Event Correlation Engine

Similar documents
IKR EmuLib. A Library for Seamless Integration of Simulation and Emulation. Marc Necker, Christoph Gauger [necker

Authenticated addressing in networks

Implementing a Web Client for Social Content and Task Management Master s Thesis Final Presentation , Björn Michelsen

SDR Guide to Complete the SDR

Zend Server 5.0 Code Tracing

Generating system documentation augmented with traceability information, using a central XML-based repository

CSCI Object Oriented Design: Frameworks and Design Patterns George Blankenship. Frameworks and Design George Blankenship 1

Modeling pilot project at Ericsson Expert Analytics

Master Thesis: ESB Based Automated EA Documentation

Abstractness, Specificity, and Complexity in Software Design

Safety-Critical Software Development

Cisco UCS Monitoring Resource Handbook

Performance analysis basics

Exam Questions C

Automated Operation of the Metrology Light Source Storage Ring

Design and Evaluation of User- Interfaces for Mobile Applications Development

Implementing and Monitoring Alarms and Alarm Log Correlation

High-Performance Event Processing Bridging the Gap between Low Latency and High Throughput Bernhard Seeger University of Marburg

Implementing and Monitoring Alarms and Alarm Log Correlation

Moose for Java Enterprise Application

Principles of Computer Game Design and Implementation. Lecture 3

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

TIBCO Complex Event Processing Evaluation Guide

Epilog: Further Topics

IoT Mashups with the WoTKit

The Idiot s Guide to Quashing MicroServices. Hani Suleiman

Master Project Market HS 2016

EXPRESSCLUSTER X 3.3. HA Cluster Configuration Guide for Amazon Web Services (Windows) 10/03/2016 2nd Edition

SDL. Jian-Jia Chen (slides are based on Peter Marwedel) TU Dortmund, Informatik 年 10 月 18 日. technische universität dortmund

A Capacity Planning Methodology for Distributed E-Commerce Applications

A Framework for Supporting the Workflow for Archaeo-related Sciences: Managing, Synchronizing and Analyzing Data

DEMO. The Professional Software Suite for Automatic Control Design and Forecasting. EICASLAB Demo RT-emb

IPv6 Neighbor Discovery

Lecture Notes on CASE-Tools: Together

Automated JAVA GUI Testing. Challenges and Experiences

Chapter 3: Data Mining:

Creating Software Architecture Documentation for MediaWiki Software Master s Thesis Final Presentation , Uliana Bakhtina

TECHED USER CONFERENCE MAY 3-4, 2016

esales Boost for EPiServer Partner Proposition

MutanT: A Modular and Generic Tool for Multi-Sensor Data Processing

Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Programming in Visual Basic with Microsoft Visual Studio 2010

BSc Thesis Investigation of tree conflict handling in selected version control systems

Report. Valerio Bürker & Roman Hiestand. Tool für die Bewertung von Eingebetteten Systemen. Design und Integration einer Analysemethode in SymTA/S

Security Automation Best Practices

A Source Code History Navigator

PROGRAMMING IN VISUAL BASIC WITH MICROSOFT VISUAL STUDIO Course: 10550A; Duration: 5 Days; Instructor-led

EXPRESSCLUSTER X 4.0. HA Cluster Configuration Guide for Amazon Web Services (Linux) April 17, st Edition

Working with Reports. User Roles Required to Manage Reports CHAPTER

Crash course on design patterns

FROM LEGACY, TO BATCH, TO NEAR REAL-TIME. Marc Sturlese, Dani Solà

Lecture 20: Automated Fault Management

Automated Fault Management. Lecture 20: Prof. Shervin Shirmohammadi SITE, University of Ottawa. Prof. Shervin Shirmohammadi CEG

User Manual. Admin Report Kit for IIS 7 (ARKIIS)

Motivation. Map in Lisp (Scheme) Map/Reduce. MapReduce: Simplified Data Processing on Large Clusters

Disclaimer: this pdf is just the content of the sliders with no format at all. I'm using the moin-wiki slides plugin for the real slides.

Madhya Pradesh Bhoj (Open) University, Bhopal Diploma in Computer Application (DCA) Assignment Question Paper I

ERCIM Alain Bensoussan Fellowship Scientific Report

Fine-grained Software Version Control Based on a Program s Abstract Syntax Tree

CWCM Webmaster Training. Denis Bacquelaine, Technical Consultant I.R.I.S. Solutions & Experts S.A.

U-Boot Falcon Mode. Minimizing boot times using U-Boot "Falcon" mode. Stefano Babic / Wolfgang Denk. July 2012

IBM InfoSphere Streams Telecommunications Event Data Analytics Customization & Configuration

Introduction to UCS Faults

Microsoft SQL Server Fix Pack 15. Reference IBM

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

Implementation Guide - VPN Network with Static Routing

Securing IPv6 Networks: ft6 & friends. Oliver Eggert, Simon Kiertscher

WebNMS White Paper Motorola (NSN) Element Manager HRPDA (EMH)

Service Composition for Active Networks

Avaya_ Number: 3308 Passing Score: 800 Time Limit: 120 min File Version: 4.0

Graph analytics approach to analyse Enterprise Architecture models

TIBCO BWPM Client - Release Notes

TIBCO LogLogic Unity Release Notes

Automated Unit Testing A Practitioner's and Teacher's Perspective

A Browser Developer's Research Wish List. Robert O'Callahan Mozilla Corporation

IBM Application Performance Analyzer for z/os Version IBM Corporation

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

Igniting QuantLib on a Zeppelin

Quickly Pinpoint and Resolve Problems in Windows /.NET Applications TECHNICAL WHITE PAPER

FSMs & message passing: SDL

BuildPal Documentation

Configuring ACL Logging

Location-Based Web Services for Car Infotainment

Using Natural Language Processing and Machine Learning to Assist First-Level Customer Support for Contract Management

IBM Europe Announcement ZP , dated November 6, 2007

The flow of data must not be allowed to overwhelm the receiver

CENTRIX Condition Monitoring

Vendor: Citrix. Exam Code: 1Y Exam Name: Managing Citrix XenDesktop 7.6 Solutions. Version: Demo

Help! My Birthday Reminder Wants to Brick My Phone!

