OSSIM Platform Security Event Correlation Analysis in Practice
In the book "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices", event correlation is presented as the core of all OSSIM correlation analysis. Correlation in OSSIM demands substantial processing capacity: the logs collected from devices must be stored promptly, matched and correlated, and the results displayed through the web UI. From the real-time point of view, the correlation pipeline must never be interrupted, so the system has strict real-time requirements. OSSIM is also rule-based and runs several high-speed rule analysis engines to perform pattern matching and deliver correlation results. The correlation engine is therefore a typical data-processing system that has to rely on a strong database: the open source OSSIM uses MySQL 5.6, while the commercial edition uses MongoDB.
Storing an ordinary log in the database is easy; the complex part is the correlation engine turning events into alarms in the database. Where is the pressure? Suppose a correlation rule takes 1 second to fetch 10 records through an SQL statement: the correlation engine then needs 10 disk accesses within that 1 second, far more than plain log storage requires, and the tables, fields and indexes in the OSSIM database are laid out specifically for this write-once, read-many workload. This is what makes complex pattern matching practical. For example, to pick out the source IP addresses that failed to log in to the SSH server more than 5 times within 1 minute, the correlation engine periodically issues SQL queries to find the event records that satisfy the condition.
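The SSH rule just described, written as a windowed SQL query over a normalized event table. This is an added example, not code from the book or from OSSIM; the table layout, the SQLite in-memory store and the sample events are assumptions constructed for it.

```python
import sqlite3

# Constructed sample of normalized events. The column layout (ts, plugin,
# src_ip, outcome) is an assumption for this example, not OSSIM's real schema.
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:01", "ssh", "203.0.113.5", "failed"),
    ("2024-01-01 10:00:05", "ssh", "203.0.113.5", "failed"),
    ("2024-01-01 10:00:12", "ssh", "203.0.113.5", "failed"),
    ("2024-01-01 10:00:20", "ssh", "203.0.113.5", "failed"),
    ("2024-01-01 10:00:31", "ssh", "203.0.113.5", "failed"),
    ("2024-01-01 10:00:44", "ssh", "203.0.113.5", "failed"),  # 6th failure within 43 s
    ("2024-01-01 10:00:50", "ssh", "192.0.2.9", "accepted"),  # successes never count
    ("2024-01-01 10:02:00", "ssh", "198.51.100.7", "failed"),  # slow and spread out:
    ("2024-01-01 10:02:30", "ssh", "198.51.100.7", "failed"),  # never more than 2 in
    ("2024-01-01 10:03:10", "ssh", "198.51.100.7", "failed"),  # any 60 s window
    ("2024-01-01 10:04:00", "ssh", "198.51.100.7", "failed"),
]

# Self-join: each failed SSH event opens a window of `window_seconds`; count the
# failures from the same source inside it and keep windows over the threshold.
BRUTE_FORCE_SQL = """
SELECT a.src_ip, a.ts AS window_start, COUNT(*) AS failures
  FROM events a JOIN events b
    ON b.src_ip = a.src_ip
   AND b.plugin = 'ssh' AND b.outcome = 'failed'
   AND b.ts >= a.ts AND b.ts < datetime(a.ts, ?)
 WHERE a.plugin = 'ssh' AND a.outcome = 'failed'
 GROUP BY a.src_ip, a.ts
HAVING COUNT(*) > ?
 ORDER BY a.src_ip, a.ts
"""

def load_events(events):
    """Build an in-memory event store with the index the windowed query relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, plugin TEXT, src_ip TEXT, outcome TEXT)")
    conn.execute("CREATE INDEX idx_src ON events (src_ip, plugin, outcome, ts)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    return conn

def find_ssh_brute_force(conn, window_seconds=60, threshold=5):
    """Return (src_ip, window_start, failures) for every window exceeding the threshold."""
    rows = conn.execute(BRUTE_FORCE_SQL, (f"+{window_seconds} seconds", threshold))
    return [tuple(r) for r in rows]

if __name__ == "__main__":
    # The real engine re-runs a query like this periodically; here it runs once.
    for src_ip, start, n in find_ssh_brute_force(load_events(SAMPLE_EVENTS)):
        print(f"alarm: {src_ip} made {n} failed SSH logins in the minute from {start}")
```

The composite index is the point of the page's remark about tables and indexes: without it the self-join scans the whole event table on every periodic run.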
Many security managers complain that, even after deploying firewalls, intrusion detection, antivirus systems and network management software, network security is still a burden. Today's network security manager faces the following challenges:
1) The volume of security events generated by security devices and network applications is enormous, and IDS false positives are severe. An IDS can generate tens of thousands of security events a day, of which usually 99% are false positives, while the small number of genuinely threatening events is drowned out by them.
2) The horizontal and vertical relationships between security events (different spatial sources, time sequences, and so on) cannot be analysed comprehensively, so false alarms are severe and real-time handling is impossible. One attack activity often follows another that creates the preconditions for it; a single attack activity produces security events on several security devices; and security events from multiple sources may in fact be one coordinated attack. All of these lack effective comprehensive analysis.
3) The security manager lacks global, real-time awareness of the security posture of the entire network.
Making full use of the detection capabilities of many kinds of security devices through centralized processing has one fatal weakness: the amount of data to be analysed. Those highly redundant, independent and scattered security events obviously cannot serve directly as the basis for a response, yet network security protection also has real-time requirements. The fundamental solution to these problems is correlation processing of network security events. To understand what correlation analysis is, a few basic concepts are needed.
1) Security events: this book mentions security events from the outset; they include server security logs and the alerts and logs of critical applications.
2) Data source: the data source is where security events originate, including firewalls, intrusion detection systems, important hosts, and the logs of routers and switches.
3) Data correlation: combining data from multiple data sources through association, correlation or combination analysis to obtain higher-quality information. It brings together the logs of devices at different locations and the problems of different time sequences under a specific correlation method, and finally determines the analysis method to apply. Of course, these are only generalized methods of security event correlation; later chapters explain OSSIM's specific rules in detail.
4) Cross-correlation: the most common method, which correlates security events with the network topology, the services open on systems, and the vulnerabilities of devices, in order to analyse how likely an attack is to succeed. In OSSIM, correlation rules can be used to detect certain threats and to trigger automatic responses (such as alerts).
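Cross-correlation as described in item 4, applied to IDS alerts to separate the real threats from the false positives counted in challenge 1. This is an added example and not OSSIM's own risk model; the asset inventory, the alert records, the signature names and the likelihood labels are constructed assumptions.

```python
# Constructed asset inventory and IDS alerts. The record layout and the
# likelihood labels are assumptions for this example, not OSSIM's own model.
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {22: "ssh", 80: "http"},
                 "vulnerable_services": {"http"}},  # web app has a known unpatched flaw
    "10.0.0.6": {"os": "windows", "services": {445: "smb"}, "vulnerable_services": set()},
}

SAMPLE_ALERTS = [
    {"sig": "web application exploit attempt", "dst_ip": "10.0.0.5", "dst_port": 80,
     "service": "http", "target_os": "linux"},
    {"sig": "SMB remote code execution attempt", "dst_ip": "10.0.0.5", "dst_port": 445,
     "service": "smb", "target_os": "windows"},   # Windows signature, Linux host
    {"sig": "SMB remote code execution attempt", "dst_ip": "10.0.0.6", "dst_port": 445,
     "service": "smb", "target_os": "windows"},   # exposed, no known vulnerability
    {"sig": "SSH login attempt", "dst_ip": "10.0.0.9", "dst_port": 22,
     "service": "ssh", "target_os": "linux"},     # host missing from inventory
]

def cross_correlate(alert, assets):
    """Rate an alert against what is actually exposed on its target.

    Returns (likelihood, reason); likelihood is 'unknown', 'low', 'medium' or 'high'."""
    host = assets.get(alert["dst_ip"])
    if host is None:
        return "unknown", "target is not in the asset inventory"
    if alert["target_os"] != host["os"]:
        return "low", f"signature targets {alert['target_os']} but host runs {host['os']}"
    service = host["services"].get(alert["dst_port"])
    if service != alert["service"]:
        return "low", f"port {alert['dst_port']} does not expose {alert['service']}"
    if service in host["vulnerable_services"]:
        return "high", f"{service} on {alert['dst_ip']} has a known unpatched vulnerability"
    return "medium", f"{service} is exposed but no matching vulnerability is recorded"

def triage(alerts, assets):
    """Split alerts into those to escalate and those cross-correlation downgrades.

    Unknown targets are escalated too: a host missing from the inventory is itself
    a finding, not a reason to discard the alert."""
    escalate, suppress = [], []
    for alert in alerts:
        likelihood, reason = cross_correlate(alert, assets)
        bucket = suppress if likelihood == "low" else escalate
        bucket.append((alert["sig"], alert["dst_ip"], likelihood, reason))
    return escalate, suppress

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ALERTS, ASSETS)[0]:
        print("escalate:", verdict)
```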
Here are some examples of anomalies:
Integrity: when a file integrity monitoring tool finds that the size or owner of programs such as ls, ps, netstat and su has changed, the system can be judged to have been attacked. System: user accounts being modified, unexplained abnormal logins, new files or directories appearing in unlikely places or files going missing, directories suddenly growing or shrinking, and MD5 signatures that no longer match are all signs that the system has been compromised. Logs: system logs shrinking, unknown entries appearing in the logs, or abnormal interruption messages indicate that the system has been compromised. Traffic: a large-scale increase in traffic at several nodes may indicate a denial-of-service attack.
To achieve the goal of security event correlation analysis, we need a good event handling mechanism, such as normalizing the logs after collection and before correlation, and a good correlation method; in fact more than one correlation method, and preferably several real-time correlation methods combined. After large numbers of normalized events are fed into the correlation engine, they pass through the various correlation methods, such as event classification, aggregation, cross-correlation and heuristic correlation, which statistically classify the security events in the database to find the origins that frequently cause security events and the ports that are frequently attacked. Event alarms are raised at these stages, each by its own security event correlation module. For a more detailed treatment of the principles and practice of security event correlation analysis, see "Open Source Security Operation and Maintenance Platform: OSSIM Best Practices".
This article is from the "Lee Chenguang Original Technology Blog"; please be sure to keep this source: http://chenguang.blog.51cto.com/350944/1760414