http://blog.clearnetsec.com/articles/tag/complexevents en-us 40 <p> It’s hard to build a decision support system based on partial views of the world. </p> <p> My goal is to identify interesting events on a network and to prioritize those events based on sets of attributes. Yes, there are lots of products that do this. But most focus on a slice of the world (e.g. an IDS fires an alert based on a regex match on a single packet). And that is boring. </p> <p> Doing it for the whole world is where the action is at. </p> <p> Capture an alert fired from an IDS, check netflow for a session, note a “first-time” event recorded in a syslog message, mix in statistical data mining and learning techniques – and do it all in near real time. This is how things get interesting. </p> <p> Unfortunately it’s hard to get complete visibility (i.e. get all syslog, all netflow, all application logs, etc.). There must be a point though where I can get enough information to successfully prioritize interesting events. I’m not sure exactly where that’s at, but it’s a fun problem to work on. </p> <p> <i>The picture is of the inside of IT-Universitetet in Copenhagen where I’m working for a few weeks. The meeting rooms all jet out into the open space in the middle – a pretty cool design.</i> </p> <img src="http://blog.clearnetsec.com/files/itu.gif"> Sat, 30 Jun 2007 15:56:00 -0600 urn:uuid:4ea21165-d129-4503-b259-01fdc1539e54 tate@ClearNetSec.com (Tate Hansen) http://blog.clearnetsec.com/articles/2007/06/30/building-a-better-security-events-system security ClearNet ClearNet Security Tate Hansen ids alerts events complex events