DocumentCode
584688
Title
An Intrusion and Fault Tolerant Forensic Storage for a SIEM System
Author
Afzaal, M. ; Di Sarno, Cesario ; Dantonio, S. ; Romano, Lucia
Author_Institution
Dept. of Technol., Univ. of Naples Parthenope, Naples, Italy
fYear
2012
fDate
25-29 Nov. 2012
Firstpage
579
Lastpage
586
Abstract
Current Security Information and Events Management (SIEM) solutions lack a data storage facility that is secure enough to be used for forensic purposes, i.e. one in which stored events related to security incidents cannot be forged and are always available. The forensic storage used by current SIEM solutions relies on the traditional RSA algorithm to sign security events. In this paper we analyze the limits of current forensic storages and propose an architecture for a forensic storage that implements a threshold-based variant of the RSA algorithm and outperforms state-of-the-art SIEM solutions in terms of intrusion and fault tolerance. We show by experiments that our forensic storage works correctly even in the presence of cyber-attacks, although with a performance penalty. We also conduct an experimental campaign to evaluate the performance cost of the proposed scheme as a function of the threshold.
Keywords
digital forensics; fault tolerant computing; public key cryptography; RSA algorithm; SIEM system; cyber-attacks; data storage facility; fault tolerant forensic storage; intrusion tolerant detection; security events; security information and events management; threshold-based variant; Computer architecture; Correlation; Cryptography; Fault tolerance; Fault tolerant systems; Forensics; Critical Infrastructure Protection; Fault- and Intrusion-Tolerant Architecture; Forensic Storage; Threshold Cryptography
fLanguage
English
Publisher
ieee
Conference_Titel
Signal Image Technology and Internet Based Systems (SITIS), 2012 Eighth International Conference on
Conference_Location
Naples
Print_ISBN
978-1-4673-5152-2
Type
conf
DOI
10.1109/SITIS.2012.89
Filename
6395146