Filtering Security Alerts for the Analysis of a Production SaaS Cloud
Pecchia, Antonio
2014-01-01
Abstract
Security alerts collected under real workload conditions represent a goldmine of information for protecting the integrity and confidentiality of a production Cloud. Nevertheless, the volume of runtime alerts overwhelms operations teams and makes forensics hard and time consuming. This paper investigates the use of different text weighting schemes to filter an average volume of 1,000 alerts/day produced by a security information and event management (SIEM) tool in a production SaaS Cloud. As a result, a filtering approach based on the log.entropy scheme has been developed to pinpoint relevant information within the daily volume of textual alerts. The proposed filter is valuable in supporting the operations team and made it possible to identify real incidents that affected several nodes and required manual response.