Model-Based Security Event Management

  • Julian Schütte
  • Roland Rieke
  • Timo Winkelvos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7531)


With the growing size and complexity of current ICT infrastructures, it becomes increasingly challenging to gain an overview of potential security breaches. Security Information and Event Management systems which aim at collecting, aggregating and processing security-relevant information are therefore on the rise. However, the event model of current systems mostly describes network events and their correlation, but is not linked to a comprehensive security model, including system state, security and compliance requirements, countermeasures, and affected assets. In this paper we introduce a comprehensive semantic model for security event management. Besides the description of security incidents, the model further allows to add conditions over the system state, define countermeasures, and link to external security models.


security strategy meta model security information and event management complex event processing 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Monitoring up the Stack: Adding Value to SIEM. White paper, Securosis L.L.C., Phoenix, AZ (2010)Google Scholar
  2. 2.
    Applied Network Security Analysis: Moving from Data to Information. White paper, Securosis L.L.C., Phoenix, AZ (2011)Google Scholar
  3. 3.
    Project MASSIF website (2012),
  4. 4.
    AlienValult: AlienVault Unified SIEM (2010),
  5. 5.
  6. 6.
    ArcSight Inc.: Common event format: Event interoperability standard (August 2006),
  7. 7.
    Buecker, A., Amado, J., Druker, D., Lorenz, C., Muehlenbrock, F., Tan, R.: IT Security Compliance Management Design Guide with IBM Tivoli Security Information and Event Manager. IBM Redbooks (July 2010) ISBN 0-7384-3446-9Google Scholar
  8. 8.
    Coppolino, L., D’Antonio, S., Formicola, V., Romano, L.: Integration of a System for Critical Infrastructure Protection with the OSSIM SIEM Platform: A dam case study. In: Flammini, F., Bologna, S., Vittorini, V. (eds.) SAFECOMP 2011. LNCS, vol. 6894, pp. 199–212. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    CS: Prelude SIEM (July 2012),
  10. 10.
    Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765 (Experimental) (March 2007)Google Scholar
  11. 11.
    Eichler, J., Rieke, R.: Model-based Situational Security Analysis. In: Proc. of the 6th Int’l Workshop on Models@run.time at the 14th Int’l Conf. on Model Driven Engineering Languages and Systems (MODELS 2011), Wellington, New Zealand, CEUR Workshop Proceedings, vol. 794, pp. 25–36. IEEE Computer Society (2011)Google Scholar
  12. 12.
    Gürgens, S., Ochsenschläger, P., Rudolph, C.: On a formal framework for security properties. Computer Standards & Interfaces 27, 457–466 (2005)CrossRefGoogle Scholar
  13. 13.
    Iec, I.: ISO/IEC 27004:2009 - Information technology - Security techniques - Information security management - Measurement. ISOIEC (2009)Google Scholar
  14. 14.
    Innerhofer-Oberperfler, F., Breu, R.: Using an enterprise architecture for it risk management. In: Proc. of the ISSA Conf. from Insight to Foresight (2006)Google Scholar
  15. 15.
    Kotenko, I., et al.: Analytical attack modeling. Tech. Rep. Deliverable D4.3.1, MASSIF Project (2011)Google Scholar
  16. 16.
    Lieberman Software: Common event format configuration guide (January 2010)Google Scholar
  17. 17.
    Melik-Merkumians, M., Moser, T., Schatten, A., Zoitl, A., Biffl, S.: Knowledge-based runtime failure detection for industrial automation systems. In: Workshop Models@run.time. pp. 108–119. CEUR (2010)Google Scholar
  18. 18.
    Schiefer, J., Rozsnyai, S., Rauscher, C., Saurer, G.: Event-driven rules for sensing and responding to business situations. In: Int’l Conf. on Distributed Event-Based Systems (DEBS), pp. 198–205 (2007)Google Scholar
  19. 19.
    Verissimo, P., et al.: Massif architecture document. Tech. Rep. Deliverable D2.1.1, MASSIF Project (2011)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Julian Schütte
    • 1
  • Roland Rieke
    • 2
  • Timo Winkelvos
    • 2
  1. 1.Fraunhofer Institution AISECMunichGermany
  2. 2.Fraunhofer Institute SITDarmstadtGermany

Personalised recommendations