Evaluation of SIEM Correlation in the Detection of Denial of Service Attacks

Fraser, J. (2015). Evaluation of SIEM Correlation in the Detection of Denial of Service Attacks (MSc ASDF Dissertation). Edinburgh Napier University (Macfarlane, R., Wadhaj, I.).



Understanding what is occurring in a network is key to securing the network and ensuring the continued security. Managing the data that is generated from servers and security devices on activity and use of these services available is key to providing this security. However these systems can produce hundreds of logs, many of which are not easily discernible and use arbitrary error codes to display information to an administrator. Security Information and Event Management (SIEM_ systems aim to simplify the process by providing a means to gather these logs from various heterogeneous sources. This allows an administrator to use the tools provided by the SIEM to analyse all of the data sources an administrator can uncover an attack that would otherwise have been missed. One of the key tools for this is log correlation.
Log correlation takes data from multiple sources an analyses the data in order to determine if an event has occurred. Many different techniques exist for correlation with varying degrees of success in detecting attacks. One of the most difficult types of attack to detect is denial of service (DoS) attacks. Distributed denial of service (DDoS) attacks are particularly difficult to detect as they can be hidden as normal traffic due to the attackers all coming from different IP addresses.
This project aims to explore the use of SIEM systems, correlation in particular, in order to see the how well these system deal with detecting DoS attacks. Five experiments were designed and conducted to test the selected SIEM technology to provide an understanding of how it handles detection of DoS attacks using system resources and how the system copes when performing correlation searches.
The project showed the successful detection of all of the DoS attacks that were performed on the target system and is a usefull tool for detecting attacks and securing a network. However there were a number of issues that resulted from the use of a SIEM system. The major issue was that the systems require a degree of maintenance to ensure that the rules being used to conduct the tests are working correctly and are detecting attacks as the happen. Additionally of ensuring that the SIEM system has enough computational power in order to perform the indexing of data and searches that are required.
[Read More]


Areas of Expertise

Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.

Associated Projects