Filtering Security Alerts for the Analysis of a Production SaaS Cloud / Pecchia, Antonio; Cotroneo, Domenico; Rajeshwari, Ganesan; Santonu, Sarkar. - (2014), pp. 233-241. (Paper presented at the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing, held in London on 8-11 December) [10.1109/UCC.2014.32].
Filtering Security Alerts for the Analysis of a Production SaaS Cloud
PECCHIA, ANTONIO; COTRONEO, DOMENICO
2014
Abstract
Security alerts collected under real workload conditions represent a goldmine of information for protecting the integrity and confidentiality of a production Cloud. Nevertheless, the volume of runtime alerts overwhelms operations teams and makes forensics hard and time consuming. This paper investigates the use of different text weighting schemes to filter an average volume of 1,000 alerts/day produced by a security information and event management (SIEM) tool in a production SaaS Cloud. As a result, a filtering approach based on the log.entropy scheme has been developed to pinpoint relevant information within the daily volume of textual alerts. The proposed filter is valuable in supporting the operations team and allowed the identification of real incidents that affected several nodes and required manual response.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
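The abstract names the log.entropy term-weighting scheme as the basis of the filter but, as an abstract, does not show how such a scheme separates routine alerts from unusual ones. The example below is added here and is not code from the paper or its authors: it implements the standard log-entropy weighting (local weight log(tf + 1), global weight 1 + sum of p*log(p) over documents divided by log(n)) over a constructed handful of SIEM-style alert lines and scores each alert by the summed weight of its terms. Alerts made of terms that recur evenly across the day's volume score low; an alert carrying terms seen nowhere else scores high and surfaces first. The alert texts, the tokenizer and the scoring rule are assumptions for illustration, not the paper's exact pipeline or thresholds.

```python
import math
import re
from collections import Counter

# Constructed sample alerts (not from the paper). Five are near-identical
# brute-force noise; the last one is the kind of event an operator wants to see.
ALERTS = [
    "failed password for invalid user admin from 10.0.0.5 port 22 ssh2",
    "failed password for invalid user admin from 10.0.0.5 port 22 ssh2",
    "failed password for invalid user admin from 10.0.0.7 port 22 ssh2",
    "failed password for invalid user admin from 10.0.0.9 port 22 ssh2",
    "failed password for invalid user guest from 10.0.0.5 port 22 ssh2",
    "kernel module rootkit_check loaded unexpected hidden process detected on node3",
]

# Hypothetical tokenizer: keeps dotted IPs and snake_case names as single terms.
TOKEN_RE = re.compile(r"[a-z0-9_.]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def log_entropy_weights(docs):
    """Return (global weight per term, per-document term frequency Counters).

    Global weight G_t = 1 + sum_d (p_td * log p_td) / log(n), with
    p_td = tf_td / gf_t. A term spread evenly over all n documents gets
    G_t close to 0; a term confined to one document gets G_t = 1.
    """
    tfs = [Counter(tokenize(d)) for d in docs]
    n = len(docs)
    gf = Counter()
    for tf in tfs:
        gf.update(tf)
    global_w = {}
    for term, total in gf.items():
        entropy = 0.0
        for tf in tfs:
            c = tf.get(term, 0)
            if c:
                p = c / total
                entropy += p * math.log(p)
        # Single-document corpora have no spread to measure; treat every term as informative.
        global_w[term] = 1.0 + entropy / math.log(n) if n > 1 else 1.0
    return global_w, tfs


def score_alerts(docs):
    """Score each alert as sum over its terms of log(tf + 1) * G_t."""
    global_w, tfs = log_entropy_weights(docs)
    return [sum(math.log(c + 1) * global_w[t] for t, c in tf.items()) for tf in tfs]


def rank_alerts(docs, top_k):
    """Indices of the top_k highest-scoring (most unusual) alerts, best first."""
    scores = score_alerts(docs)
    return sorted(range(len(docs)), key=lambda i: scores[i], reverse=True)[:top_k]


if __name__ == "__main__":
    for i, s in enumerate(score_alerts(ALERTS)):
        print(f"{s:6.3f}  {ALERTS[i]}")
    print("most unusual:", [ALERTS[i] for i in rank_alerts(ALERTS, 1)])
```

Two properties worth checking on real data before trusting such a filter: exact duplicates receive identical scores, so they collapse naturally, but an attacker who floods the SIEM with the same message all day also drives that message's weight toward zero. The weighting describes what is statistically unusual in the window, not what is malicious, so the filter is a triage aid for the operations team rather than a verdict.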