Toward the SIEM Architecture for Cloud-based Security Services


  • File type: book
  • Language: English
  • Publisher: IEEE
  • Print year / country: 2018

Details

Related fields: Computer Engineering, Information Technology
Related specializations: Cloud Computing, Information Security
Venue: Conference on Communications and Network Security
Institution: Information Security Research Division – ETRI – Korea
Digital identifier (DOI): https://doi.org/10.1109/CNS.2017.8228696
Published by: IEEE
English keywords: SIEM, Security Information and Event Management, SECaaS, Security-as-a-service, cloud-based security service

Description

I. INTRODUCTION

Cloud computing represents one of the most significant changes in the field of information security technology, for example cloud-based security-as-a-service. Although many information security technologies serve this purpose, the SIEM (Security Information and Event Management) has been developed as an important component of enterprise networks and network infrastructures: a purpose-built solution that collects, aggregates, parses, normalizes, stores and distills enormous volumes of event logs and correlates data from traditional security systems such as firewalls, intrusion detection/prevention systems, anti-malware systems, and others deployed in both the host and network domains [1, 2].

We have been developing the SOA (Security-on-Air) project, a cloud-based security platform. In a cloud data center it provides various security services to multiple tenants by applying SDN/NFV technologies and virtualizing the security sensors, such as virtual firewalls, virtual IPS, virtual DLP, virtual DPI, anti-malware systems and others deployed in both the host and network domains. The proposed SIEM can be applied to manage the huge number of security event logs generated by these virtualized security systems in support of cloud-based security services. To manage and analyze the various logs and events generated by the cloud-based security sensors in the SOA project, the SIEM must be designed not only to manage logs and security events from the various security systems but also to perform the relevant correlation analytics for recognizing cyber threats. To do so, we took OpenSoC [3] as a reference and complemented our SIEM architecture with it, providing various analysis models and data enrichment.

In addition, because the main goal of the SIEM is to provision valuable security information and to perform large-scale data correlation for detecting cyber threats, we apply a Big Data platform composed of distributed units based on Kafka, Spark, Elasticsearch and MongoDB [4, 5].
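The introduction describes the SIEM's core loop (collect, parse, normalize, enrich, correlate) over logs from virtualized sensors belonging to many tenants. The following is an added example, not code from the paper or the SOA project: a minimal in-memory stand-in for that pipeline. The sensor log formats, the sensor-to-tenant directory, the asset tags and the log lines are all constructed for illustration, and the correlation rule (one IPS alert plus repeated firewall denies on the same tenant/src/dst within a time window) is a hypothetical rule chosen to show why the tenant must be part of the correlation key in a multi-tenant SIEM. In the real architecture the per-stage work would run as Kafka consumers and Spark jobs with results landing in Elasticsearch/MongoDB; here each stage is a plain function.

```python
"""Toy SIEM pipeline: parse -> normalize -> enrich -> correlate.

Added example, not the paper's or the SOA project's code. Log formats,
tenant directory, asset tags and sample lines are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed raw lines from two virtual firewalls and two virtual IPS sensors.
# Tenant 1 sees an IPS alert bracketed by firewall denies; tenant 2 sees an
# alert with no denies; the last line is deliberately unparseable.
SAMPLE_LOGS = [
    "1700000000 vfw-t1 DENY src=10.0.1.5 dst=10.0.2.9 dport=22",
    "1700000003 vips-t1 ALERT sid=2001 src=10.0.1.5 dst=10.0.2.9 msg=SSH-bruteforce",
    "1700000004 vfw-t1 DENY src=10.0.1.5 dst=10.0.2.9 dport=22",
    "1700000010 vfw-t2 ALLOW src=10.0.5.1 dst=10.0.6.2 dport=443",
    "1700000011 vips-t2 ALERT sid=3001 src=10.0.5.1 dst=10.0.6.2 msg=SQLi",
    "garbage line that must not crash the parser",
]

# Constructed enrichment data: which tenant owns each sensor, and asset tags.
SENSOR_TENANT = {"vfw-t1": "tenant-1", "vips-t1": "tenant-1",
                 "vfw-t2": "tenant-2", "vips-t2": "tenant-2"}
ASSET_TAGS = {"10.0.2.9": "db-server", "10.0.6.2": "web-frontend"}


@dataclass
class Event:
    """Normalized event shared by all sensor types."""
    ts: int
    sensor: str
    kind: str          # "fw_deny", "fw_allow" or "ips_alert"
    src: str
    dst: str
    tenant: str = ""   # filled in by enrich()
    asset: str = ""    # filled in by enrich()
    detail: str = ""


# Hypothetical sensor formats; real vendors differ and need one regex each.
FW_RE = re.compile(r"^(\d+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IPS_RE = re.compile(r"^(\d+) (\S+) ALERT sid=(\d+) src=(\S+) dst=(\S+) msg=(\S+)$")


def parse(line):
    """Parse one raw line into a normalized Event, or None if it matches no format."""
    m = FW_RE.match(line)
    if m:
        ts, sensor, action, src, dst, dport = m.groups()
        return Event(int(ts), sensor, "fw_" + action.lower(), src, dst,
                     detail="dport=" + dport)
    m = IPS_RE.match(line)
    if m:
        ts, sensor, sid, src, dst, msg = m.groups()
        return Event(int(ts), sensor, "ips_alert", src, dst,
                     detail=f"sid={sid} {msg}")
    return None


def enrich(ev):
    """Attach tenant ownership and asset tag; unknown sensors are kept but flagged."""
    ev.tenant = SENSOR_TENANT.get(ev.sensor, "unknown")
    ev.asset = ASSET_TAGS.get(ev.dst, "")
    return ev


def correlate(events, window=30, min_denies=2):
    """Hypothetical rule: an IPS alert plus >= min_denies firewall denies on the
    same (tenant, src, dst) within `window` seconds form one incident.
    Keying on tenant guarantees events of different tenants never join."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.tenant, ev.src, ev.dst)].append(ev)
    incidents = []
    for (tenant, src, dst), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for alert in (e for e in evs if e.kind == "ips_alert"):
            denies = [e for e in evs
                      if e.kind == "fw_deny" and abs(e.ts - alert.ts) <= window]
            if len(denies) >= min_denies:
                incidents.append({"tenant": tenant, "src": src, "dst": dst,
                                  "asset": alert.asset, "alert": alert.detail,
                                  "deny_count": len(denies)})
    return incidents


def run_pipeline(lines):
    """Run all stages; returns (normalized events, incidents, dropped line count)."""
    parsed = [parse(line) for line in lines]
    events = [enrich(e) for e in parsed if e is not None]
    dropped = len(parsed) - len(events)
    return events, correlate(events), dropped


if __name__ == "__main__":
    events, incidents, dropped = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {dropped} lines dropped")
    for inc in incidents:
        print(inc)
```

Running it normalizes five of the six lines, drops the unparseable one instead of failing the batch, and raises a single incident for tenant-1 (the SSH alert against the db-server with two denies in the window); tenant-2's alert stays a lone event because no denies accompany it. Dropped-line counts are worth exporting as a metric in a real deployment, since a silently failing parser looks identical to a quiet sensor.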