Today, information systems, networks, and services have become deeply ingrained in our everyday lives. They are constantly threatened by increasingly sophisticated attacks that are often difficult to detect. Therefore, comprehensive information on activities is typically collected and stored along with general information about the system state in extensive log files, which provide a basis for security monitoring and forensic analyses. The overwhelming volume of this log information, however, poses a major challenge for security analysts. To form a complete picture, analysts typically need to manually sift through raw log data with ambiguous interpretation on many different systems in order to connect disparate indicators and identify complex patterns of malicious activity. Because log information is ambiguous and typically not comprehensible for computers, it is difficult to automate such processes. Security incidents in large IT infrastructures, where manual monitoring is infeasible, are therefore identified only with considerable delay or not at all.
The project SEPSES (Semantic Processing of Security Event Streams) takes an innovative approach to tackle these challenges. It enables computers to integrate and automatically interpret streams of log information from a variety of sources. This allows computers to reason about potential malicious activities and support security analysts in identifying, tracing, and eliminating threats in a timely manner. To this end, SEPSES brings together concepts and theories from security research, advanced data stream processing technologies, and semantic methods developed in the Linked Data and Semantic Web research communities.
To facilitate continuous monitoring of complex event streams, a set of conceptual and technical challenges needs to be overcome. First, large-volume data streams must be combined and converted into a machine-understandable representation. This requires expressing security knowledge in a way that makes it accessible to computers. Second, event streams need to be integrated and consolidated at a central location. This will facilitate context-rich interpretation and pattern matching that goes beyond simple text-based search for individual events. To this end, the project will develop methods to link individual isolated events and conduct context-aware analyses. Overall, this will result in a comprehensive view on system activities, allow security analysts to derive explanations for observed behaviors, and make it possible to automatically identify generic patterns of suspicious activity.
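The following is an added illustration of the two steps described above, written for this page and not code from the SEPSES project. It converts key=value log lines from two constructed sources (an authentication log and a sudo log) into subject-predicate-object triples, stores them in a minimal in-memory graph, and then links events across sources by shared host and user in order to match a multi-step pattern (repeated failed logins, a successful login, then a privilege escalation on the same host) that no single text search over one log would find. The `ex:` vocabulary prefix, the log format and all sample lines are assumptions made for this example.

```python
"""Added example (not SEPSES project code): log lines -> triples -> cross-source pattern.

Everything below (the ex: vocabulary, the key=value log format, the sample
lines) is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

EX = "ex:"  # hypothetical namespace prefix for the example vocabulary
KV = re.compile(r"(\w+)=(\S+)")  # matches key=value tokens in a log line

# Constructed sample log lines from two independent sources (not real data).
AUTH_LOG = [
    "2024-01-10T10:00:01 host=srv1 event=login_failed user=alice src=10.0.0.5",
    "2024-01-10T10:00:02 host=srv1 event=login_failed user=alice src=10.0.0.5",
    "2024-01-10T10:00:03 host=srv1 event=login_failed user=alice src=10.0.0.5",
    "2024-01-10T10:00:09 host=srv1 event=login_ok user=alice src=10.0.0.5",
    "2024-01-10T10:30:00 host=srv1 event=login_ok user=bob src=10.0.0.7",
]
SUDO_LOG = [
    "2024-01-10T10:01:00 host=srv1 event=privilege_escalation user=alice",
]


def log_to_triples(lines, source):
    """Step 1: turn each raw line into a graph node with typed properties.

    Every line becomes an event subject; the timestamp and each key=value
    field become (subject, predicate, object) triples in the ex: vocabulary.
    """
    triples = []
    for n, line in enumerate(lines):
        ts, rest = line.split(" ", 1)
        ev = f"{EX}{source}/event/{n}"
        triples.append((ev, "rdf:type", EX + "LogEvent"))
        triples.append((ev, EX + "source", source))
        triples.append((ev, EX + "timestamp", datetime.fromisoformat(ts)))
        for key, val in KV.findall(rest):
            triples.append((ev, EX + key, val))
    return triples


class TripleStore:
    """Step 2: a central, minimal graph store consolidating all sources."""

    def __init__(self, triples=()):
        self.triples = []
        self.by_subject = defaultdict(dict)
        for t in triples:
            self.add(t)

    def add(self, triple):
        s, p, o = triple
        self.triples.append(triple)
        self.by_subject[s][p] = o

    def match(self, **where):
        """Subjects whose ex: properties equal all given key/value pairs."""
        return [s for s, props in self.by_subject.items()
                if all(props.get(EX + k) == v for k, v in where.items())]

    def get(self, subject, prop):
        return self.by_subject[subject].get(EX + prop)


def find_escalation_after_bruteforce(store, min_failures=3, window_s=600):
    """Link events from different sources by shared (host, user) and time order.

    Pattern: >= min_failures failed logins, then a successful login, then a
    privilege escalation for the same user on the same host, each step within
    window_s seconds of the next. Returns sorted (host, user, src) hits.
    """
    hits = set()
    for esc in store.match(event="privilege_escalation"):
        host, user = store.get(esc, "host"), store.get(esc, "user")
        t_esc = store.get(esc, "timestamp")
        for ok in store.match(event="login_ok", host=host, user=user):
            t_ok = store.get(ok, "timestamp")
            if not 0 <= (t_esc - t_ok).total_seconds() <= window_s:
                continue
            fails = [f for f in store.match(event="login_failed", host=host, user=user)
                     if 0 <= (t_ok - store.get(f, "timestamp")).total_seconds() <= window_s]
            if len(fails) >= min_failures:
                hits.add((host, user, store.get(ok, "src")))
    return sorted(hits)


def build_store():
    """Consolidate both constructed sources into one store."""
    return TripleStore(log_to_triples(AUTH_LOG, "auth") + log_to_triples(SUDO_LOG, "sudo"))


if __name__ == "__main__":
    store = build_store()
    print(f"{len(store.triples)} triples from {len(store.by_subject)} events")
    for host, user, src in find_escalation_after_bruteforce(store):
        print(f"suspicious chain: user={user} host={host} src={src}")
```

The key design point is that `find_escalation_after_bruteforce` never touches the raw text: once both sources share a vocabulary, the same query applies no matter which log format the lines originally came from, and the join on host and user is what connects the isolated events into a chain. User `bob` logs in successfully but has no preceding failures and no escalation, so only `alice` is reported.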
Methods developed in the course of SEPSES will create a new foundation for the continuous exchange of security knowledge and patterns of attack. This could, for instance, result in a public collection of known attack patterns in the Linked Open Data Cloud that anyone can subscribe to. Moreover, the developed methods form the basis for advanced diagnostic methods and will provide a platform for innovative security applications such as semantic forensic analyses, structurally rich log data mining, and visualization of event chains.