2. Literature Survey
Hermanowski (2015) describes Open Source Security Information Management (OSSIM), a system built on top of many small and large open source tools to support network administrators in intrusion detection and prevention. It was developed as an initiative of the company AlienVault for the centralized management of those tools and their configurations. It consists of four logical components: a server, a database, the main framework and sensors. Multiple sensors can be deployed at different physical locations. The server component is responsible for inventory management, policy management, event correlation and task scheduling; the sensor performs vulnerability scanning and network and inventory monitoring; the database stores the collected events. Context for an incident is built from various data sources using logical trees (correlation directives) whose nodes are rules. A rule is triggered when at least one event matches it. Rules contain parameters that are either required or optional, and they are evaluated in sequence from the root of the tree towards its leaves. Each matched rule is assigned a risk value derived from the directive's priority and the rule's reliability using the formula Risk = AssetValue * Priority * Reliability / 25, and an alarm is raised each time the computed risk crosses the configured threshold. The advantage of OSSIM is that it unifies the common security tools and their management into a single, consistent and user-friendly interface. Its disadvantages include a lack of developer documentation, because the implementation details of the underlying tools are not exposed, and the absence of raw log storage.
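To make the correlation mechanism described above concrete, the following is an added worked example written for this survey; it is not OSSIM's own code. It walks a small rule tree from the root towards the leaves as events arrive, distinguishes required from optional rule parameters, computes the risk with the formula Risk = AssetValue * Priority * Reliability / 25 (inputs clamped to the nominal OSSIM ranges of 0-5 for asset value and priority and 0-10 for reliability), and raises an alarm when the threshold is crossed. The event field names, the "1:src_ip" back-reference syntax for optional parameters, the plugin identifiers and the sample events are all assumptions constructed for the example.

```python
"""Minimal correlation-directive evaluator in the style of OSSIM (added example,
not OSSIM code). Field names, plugin ids, the "N:field" reference syntax and the
sample events below are assumptions made for illustration."""
from dataclasses import dataclass, field

ASSET_MAX, PRIORITY_MAX, RELIABILITY_MAX = 5, 5, 10


def risk(asset_value: int, priority: int, reliability: int) -> float:
    """Risk = AssetValue * Priority * Reliability / 25, with inputs clamped to
    asset 0..5, priority 0..5 and reliability 0..10 so the result lies in 0..10."""
    a = max(0, min(ASSET_MAX, asset_value))
    p = max(0, min(PRIORITY_MAX, priority))
    r = max(0, min(RELIABILITY_MAX, reliability))
    return a * p * r / 25


@dataclass
class Rule:
    name: str
    required: dict                                 # every key must equal the event's value
    optional: dict = field(default_factory=dict)   # "ANY", a literal, or "N:field" (assumed syntax)
    reliability: int = 1                           # reliability once this rule has matched
    children: list = field(default_factory=list)   # next level of the tree


def _resolve(value, matched: list):
    """Resolve an "N:field" reference to that field of the N-th matched event (1-based).
    Literals (including dotted IPv4 strings, which contain no ':') pass through."""
    if isinstance(value, str) and ":" in value and value.split(":", 1)[0].isdigit():
        level, fld = value.split(":", 1)
        return matched[int(level) - 1][fld]
    return value


def matches(rule: Rule, event: dict, matched: list) -> bool:
    """Required parameters must match exactly; optional ones only if not 'ANY'."""
    for k, v in rule.required.items():
        if event.get(k) != v:
            return False
    for k, v in rule.optional.items():
        if v != "ANY" and event.get(k) != _resolve(v, matched):
            return False
    return True


def correlate(root: Rule, events: list, asset_value: int, priority: int, threshold: float):
    """Evaluate the tree from the root towards the leaves as events arrive.
    Returns (alarms, path): alarms are (rule name, risk) pairs that reached the
    threshold, path is the list of rule names matched in order."""
    matched, alarms, path = [], [], []
    candidates = [root]
    for ev in events:
        hit = next((r for r in candidates if matches(r, ev, matched)), None)
        if hit is None:
            continue                      # event does not advance this directive
        matched.append(ev)
        path.append(hit.name)
        value = risk(asset_value, priority, hit.reliability)
        if value >= threshold:
            alarms.append((hit.name, value))
        candidates = hit.children
        if not candidates:
            break                         # leaf reached, directive complete
    return alarms, path


# Constructed directive: failed SSH login, a repeat from the same source,
# then a successful login from that same source.
DIRECTIVE = Rule(
    "ssh_failed_login", {"plugin_id": 4003, "plugin_sid": 1}, {"src_ip": "ANY"}, 1,
    [Rule("ssh_failed_same_src", {"plugin_id": 4003, "plugin_sid": 1}, {"src_ip": "1:src_ip"}, 4,
          [Rule("ssh_success_same_src", {"plugin_id": 4003, "plugin_sid": 2}, {"src_ip": "1:src_ip"}, 9)])],
)

# Constructed sample events (not real data).
EVENTS = [
    {"plugin_id": 4003, "plugin_sid": 1, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.2"},
    {"plugin_id": 4003, "plugin_sid": 1, "src_ip": "10.0.0.9", "dst_ip": "10.0.0.2"},  # other source, ignored
    {"plugin_id": 4003, "plugin_sid": 1, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.2"},
    {"plugin_id": 4003, "plugin_sid": 2, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.2"},  # success
]


def run_example():
    """Asset value 5, priority 4, alarm threshold 6: risks 0.8, 3.2 and 7.2."""
    return correlate(DIRECTIVE, EVENTS, asset_value=5, priority=4, threshold=6)


if __name__ == "__main__":
    alarms, path = run_example()
    print("matched path:", " -> ".join(path))
    print("alarms:", alarms)
```

Only the leaf rule crosses the threshold in this run: the first two levels score 0.8 and 3.2, which is how OSSIM keeps a single failed login quiet while the full sequence from one source raises an alarm at 7.2.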
Oliner et al. (2011) give an overview of the various methods of log analysis and its common applications, which include optimizing system performance, security monitoring, prediction, profiling resource utilization and serving as a logging infrastructure. The challenges they identify include the difficulty of using a single log file to monitor events across different systems, the management of the logging process itself, and the selection of the right analytical tool for mining the data.
Carasso (2012) describes Splunk, a software product for analyzing and monitoring logs through a web interface. It locates the cause of a system failure by first gathering log data from multiple locations and indexing it centrally, which makes searching across all sources fast and effortless; in particular, it can determine the time of the first occurrence of a problem. It also provides data visualization. Its centralized nature has made it very popular among system and network analysts.
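The following is an added example written for this survey, not Splunk's own code, showing in miniature the approach just described: log lines from several hosts are gathered, parsed, indexed centrally by term, and then searched in a single pass so that the earliest occurrence of a problem can be found across all sources. The host names, log formats and log lines are constructed for the example and are not real data.

```python
"""Toy centralized log index in the spirit of Splunk (added example, not Splunk
code). Host names, the line format and all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not real data), one list per originating host.
RAW_LOGS = {
    "web01": [
        "2024-03-01T10:00:01Z nginx: GET /login 200",
        "2024-03-01T10:02:30Z nginx: upstream timed out (110: Connection timed out)",
    ],
    "db01": [
        "2024-03-01T09:58:12Z postgres: FATAL: too many connections for role \"app\"",
        "2024-03-01T10:01:00Z postgres: FATAL: too many connections for role \"app\"",
    ],
    "app01": [
        "2024-03-01T10:00:45Z api: ERROR db pool exhausted",
    ],
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+?):\s+(.*)$")   # timestamp, source, message


def parse(host: str, line: str) -> dict:
    """Split one line into a structured event with a UTC timestamp."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable line from {host}: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": host, "source": m.group(2), "msg": m.group(3), "raw": line}


def tokenize(text: str) -> set:
    """Lower-cased alphanumeric terms, the unit of the inverted index."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class LogIndex:
    """Inverted index over events gathered from many hosts."""

    def __init__(self):
        self.events = []                     # all events, in ingestion order
        self.terms = defaultdict(set)        # term -> set of event positions

    def ingest(self, host: str, lines: list) -> None:
        for line in lines:
            ev = parse(host, line)
            pos = len(self.events)
            self.events.append(ev)
            for term in tokenize(ev["msg"]):
                self.terms[term].add(pos)

    def search(self, *words: str) -> list:
        """Events containing every word, ordered by time across all hosts."""
        hits = None
        for w in words:
            ids = self.terms.get(w.lower(), set())
            hits = ids if hits is None else hits & ids
        return sorted((self.events[i] for i in (hits or ())), key=lambda e: e["ts"])

    def first_occurrence(self, *words: str):
        """Earliest matching event, i.e. when the problem was first seen."""
        found = self.search(*words)
        return found[0] if found else None


def build_index() -> LogIndex:
    index = LogIndex()
    for host, lines in RAW_LOGS.items():
        index.ingest(host, lines)
    return index


if __name__ == "__main__":
    idx = build_index()
    first = idx.first_occurrence("fatal", "connections")
    print("first seen:", first["ts"].isoformat(), "on", first["host"])
    for ev in idx.search("timed", "out"):
        print(ev["ts"].isoformat(), ev["host"], ev["msg"])
```

Searching the combined index for the database error shows that it first appeared on db01 at 09:58:12, before the application pool exhaustion and the web tier's upstream timeout, which is the kind of cross-host ordering that is hard to see when each host's log is inspected separately.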