论文信息 - In : Advances in Security Information Management : Perceptions and Outcomes

In : Advances in Security Information Management : Perceptions and Outcomes

Correlation engines are a key component of modern SIEMs. They employ user-defined rules to process input alerts and identify the minimal set of meaningful data that should be provided to the final user. As IT systems grow in size and complexity, the amount of alerts generated by probes is constantly increasing and centralized SIEMs (i.e., SIEMs with a single-node correlation engine) start to show their processing limits. In this chapter we present a novel parallel correlation engine to be embedded in next generation SIEMs. The engine is based on Complex Event Processing and on a novel parallelization technique that allows to deploy the engine on an arbitrary number of nodes in a shared-nothing cluster. At the same time, the parallel execution preserves semantic transparency, i.e., its output is identical to the one of an ideal centralized execution. Our engine scales with the number of processed alerts per second and allows to reach beyond the processing limits of a centralized correlation engine.

Claudio Soriente | Vincenzo Gulisano | Ricardo Jiménez Peris | Marta Patiño Martnez | Valerio Vianello

[1] Ying Xing,et al. Scalable Distributed Stream Processing , 2003, CIDR.

[2] David L. Mills,et al. A brief history of NTP time: memoirs of an Internet timekeeper , 2003, CCRV.

[3] Ying Xing,et al. The Design of the Borealis Stream Processing Engine , 2005, CIDR.

[4] David J. DeWitt,et al. NiagaraCQ: a scalable continuous query system for Internet databases , 2000, SIGMOD '00.

[5] Joseph M. Hellerstein,et al. Flux: an adaptive partitioning operator for continuous query systems , 2003, Proceedings 19th International Conference on Data Engineering (Cat. No.03CH37405).

[6] Qiang Chen,et al. Aurora : a new model and architecture for data stream management ) , 2006 .

[7] Frederick Reiss,et al. TelegraphCQ: Continuous Dataflow Processing for an Uncertain World , 2003, CIDR.

[8] Michael Stonebraker,et al. Aurora: a new model and architecture for data stream management , 2003, The VLDB Journal.

[9] Rajeev Rastogi,et al. Data Stream Management: Processing High-Speed Data Streams (Data-Centric Systems and Applications) , 2019 .

[10] Patrick Valduriez,et al. StreamCloud: A Large Scale Data Streaming System , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.