Improving SIEM Alert Metadata Aggregation with a Novel Kill-Chain Based Classification Model
Computers & Security (IF 5.6), Pub Date: 2020-07-01, DOI: 10.1016/j.cose.2020.101817
Blake D. Bryant , Hossein Saiedian

Abstract: Today’s information networks face increasingly sophisticated and persistent threats, where new threat tools and vulnerability exploits often outpace advancements in intrusion detection systems. Current detection systems often create too many alerts, which contain insufficient data for analysts. As a result, the vast majority of alerts are ignored, contributing to security breaches that might otherwise have been prevented. Security Information and Event Management (SIEM) software is a recent development designed to improve alert volume and content by correlating data from multiple sensors. However, insufficient SIEM configuration has thus far limited the promise of SIEM software for improving intrusion detection. The focus of our research is the implementation of a hybrid kill-chain framework as a novel configuration of SIEM software. Our research resulted in a new log ontology capable of normalizing security sensor data in accordance with modern threat research. New SIEM correlation rules were developed using the new log ontology, and the effectiveness of the new configuration was tested against a baseline configuration. The novel configuration was shown to improve detection rates, give more descriptive alerts, and lower the number of false positive alerts.
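The abstract describes two mechanisms, a log ontology that normalizes heterogeneous sensor data onto kill-chain stages and correlation rules written against that ontology, without showing what either looks like in practice. The following Python sketch is an added illustration of that idea and is not code from the paper; the authors' actual ontology and rules are not reproduced here. The stage names follow the publicly documented Lockheed Martin Cyber Kill Chain, while the sensor names, signature strings, the `STAGE_MAP` table, the `run`/`correlate` rule parameters and the sample records are all constructed for this example.

```python
"""Kill-chain based alert normalization and aggregation (illustrative only).

Added example, not the paper's code. Stage names follow the Lockheed Martin
Cyber Kill Chain; sensors, signatures, the stage mapping, the correlation
rule and the sample records are constructed for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Ordered kill-chain stages; the list index gives a stage's position in the chain.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed ontology fragment: (sensor, signature) -> kill-chain stage.
# A production mapping would be far larger and would carry more fields.
STAGE_MAP = {
    ("ids", "PORT_SCAN"): "reconnaissance",
    ("proxy", "EXE_DOWNLOAD"): "delivery",
    ("edr", "OFFICE_SPAWNS_SHELL"): "exploitation",
    ("edr", "NEW_SERVICE_INSTALLED"): "installation",
    ("dns", "BEACON_PERIODIC"): "command_and_control",
}


@dataclass
class NormalizedEvent:
    """Shared schema every sensor record is mapped onto before correlation."""
    host: str
    stage: str
    sensor: str
    signature: str
    ts: int  # seconds; constructed sample timestamps are relative


def normalize(raw: dict) -> Optional[NormalizedEvent]:
    """Map one raw sensor record onto the shared schema.

    Records whose (sensor, signature) pair has no ontology entry are dropped,
    which is one way the normalized stream ends up smaller than the raw one.
    """
    stage = STAGE_MAP.get((raw["sensor"], raw["sig"]))
    if stage is None:
        return None
    return NormalizedEvent(raw["host"], stage, raw["sensor"], raw["sig"], raw["ts"])


def correlate(events, min_stages=2, window=3600):
    """Constructed correlation rule: emit one aggregated alert per host when
    events from at least `min_stages` distinct kill-chain stages fall inside
    `window` seconds of each other. Each alert carries the ordered stages,
    the contributing sensors and the time span, so an analyst sees progression
    rather than a pile of single-sensor alerts."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            # Sliding window anchored on the current event.
            group = [e for e in evs[i:] if e.ts - evs[i].ts <= window]
            stages = sorted({e.stage for e in group}, key=KILL_CHAIN.index)
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "stages": stages,
                    "furthest_stage": stages[-1],
                    "sensors": sorted({e.sensor for e in group}),
                    "first_seen": group[0].ts,
                    "last_seen": group[-1].ts,
                    "event_count": len(group),
                })
                i += len(group)  # consume the grouped events
            else:
                i += 1
    return alerts


# Constructed sample sensor records, not real telemetry.
SAMPLE_RAW = [
    {"host": "ws-17", "sensor": "ids",   "sig": "PORT_SCAN",           "ts": 0},
    {"host": "ws-17", "sensor": "proxy", "sig": "EXE_DOWNLOAD",        "ts": 120},
    {"host": "ws-17", "sensor": "edr",   "sig": "OFFICE_SPAWNS_SHELL", "ts": 130},
    {"host": "ws-17", "sensor": "av",    "sig": "HEURISTIC_GENERIC",   "ts": 131},  # no ontology entry
    {"host": "ws-17", "sensor": "dns",   "sig": "BEACON_PERIODIC",     "ts": 900},
    {"host": "ws-22", "sensor": "ids",   "sig": "PORT_SCAN",           "ts": 50},
    {"host": "ws-22", "sensor": "ids",   "sig": "PORT_SCAN",           "ts": 55},
]


def run(raw_records=SAMPLE_RAW, min_stages=2, window=3600):
    """Normalize then correlate; return counts so the reduction is visible."""
    normalized = [e for e in map(normalize, raw_records) if e is not None]
    alerts = correlate(normalized, min_stages, window)
    return {"raw": len(raw_records), "normalized": len(normalized), "alerts": alerts}


if __name__ == "__main__":
    result = run()
    print(f"raw={result['raw']} normalized={result['normalized']} alerts={len(result['alerts'])}")
    for alert in result["alerts"]:
        print(alert)
```

With the constructed input, seven raw records collapse to a single alert for `ws-17` spanning reconnaissance, delivery, exploitation and command-and-control, while the two isolated port-scan records for `ws-22` never reach the analyst because they occupy only one stage. The stage ordering in each alert is what makes the aggregated alert more descriptive than its inputs: it tells the reader how far along the chain the activity on that host has progressed.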

Last updated: 2020-07-01