UCLog+ : A Security Data Management System for Correlating Alerts, Incidents, and Raw Data From Remote Logs

Source data for computer network security analysis takes different forms (alerts, incidents, logs) and each source may be voluminous. Due to the challenge this presents for data management, this has often lead to security stovepipe operations which focus primarily on a small number of data sources for analysis with little or no automated correlation between data sources (although correlation may be done manually). We seek to address this systemic problem. In previous work we developed a unified correlated logging system (UCLog) that automatically processes alerts from different devices. We take this work one step further by presenting the architecture and applications of UCLog+ which adds the new capability to correlate between alerts and incidents and raw data located on remote logs. UCLog+ can be used for forensic analysis including queries and report generation but more importantly it can be used for near-real-time situational awareness of attack patterns in progress. The system, implemented with open source tools, can also be a repository for secure information sharing by different organizations.