Network Access Control and Collaborative Security Against APT and AET

Orhanou, Ghizlane; Lakbabi, Abdelmajid; Moukafih, Nabil; Hajji, Saïd El

doi:10.4018/978-1-5225-5736-4.ch010

Cited by 2 publications

(1 citation statement)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One of the main reasons why SIEM systems have become an essential part of monitoring and defending networks and hosts against intrusions is their ability to use their correlation engine to detect complex attacks that typically go unnoticed by most defense security devices. For instance, the authors in (Orhanou et al , 2018) highlighted this by studying many use cases where AET (advanced evasion techniques) and APT (Advanced Persistent Attacks) are executed in a chained matter and key security elements such as IPS, Firewall, WAF and AntiSpam fail to react simply because they operate in series and don’t share information. In this context, they proposed to use IF-MAP as a security standard exchange protocol to share information in real-time, but their proposal is only effective when tools like SIEM systems are implemented, tools that aggregate and correlate events in real-time and view the network as a whole instead of fragmented parts.…”

Section: Related Workmentioning

confidence: 99%

Mobile agent-based SIEM for event collection and normalization externalization

Moukafih

Orhanou

Hajji

2019

ICS

Self Cite

View full text Add to dashboard Cite

Purpose This paper aims to propose a mobile agent-based security information and event management architecture (MA-SIEM) that uses mobile agents for near real-time event collection and normalization on the source device. The externalization of the normalization process, executed by several distributed mobile agents on interconnected computers and devices, proposes a SIEM server dedicated mainly for correlation and analysis. Design/methodology/approach The architecture has been proposed in three stages. In the first step, the authors described the different aspects of the proposed approach. Then they implemented the proposed architecture and presented a new vision for the insertion of normalized data into the SIEM database. Finally, the authors performed a numerical comparison between the approach used in the proposed architecture and that of existing SIEM systems. Findings The results of the experiments showed that MA-SIEM systems are more efficient than existing SIEM systems because they leave the SIEM resources primarily dedicated to advanced correlation analysis. In addition, this paper takes into account realistic scenarios and use-cases and proposes a fully automated process for transferring normalized events in near real time to the SIEM server for further analysis using mobile agents. Originality/value The work provides new insights into the normalization security-related events using light mobile agents.

show abstract

Section: Related Workmentioning

confidence: 99%