Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/3223
Title: Improving the Accuracy of Security Incidents and Event Monitoring by Optimizing Log Correlation Techniques
Authors: Ranasinghe, R.A.K.M.
Issue Date: 7-Jul-2015
Abstract: In recent years the monitoring and control devices in charge of supervising the critical processes of critical IT infrastructures have been victims of cyber-attacks. To face such threats, organizations providing critical services are increasingly focusing on protecting their network infrastructures. Security Information and Event Management (SIEM) frameworks support network protection by performing centralized correlation of network events. In this research I use an extension of an open source SIEM framework, namely OSSIM by AlienVault, to perform the analysis of the reports (events) generated by the most commonly targeted systems, such as web servers, especially Microsoft Windows IIS web servers. At the beginning of the research the collection of data and events was planned to be done using only an agentless method. The very well-known Microsoft Windows Management Instrumentation Scripting API, commonly known as the WMI Scripting API, was evaluated to achieve this goal. However, at the end of the project I have learned that it is not possible to develop a comprehensive monitoring solution for a Windows-based IIS web server using only the capabilities of the WMI Scripting API. It was also noted that the pre-installed IIS detector plugin that comes with the OSSIM SIEM agent is not capable of analyzing and processing IIS logs generated by the latest Microsoft Windows operating systems and IIS web server versions. After analyzing the log format of IIS Server version 8, which comes with Windows Server 2012, I was able to develop a working detector plugin called iis8plugin.cfg for analyzing IIS version 8 access logs on the OSSIM SIEM, generated by the logging agent NxLog. Finally, I have looked at various ways of improving the event log correlation capabilities by joining the outputs received from both syslog- and WMI-based detector plugins, creating custom directives using OSSIM's correlation engine.
One of the most important things which I have learned by conducting this research is that WMI (Microsoft Windows Management Instrumentation) is a goldmine for Windows server monitoring: it holds over 1200 different WMI classes, which allow us to extract various types of performance information. Once we have overcome the limitations residing within WMI, like extracting log files from a Microsoft Windows host, we should be able to create a 100% agentless comprehensive solution using only the WMI Scripting API capabilities.
URI: http://hdl.handle.net/123456789/3223
Appears in Collections: Master of Science in Information Security - 2015

Files in This Item:
File: 2012MIS016.pdf (Restricted Access)
Size: 1.95 MB
Format: Adobe PDF
