Journal: Cluster computing

A high-level domain-specific language for SIEM (design, development and formal verification)



Abstract

Organizations deploy security information and event management (SIEM) systems for centralized management of security events. The real-time security monitoring capability of a SIEM depends on the correlation process, in which event data are matched against security rules. Most SIEM systems use general-purpose languages to define security rules. Creating new rules in a general-purpose language requires excellent programming skills in the proprietary language and intimate knowledge of the events. This paper introduces a high-level domain-specific language (HDSL) that simplifies rule creation for the SIEM system. Following the model-driven engineering approach, we formally specify the HDSL with an extended Backus-Naur form grammar in ANTLR (ANother Tool for Language Recognition). In our implementation framework, rules defined in the HDSL are converted into the standard event processing language. For evaluation purposes, the converted security rules are tested on the real-time data security analytics service. The results indicate that the rules are converted accurately and generate alarms when specific attacks are detected. To check the correctness of the HDSL, formal verification is carried out using satisfiability modulo theories (SMT) and the Z3 solver. The results are evaluated under diverse attack scenarios, which show that the HDSL functions correctly. The HDSL enhances the SIEM correlation capabilities by providing a straightforward approach to writing correlation rules.
