs and to correlate data from traditional security systems such as firewalls, intrusion detection/prevention systems, anti-malware systems and others deployed at both the host and network domains [1, 2].

We have been developing the SOA (Security-on-Air) project, a cloud-based security platform. In a cloud data center it provides various security services to multiple tenants by applying SDN/NFV technologies and by virtualizing the security sensors, such as virtual firewalls, virtual IPS, virtual DLP, virtual DPI, anti-malware systems and others deployed at both the host and network domains. The proposed SIEM can be applied to maintain the huge number of security event logs generated by these virtualized security systems, ensuring the cloud-based security service.

For managing and analyzing the various logs and events generated by cloud-based security sensors in the SOA project, the SIEM needs to be designed not only to manage logs and security events from various security systems, but also to achieve relevant correlation analytics for recognizing cyber threats. To do so, we referenced OpenSoC [3] and complemented our SIEM architecture with it to provide various analysis models and data enrichment. In addition, because the main goal of the SIEM is to provide valuable security information and to perform large-scale data correlation for detecting cyber threats, we apply a Big Data platform composed of distributed units based on Kafka, Spark, Elasticsearch and MongoDB [4, 5].

II. DESIGNED SIEM ARCHITECTURE

The designed SIEM architecture mainly consists of the SIEM Engine for processing the collected data, the SIEM Storage for storing the collected data and analysis results, and the SIEM User Layer for delivering the security service to the user, as shown in Fig. 1.

[Fig. 1 is not reproduced here; its labelled blocks are: inputs (Netflow, Traffic, Syslog, vDLP event, vIPS event, vFW log, External Alert); the SIEM Engine with a Message Queue, Data-Preprocessing (Transform, Enrich, Schema), Data-Aggregation (Log Event Aggregators, Security Event Collector), an Event Router, Signature Model / Other Model / Profile / Threshold scorers that emit Alerts, and Data-Mining (Signature Mining, Other Mining); the SIEM Storage with raw, schema-less MongoDB NoSQL storage and Elasticsearch / Impala SQL on Hadoop; and the SIEM User Layer with UI, Web Service, Secure Gateway and Open API / RESTful API services. Data flow and alert flow are drawn as separate paths.]

Fig. 1. The SIEM Architecture for cloud-based service

The SIEM Engine aims to support the provision of intelligent threat analytics and relevant data output based on its various data processing, such as data modeling and data mining. The details are explained in the next chapter. For the SECaaS service, the SIEM User Layer is a specialized component which includes the application for accessing the SIEM Engine, and it supports incident response activities from a wide variety of sources.

In order to support the SIEM service on the cloud platform, the SIEM User Layer is executed on a virtual machine. In detail, when the user activates the virtual machine which includes the SIEM User Layer, the SIEM Engine retrieves the related information from the SIEM Storage and instantly enters the running state. For this, it is necessary that the Data Identifier Manager in the SIEM is able to identify each event and separate the security logs per tenant of the cloud-based security service.

III. ANALYTICS IN SIEM ENGINE

The SIEM Engine mainly includes time-series analytics and correlation analytics in order to provide the cloud-based SIEM service. Each method is explained as follows.

• Time-Series Data Analytics Function: It extracts and calculates statistical data by security source and object in the collected security event log data. The SIEM calculates predicted baseline values based on factors such as time, day of the week, protocols and log data frequency for each service port. By doing so, it can carry out anomaly detection based on the calculated event baseline, attack name and traffic information, which are stored in big data storage.

• Correlation Analytics Function: It provides the data information to analyze the correlated features among the collected security events with the aggregated threat case dataset. For this, the SIEM generates a statistical database using big data analytics and data mining methodologies by IP address, port, event signature and metadata for data enrichment from the collected data, and is then able to provide the correlated data information for analyzing and recognizing the status of the cyber threat. Fig. 2 represents the workflow of the correlation analysis module and Fig. 3 shows an example of correlated data information among the security sensor logs.

Fig. 2. Flow for Correlation Analysis using Data mining (figure not reproduced)

Fig. 3. Example of Correlated Information among vIPS, vFW and vDLP data instance (figure not reproduced; it shows two vIPS Data Instances, a vFW Data Instance and a vDLP Data Instance)

Additionally, the long-term correlation analytics function enables the SIEM to recognize and detect real-time intrusion threats by analyzing event occurrence patterns related to past intrusion threats. It enhances the ability to correlate attack cases that have occurred.

When the above SIEM Engine performs data analysis per user, it must identify the collected data for each user. This function is carried out by the Data Identifier Manager (DIM), which recognizes the data source of the data collected from the various security sensors. This provides the functionality to run the customized SIEM Engine according to whether the cloud user's virtual machine is activated.

IV. FUTURE WORKS

In this paper, for the case where traditional security systems are virtualized in a cloud platform, we designed a SIEM architecture for cloud-based security services that can help to recognize cyber threats using the collected data and to provide correlation-based cyber threat analytics. Furthermore, because correlation analytics is the most important of the various analytics methods, we will apply a neural network in order to detect threats by learning the security data model. In detail, with a neural network model that outputs threat categories or normality by learning from collected long-term data, the proposed SIEM can improve its ability to determine whether the status of the currently collected data is a threat or not. Such a method will significantly enhance intelligent cyber threat analysis in the SIEM.

ACKNOWLEDGMENT

This work was supported by the Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No. 2017-0-00078, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning).

REFERENCES

[1] T. Yen, A. Oprea, K. Onarlioglu, T. Leetham, W. Robertson, A. Juels and E. Kirda, "Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks," in Proceedings of the 29th Annual Computer Security Applications Conference, ACM, 2013, pp. 199-208.
[2] Cloud Security Alliance, https://cloudsecurityalliance.org/group/security-as-a-service/
[3] OpenSoC Project, http://metron.apache.org
[4] Apache Kafka Project, https://kafka.apache.org
[5] Apache Spark, https://spark.apache.org

978-1-5386-0683-4/17/$31.00 ©2017 IEEE
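The time-series baseline and correlation functions of Section III, together with the per-tenant separation the DIM performs, as an added Python example that is not code from the paper or the SOA project: the sensor-to-tenant map, the event fields, the 3-sigma threshold and the sample data are assumptions constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Sensor-to-tenant map: an assumption standing in for the paper's Data Identifier Manager (DIM).
SENSOR_TENANT = {"vfw-01": "tenant-a", "vips-01": "tenant-a", "vdlp-01": "tenant-a"}
def tag_tenant(ev):
    """DIM step: attach the owning tenant; events from unregistered sensors are dropped (None)."""
    tenant = SENSOR_TENANT.get(ev["sensor"])
    return None if tenant is None else {**ev, "tenant": tenant}
def port_baseline(hourly_counts):
    """Time-series function: mean and stddev of log frequency per (tenant, port, weekday, hour).
    hourly_counts: (tenant, port, hour_start, count) tuples read back from storage."""
    buckets = defaultdict(list)
    for tenant, port, ts, n in hourly_counts:
        buckets[(tenant, port, ts.weekday(), ts.hour)].append(n)
    return {k: (mean(v), pstdev(v)) for k, v in buckets.items()}
def is_anomalous(base, tenant, port, ts, count, k=3.0):
    """Threshold check: count more than k sigmas above the predicted baseline, or a port with no baseline."""
    stats = base.get((tenant, port, ts.weekday(), ts.hour))
    if stats is None:
        return True
    mu, sigma = stats
    return count > mu + k * max(sigma, 1.0)  # floor sigma so a flat history still leaves some slack

def correlate(events, window=timedelta(minutes=5)):
    """Correlation function: events sharing tenant and source IP within the window that come
    from at least two sensor types (vFW, vIPS, vDLP) form one correlated threat case."""
    by_key = defaultdict(list)
    for ev in filter(None, map(tag_tenant, events)):
        by_key[(ev["tenant"], ev["src_ip"])].append(ev)
    cases = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        group = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        kinds = sorted({e["sensor"].split("-")[0] for e in group})
        if len(kinds) >= 2:
            cases.append((key, kinds, [e["sig"] for e in group]))
    return cases

# Constructed sample data: four earlier Mondays at 10:00 for port 22, then one burst of
# events from three sensor types plus one event from a sensor the DIM does not know.
T0 = datetime(2017, 10, 9, 10)
HISTORY = [("tenant-a", 22, T0 - timedelta(weeks=w), c) for w, c in enumerate([40, 42, 38, 41], 1)]
EVENTS = [
    {"sensor": "vfw-01", "src_ip": "10.0.0.5", "ts": T0, "sig": "deny tcp/22"},
    {"sensor": "vips-01", "src_ip": "10.0.0.5", "ts": T0 + timedelta(minutes=1), "sig": "ssh-bruteforce"},
    {"sensor": "vdlp-01", "src_ip": "10.0.0.5", "ts": T0 + timedelta(minutes=3), "sig": "dlp-policy-hit"},
    {"sensor": "sensor-x", "src_ip": "10.0.0.9", "ts": T0, "sig": "unregistered"},
]
```

A count of 44 on port 22 at the same weekday and hour stays under the baseline plus three sigmas, a count of 300 is flagged, and the three events from 10.0.0.5 collapse into one case spanning vFW, vIPS and vDLP while the unregistered sensor's event never enters the analysis.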
