A framework for mastering heterogeneity in multi-layer security information and event correlation

2016 
Highlights

We detected limits of SIEM systems while they were being used to protect critical infrastructures from sophisticated cyberattacks.
We developed a new data collection and pre-correlation framework named "GET".
GET links physical to logical security and exploits knowledge of the Business Process.
The GET framework has been integrated into the open-source SIEM OSSIM.
We validated the GET in a dam control system and a mobile phone based payment service.

Abstract

Security Information and Event Management (SIEM) is a consolidated technology that relies on the correlation of massive amounts of security-relevant information in order to detect ongoing attacks and intrusions. This correlation process is usually fed with logs generated by network devices and equipment, thus proving to be ineffective against attacks that affect multiple domains (e.g. physical, logical) or different architectural levels (e.g. network, operating system, application) of a service infrastructure. To bridge the gap, we propose a flexible framework for event collection and correlation, namely the Generic Event Translator, which is able to process heterogeneous data and spot evidence of security issues by using complex event pattern detectors that correlate information from multiple architectural layers and domains of the monitored infrastructure. The framework has been integrated into the open-source SIEM OSSIM, and validated in two challenging case studies, namely a dam infrastructure control system and a mobile phone based payment service.
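To make the cross-domain idea concrete, the following is an added illustration, not code from the paper or from the GET framework: heterogeneous records from a badge reader (physical), an operating-system login (OS) and a control application are translated into one common event shape, and a pattern detector then uses business-process knowledge (which hosts sit in a secured room) to flag a logical login that no physical badge-in explains. All field names, the sample events and the 15-minute window are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from three layers/domains: physical (badge reader),
# operating system (login) and application (control command). The source names
# and field names are assumptions for this example, not GET's actual schema.
RAW_EVENTS = [
    ("badge",   "2016-03-01T08:00:00", {"user": "alice", "room": "control-room", "action": "enter"}),
    ("oslogin", "2016-03-01T08:02:10", {"user": "alice", "host": "hmi-01"}),
    ("app",     "2016-03-01T08:05:30", {"user": "alice", "host": "hmi-01", "cmd": "open_gate"}),
    ("oslogin", "2016-03-01T22:15:00", {"user": "bob",   "host": "hmi-01"}),
    ("app",     "2016-03-01T22:16:05", {"user": "bob",   "host": "hmi-01", "cmd": "open_gate"}),
]

# Business-process knowledge (assumed): which hosts are physically located in a
# secured room, and how long after badging in a login on such a host is expected.
HOST_ROOM = {"hmi-01": "control-room"}
MAX_BADGE_TO_LOGIN = timedelta(minutes=15)

@dataclass
class Event:
    layer: str          # "physical", "os" or "application"
    ts: datetime
    user: str
    attrs: dict

def normalize(raw):
    """Translate a heterogeneous source record into the common event shape."""
    source, ts, fields = raw
    layer = {"badge": "physical", "oslogin": "os", "app": "application"}[source]
    return Event(layer, datetime.fromisoformat(ts), fields["user"], fields)

def detect_login_without_badge(events):
    """Cross-domain pattern: an OS login on a host inside a secured room with no
    badge-in by the same user into that room within MAX_BADGE_TO_LOGIN before it."""
    alerts = []
    badges = [e for e in events if e.layer == "physical" and e.attrs.get("action") == "enter"]
    for e in events:
        if e.layer != "os":
            continue
        room = HOST_ROOM.get(e.attrs["host"])
        if room is None:          # host not in a secured room: pattern does not apply
            continue
        explained = any(b.user == e.user and b.attrs["room"] == room
                        and timedelta(0) <= e.ts - b.ts <= MAX_BADGE_TO_LOGIN
                        for b in badges)
        if not explained:
            alerts.append((e.user, e.attrs["host"], e.ts.isoformat()))
    return alerts

def run():
    """Normalize all raw records, order them in time and run the detector."""
    events = sorted((normalize(r) for r in RAW_EVENTS), key=lambda e: e.ts)
    return detect_login_without_badge(events)
```

Alice's login is explained by her badge-in two minutes earlier; Bob's evening login on the same host has no physical counterpart and is reported, which a network-log-only correlation would not see.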