Title: Partial rule security information and event management concept in detecting cyber incidents

Authors: Aleksandar Jokić; Sabina Baraković; Jasmina Baraković Husić; Jasna Pleho

Addresses:
Qatar Business Systems, D-Ring Road Branch, 31420 Doha, Qatar
Ministry of Security of Bosnia and Herzegovina, Trg BiH 1, 71000 Sarajevo, Bosnia and Herzegovina; University of Sarajevo, Zmaja od Bosne, 71000 Sarajevo, Bosnia and Herzegovina
University of Sarajevo, Zmaja od Bosne, 71000 Sarajevo, Bosnia and Herzegovina
KING ICT, Aleja Bosne Srebrene 34, 71000 Sarajevo, Bosnia and Herzegovina

Abstract: Information and communication technologies are evolving rapidly and have a huge impact on everyday life. This does not come without dangers: it is accompanied by a wide range of malicious activities against companies, forcing them to protect their information at all costs. Cyber attacks today usually consist of multiple carefully planned, hard-to-detect steps and cause severe damage to companies. This paper examines the capability of a security information and event management (SIEM) system with partial rules applied to detect such multi-step attacks. Fine tuning focused on detecting partial attack patterns that were important and specific to the environment, and positive results were obtained. The results show that using the partial rule approach in SIEM for incident detection increased the number of detected advanced multi-stage cyber attacks, thereby contributing to overall security in cyber space.
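
As an added illustration of the partial-rule idea described in the abstract (this is not code from the paper; the stage names, the two-hour correlation window, the match threshold and the sample events are assumptions constructed for the example): a full-chain correlation rule only fires when every stage of the modelled attack is observed on the same host, so a single stage that is not logged (a visibility gap) silences the rule, while a partial rule fires once a threshold number of distinct stages is seen in the window and still catches the chain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed attack model: four stages of a multi-step attack, in kill-chain order.
STAGES = ["initial_access", "privilege_escalation", "lateral_movement", "exfiltration"]

# Constructed sample events (timestamp, host, stage the SIEM normalised the event to).
# The lateral-movement step on ws-17 is deliberately absent to model a log source
# the SIEM has no visibility into.
SAMPLE_EVENTS = [
    ("2020-10-01T09:00:00", "ws-17", "initial_access"),
    ("2020-10-01T09:14:00", "ws-17", "privilege_escalation"),
    ("2020-10-01T10:02:00", "ws-17", "exfiltration"),
    ("2020-10-01T11:00:00", "ws-22", "initial_access"),  # isolated event, no chain
]


def correlate(events, required_stages, min_matches, window=timedelta(hours=2)):
    """Per-host sliding-window correlation.

    Returns a list of (host, matched_stages) for every host on which at least
    `min_matches` distinct stages from `required_stages` occur within `window`
    of each other. At most one alert is raised per host.
    """
    by_host = defaultdict(list)
    for ts, host, stage in events:
        if stage in required_stages:
            by_host[host].append((datetime.fromisoformat(ts), stage))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order, so each event can open a window
        for i, (t0, _) in enumerate(evs):
            seen = {s for t, s in evs[i:] if t - t0 <= window}
            if len(seen) >= min_matches:
                alerts.append((host, sorted(seen, key=STAGES.index)))
                break
    return alerts


def full_rule(events):
    """Classic rule: every modelled stage must be observed."""
    return correlate(events, set(STAGES), len(STAGES))


def partial_rule(events, min_matches=3):
    """Partial rule: a threshold of the modelled stages is enough to alert."""
    return correlate(events, set(STAGES), min_matches)


if __name__ == "__main__":
    print("full rule   :", full_rule(SAMPLE_EVENTS))
    print("partial rule:", partial_rule(SAMPLE_EVENTS))
```

Lowering `min_matches` trades missed detections for false positives: a threshold of one turns the rule into a plain stage alert, so in practice the threshold and the window are tuned per environment, which is the fine-tuning the abstract refers to.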

Keywords: cyber attack; detection; exfiltration; partial rule; security; SIEM; visibility.

DOI: 10.1504/IJSN.2021.116777

International Journal of Security and Networks, 2021 Vol.16 No.2, pp.117 - 128

Received: 04 Oct 2020
Accepted: 04 Oct 2020

Published online: 23 Jul 2021
