Title: An ontology-driven approach to model SIEM information and operations using the SWRL formalism

Authors: Gustavo Gonzalez Granadillo; Yosra Ben Mustapha; Nabil Hachem; Herve Debar

Addresses: Telecom Sudparis, SAMOVAR UMR 5157, 9 rue Charles Fourier, 91011 EVRY, France. ' Telecom Sudparis, SAMOVAR UMR 5157, 9 rue Charles Fourier, 91011 EVRY, France. ' Telecom Sudparis, SAMOVAR UMR 5157, 9 rue Charles Fourier, 91011 EVRY, France. ' Telecom Sudparis, SAMOVAR UMR 5157, 9 rue Charles Fourier, 91011 EVRY, France

Abstract: The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous, increases the difficulty of these administrative tasks. This paper introduces an ontology-driven approach to address the aforementioned problems. The proposed model takes into account two aspects: the information and the operations that are manipulated by SIEM environments in order to reach the desired goals. The model uses ontologies to provide simplicity on the description of concepts, relationships and instances of the security domain. The semantics web rule languages are used to describe the logic rules needed to infer relationships among individuals and classes. A case study on Botnets is presented at the end of this paper to illustrate a concrete utilisation of our model.

Keywords: security events; event management; security information; SIEM; ontology; SWRL; semantics; logic rules; data modelling; heterogeneity; reasoning; risk assessment; countermeasures; botnets.

DOI: 10.1504/IJESDF.2012.048412

International Journal of Electronic Security and Digital Forensics, 2012 Vol.4 No.2/3, pp.104 - 123

Available online: 05 Aug 2012 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article