Enhancing Security Event Management Systems with Unsupervised Anomaly Detection

Markus Goldstein; Stefan Asanger; Matthias Reif; Andrew Hutchinson
In: Proceedings of the 2nd International Conference on Pattern Recognition Applications and Methods. International Conference on Pattern Recognition Applications and Methods (ICPRAM-2013), February 15-18, Barcelona, Spain, Pages 530-538, ISBN 978-989-8565-41-9, SciTePress, 2/2013.


Security Information and Event Management (SIEM) systems are today a key component of complex enterprise networks. They usually aggregate and correlate events from different machines and perform a rule-based analysis to detect threats. In this paper we present an enhancement of such systems which makes use of unsupervised anomaly detection algorithms without the need for any prior training of the system. For data acquisition, events are exported from an existing SIEM appliance, parsed, unified and preprocessed to fit the requirements of unsupervised anomaly detection algorithms. Six different algorithms are evaluated qualitatively and finally a global k-NN approach was selected for a practical deployment. The new system was able to detect misconfigurations and gave the security operation center team more insight about processes in the network.

Weitere Links