TY - BOOK
T1 - Constructing network security monitoring systems
T2 - MOVERTI Deliverable V9
AU - Ahonen, Pasi
N1 - Project code: 32923
PY - 2011
Y1 - 2011
N2 - This report analyses and describes the basic construction
of network security monitoring systems. The viewpoint is
mainly a research perspective: we aim to define system
constructions or elements which are also commercially
relevant, while still maintaining the open-minded approach of
research-oriented work. The focus is on clarifying the
overall network security follow-up, but also on methods
for investigating the "difficult to identify" or zero-day
attacks, or the preparation of such attacks, which try to
exploit application vulnerabilities that are
currently unknown to operators and software developers.
The necessary network security system construction
depends much on the operator's targets for security
monitoring. The threat environment of a specific
operator may require a deeper analysis of the output from
various security device logs, events and alarms. The
needs of such an operator may be to adjust the different
alarm thresholds of the security devices accurately,
according to the evolving network data traffic
characteristics. Another operator, instead, would require
holistic security monitoring of the production area,
where e.g. the status information within physical access
control systems and electronic access control systems
shall be combined, and the aggregated summary results
shall be presented to the operator for sanity checking.
Therefore, we present in this report some building blocks
that can be used to construct a security monitoring
system, not a complete system that would be feasible as
such for all possible security monitoring needs and
requirements.
AB - This report analyses and describes the basic construction
of network security monitoring systems. The viewpoint is
mainly a research perspective: we aim to define system
constructions or elements which are also commercially
relevant, while still maintaining the open-minded approach of
research-oriented work. The focus is on clarifying the
overall network security follow-up, but also on methods
for investigating the "difficult to identify" or zero-day
attacks, or the preparation of such attacks, which try to
exploit application vulnerabilities that are
currently unknown to operators and software developers.
The necessary network security system construction
depends much on the operator's targets for security
monitoring. The threat environment of a specific
operator may require a deeper analysis of the output from
various security device logs, events and alarms. The
needs of such an operator may be to adjust the different
alarm thresholds of the security devices accurately,
according to the evolving network data traffic
characteristics. Another operator, instead, would require
holistic security monitoring of the production area,
where e.g. the status information within physical access
control systems and electronic access control systems
shall be combined, and the aggregated summary results
shall be presented to the operator for sanity checking.
Therefore, we present in this report some building blocks
that can be used to construct a security monitoring
system, not a complete system that would be feasible as
such for all possible security monitoring needs and
requirements.
KW - network security
KW - monitoring systems
KW - data networks
M3 - Report
T3 - VTT Tiedotteita - Research Notes
BT - Constructing network security monitoring systems
PB - VTT Technical Research Centre of Finland
CY - Espoo
ER -