Summarize the Event Correlation in this article Event correlation is a technique used to assign a new meaning for relating a set of events that occur in a fixed amount of time. This event correlation technique identifies a few events that are important among the large number of events. During the process of event correlation, some new events may occur and delete some existing events from the event stream.
In general, the investigators can perform the event correlation process on a log management platform. Examples of event correlation are as follows:
If a user gets 10 login failure events in 5 minutes, this generates a security attack event.
If both the external and internal temperatures of a device are too high and the event “device is not responding” occurs within 5 seconds, replace them with the event “device down due to overheating.”
Simple event correlator software helps to implement the event correlation process. The event correlator tool collects information about events originating from monitoring tools, managed elements, or the trouble ticket system. This tool processes the relevant events that are important and discards the events that are not relevant while receiving the events.
Related Product : Computer Hacking Forensic Investigator | CHFI
Event correlation has four different steps, as follows:
Step 1: Event aggregation
Event aggregation is also called event de-duplication. It compiles the repeated events to a single event and avoids duplication of the same event.
Step 2: Event masking
Event masking refers to missing events related to systems that are downstream of a failed system. It avoids the events that cause the system to crash or fail.
Step 3: Event filtering
Through event filtering, the event correlator filters or discards the irrelevant events.
Step 4: Root cause analysis
Root cause analysis is the most complex part in event correlation. During a root cause analysis, the event correlator identifies all the devices that became inaccessible due to network failures. Then, the event correlator categorizes the events into symptom events and root cause events. The system considers the events associated with the inaccessible devices as symptom events, and the other non-symptom events as root cause events.
Also Read : Understand Laws and Regulations
Event Correlation Approaches
The graph-based approach finds various dependencies among the system components such as network devices, hosts, services, etc. After detecting the dependencies, this approach constructs the graph with each node as a system component and each edge as a dependency among two components. Thus, when a fault event occurs, the constructed graph is used to detect the possible root cause(s) of fault or failure events.
1. Neural Network-Based Approach
This approach uses a neural network to detect the anomalies in the event stream, root causes of fault events, etc.
2. Codebook-Based Approach
The codebook-based approach is similar to the rule-based approach, which groups all events together. It uses a codebook to store a set of events and correlates them. This approach is executed faster than a rule-based system, as there are fewer comparisons for each event.
3. Rule-Based Approach
The rule-based approach correlates events according to a specified set of rules (condition -> action). Depending on each test result and the combination of the system events, the rule-processing engine analyzes the data until it reaches the final state.
4. Field-Based Approach
This is a basic approach that compares specific events with single or multiple fields in the normalized data.
5. Automated Field Correlation
This method checks and compares all the fields systematically and intentionally for positive and negative correlation with each other to determine the correlation across one or multiple fields.
6. Packet Parameter/Payload Correlation for Network Management
This approach helps in correlating particular packets with other packets. This approach can make a list of possible new attacks by comparing packets with attack signatures.
7. Profile/Fingerprint-Based Approach
This method helps users identify whether any system is a relay or a formerly compromised host and/or to detect the same hacker from different locations. This approach helps gather a series of data sets from forensic event data, such as isolated OS fingerprints, isolated port scans, finger information, and banner snatching to compare link attack data to other attacker profiles.
8. Vulnerability-Based Approach
This approach helps map IDS events that target a particular vulnerable host with the help of a vulnerability scanner.
This approach deduces an attack on a particular host in advance, and it prioritizes attack data in order to respond to the trouble spots quickly.
9. Open-Port-Based Correlation Approach
The open-port correlation approach determines the chance of a successful attack by comparing it with the list of open ports available on the host and that are under attack.
10. Bayesian Correlation Approach
This approach is an advanced correlation method that assumes and predicts what a hacker can do next after the attack by studying statistics and probability.
11. Time (Clock Time) or Role-Based Approach
This approach eyes the computers’ and computer users’ behavior and alerts if some anomaly is found.
12. Route Correlation Approach
This approach helps extract the attack route information and use that information to single out other attack data.
Questions related to this topic
- What are correlation rules?
- What is historical correlation?
- What is correlation and aggregation in Siem?
- What is correlation in arcsight?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
