Event Correlation
Definition: Event correlation is the process of monitoring what is happening on networks and other systems in order to identify patterns of events that might signify attacks, intrusions, misuse or failure.
In today’s interconnected world, network management is critically important. Those who maintain the network need to quickly pinpoint and fix any problem, whether it’s a malfunctioning mail daemon or a damaged fiber-optic link.
Luckily, almost every part of a modern network provides data about what it’s doing:
● Operating systems log systems and security events.
● Servers keep records of what they do.
● Applications log errors, warnings and failures.
● Firewalls and virtual private network gateways record traffic deemed suspicious.
● Network routers and switches watch what goes on between network segments.
● Messaging systems forward alerts, such as Simple Network Management Protocol (SNMP) traps, to a central management console.
Besides monitoring their own behavior, all these devices and management programs receive and relay messages from other network systems, leading to duplicate alerts. A single failure or problem can generate a blizzard of event messages.
The more complex the network and the more applications that are distributed, the more event messages, alarms and alerts the appliances will generate. In the end, far more data is generated than anyone can easily scan.
According to Chris Jordan, a security manager at Computer Sciences Corp., OC-12 connections can generate about 850 megabytes of event data in an hour. (OC-12 is a fiber-optic connection with a bandwidth of 622Mbit/sec.) That translates into more than 600GB of data per month, or 7TB a year, just for logs and alerts related to a single network link.
Event correlation simplifies and speeds the monitoring of network events by consolidating alerts and error logs into a short, easy-to-understand package. A network administrator can deal with, say, 25 events based on cross-referencing intrusion alerts against firewall entries and host/asset databases much more efficiently than when he must scan 10,000 mostly normal log entries.
The benefits can be very real: more efficient use of staff time and skills, as well as the prevention of revenue loss resulting from downtime.
According to Marcus Ranum, an independent computer and communications security consultant in Woodbine, Md., correlation is something everyone wants, but nobody even knows what it is. It's like liberty or free beer: everyone thinks it's a great idea and we should all have it, but there's no road map for getting from here to there. Still, a variety of technologies and operations are associated with event correlation:
Compression takes multiple occurrences of the same event, examines them for duplicate information, removes redundancies and reports them as a single event. So 1000 “route failed” alerts become a single alert that says “route failed 1,000 times.”
Counting reports a specified number of similar events as one. This differs from compression in that it doesn’t just tally the same event and that there's a threshold to trigger a report.
Suppression associates priorities with alarms and lets the system suppress an alarm for a lower-priority event if a higher-priority event has occurred.
Generalization associates alarms with some higher-level events, which are what's reported. This can be useful for correlating events involving multiple ports on the same switch or router in the event that it fails. You don't need to see each specific failure if you can determine that the entire unit has problems.
Time-based correlation can be helpful in establishing causality, for instance, tracing a connectivity problem to a failed piece of hardware. Often more information can be gleaned by correlating events that have specific time-based relationships. Some problems can be determined only through such temporal correlation. Examples of time-based relationships include the following:
● Event A is followed by Event B.
● This is the first Event A since the recent Event B.
● Event A follows Event B within two minutes.
● Event A wasn’t observed within Interval I.
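As an added illustration (not code from the article or from any product it mentions), the following Python sketch applies compression, threshold counting, priority-based suppression and one time-based rule ("Event A follows Event B within two minutes") to a small, constructed event feed. The tuple layout (time, source, message, priority with 1 as highest) and the sample messages are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample feed: (time, source, message, priority; 1 = highest). Not real log data.
RAW = [
    ("10:00:00", "rtr1", "route failed", 2),
    ("10:00:01", "rtr1", "route failed", 2),
    ("10:00:02", "rtr1", "route failed", 2),
    ("10:00:05", "rtr1", "chassis power loss", 1),
    ("10:00:40", "fw1", "auth failure", 3),
    ("10:00:41", "fw1", "auth failure", 3),
    ("10:00:42", "fw1", "auth failure", 3),
    ("10:01:10", "fw1", "admin login", 2),
    ("10:05:00", "fw1", "auth failure", 3),
]

def parse(raw):
    """Turn the constructed tuples into dicts with real datetimes (date is arbitrary)."""
    base = datetime(2000, 1, 1)
    out = []
    for t, src, msg, pri in raw:
        h, m, s = map(int, t.split(":"))
        out.append({"time": base + timedelta(hours=h, minutes=m, seconds=s),
                    "src": src, "msg": msg, "pri": pri})
    return out

EVENTS = parse(RAW)

def compress(events):
    """Compression: collapse repeated (source, message) pairs into one entry with a count."""
    return dict(Counter((e["src"], e["msg"]) for e in events))

def count_threshold(events, msg, threshold):
    """Counting: report a message once, and only when it occurred at least `threshold` times."""
    n = sum(1 for e in events if e["msg"] == msg)
    return f"{msg} x{n} (threshold {threshold})" if n >= threshold else None

def suppress(events):
    """Suppression: drop an event if its source already raised a higher-priority one."""
    best, kept = {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["pri"] > best.get(e["src"], 99):   # a smaller number means higher priority
            continue
        best[e["src"]] = min(best.get(e["src"], 99), e["pri"])
        kept.append(e)
    return kept

def follows_within(events, a, b, window_s):
    """Time-based rule: A follows B within window_s seconds; returns (B time, A time) pairs."""
    win = timedelta(seconds=window_s)
    return [(eb["time"], ea["time"])
            for eb in events if eb["msg"] == b
            for ea in events if ea["msg"] == a and eb["time"] < ea["time"] <= eb["time"] + win]
```

The last auth failure at 10:05:00 is suppressed because fw1 already raised a priority-2 "admin login", while the three earlier failures are still tied to that login by the two-minute rule.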
Event correlation, in its basic form, is becoming almost a commodity product. If you want to reduce the number of events and alarms and have some level of topological awareness to eliminate duplicates, that’s pretty standard and working today.