Carrier grade VoIP systems with Kamailio

Frequently Asked Questions (FAQ)

Systematic Cooperation in P2P Grids

Vampir and Lustre. Understanding Boundaries in I/O Intensive Applications

M2M CDMA Router. VRRP Configuration Guide

Magdalena Blöckner. 'building in a box' an experience prototyping toolkit to reveal design needs for interactive multimedia facades

An Improved Markov Model Approach to Predict Web Page Caching


Tasktop Sync - Cheat Sheet

Oracle Database 11g: New Features for Administrators DBA Release 2

StreamSets Control Hub Installation Guide

Transcription:

Event Correlation Engine Master s Thesis Final Presentation Andreas Müller Tutors: Christoph Göldi, Bernhard Tellenbach Supervisor: Prof. B. Plattner Institut für Technische Informatik und Kommunikationsnetze

1 Introduction 2 Motivation and Task 3 Approach 4 Conclusions 5 Demo

1 Introduction Event Correlation 2 Motivation and Task 3 Approach 4 Conclusions 5 Demo

Event Correlation Event Correlation Event Any occurrence; anything, which happened Computing: message, what happened when Correlation: analysis of co-relations Goal: gain higher-level knowledge Applications Market data analysis Algorithmic trading Fraud detection System log analysis Network management Event Correlation Engine (ECE) Application or toolkit to correlate events

1 Introduction 2 Motivation and Task Background Motivation and Task 3 Approach 4 Conclusions 5 Demo

Background Background Master s thesis at Open Systems AG Open Systems provides managed security for customers around the world, operating a global network with more than 1500 hosts Setup Hosts generate events from syslog messages and network observations, e.g.: Network link down CPU load high Events end up in tickets, which are handled manually

Motivation and Task Problems Handling all events manually is time consuming and cumbersome Simple problems create too many events, important events may be overlooked Same problem has to be handled again and again How to mitigate these problems? Intelligently pre-process the events with an ECE Task Choose or design, implement and evaluate an ECE suitable to extend the ticketing system of Open Systems

1 Introduction 2 Motivation and Task 3 Approach Event Pattern Analysis Analysis of Existing Approaches Specification and Implementation Testing and Evaluation 4 Conclusions 5 Demo

Event Pattern Analysis Pattern Analysis: Goals Qualitative and quantitative overview of events Identification of frequent patterns Statistical analysis E.g. event rate: Average: 1-2 events per minute Peaks: Up to 900 events per minute Pattern identification E.g. temporal correlation (next slide)

Event Pattern Analysis: Temporal Correlation

Analysis of Existing Approaches Correlation Approach Decisions of the correlation engine should be reproducible and understandable for humans Rule-based approach most suitable Finite-state machine would be suitable for some patterns Allow regular expressions on events Existing Software No suitable software found Many concepts can be reused, e.g.: Dynamic contexts Combination of simple building blocks into powerful rules

Specification Requirements and design decisions Rule language should be easy to learn XML based rules Local and global correlation should be possible Tree of homogeneous correlation nodes Implementation Functional programming to build rule functions from simple components Rapid prototyping was valued higher than execution speed Implemented in Python

Implementation: Node Tree Rule repository Logging Event sources Preprocessing, Local correlation Root node, Global correlation Tree of correlation nodes Ticketing Alerting Event sinks

Implementation: Functional Overview Event cache Local rule repository Event and Information flow Input events Sources & Translators Input queue Core Condition & Action plugins Output queue Translator & Sink Output events

Testing and Evaluation Testing and evaluation methods Profiling Unit tests Sanity checks Evaluation with random events Evaluation with replayed real events

1 Introduction 2 Motivation and Task 3 Approach 4 Conclusions Conclusions Outlook 5 Demo

Conclusions Strengths Functional programming allows to build rule functions at startup No need for (slow and hard to debug) eval() during operation Regular expressions to match patterns suitable for FSMs As powerful as FSMs, but better known and easier to use Cache automatically decides how long to keep an event Aptitude for real-world events Events of one month can be processed in < 10 minutes Real-time operation no problem Simple compression can reduce the event volume by > 50% Successful detection of complex patterns E.g. detection of successful failover transition with regexp

Outlook Future development Support for rule creation (e.g. pattern mining, GUI tools) Central rule database with target scopes for each rule group Rule applies to all hosts in country X Reducing complexity

1 Introduction 2 Motivation and Task 3 Approach 4 Conclusions 5 Demo Example Problem Correlation Approach

Demo: Example Problem Example: Irrelevant IP theft events Standby firewall becomes master, while primary firewall is still up Firewalls detect second host with same IP address Events indicating IP address theft Duplicate master is also detected Corresponding event often generated after IP theft event It is sufficient to solve the root problem (duplicate master) IP address theft events are of no interest

Demo: Correlation Approach Correlation behaviour Demo Event indicating a duplicate master Represent this knowledge as context Suppress IP theft events from same host during last minute As long as context exists, suppress further IP theft events Event indicating duplicate master is gone Remove context Real events with anonymized host names One correlation node First run: without correlation rules Second run: rules with behaviour explained above

Questions? Thank you for your attention.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback