SecurityEventsCorrelation

An example project whose submodules implement two methods of security event correlation. The project's two input streams, InVirusAlerts and InIDSAlerts, simulate alerts arriving from a virus detection system and an intrusion detection system, respectively.

The SecurityPatterns submodule uses the CCL pattern-matching syntax (the MATCHING clause) to detect a specified sequence of events arriving on the InVirusAlerts and InIDSAlerts streams. An alert is issued when the whole pattern is detected.

The SecuritySimpleJoin submodule uses a simple join to detect possible intrusions. Each input stream is retained for 30 seconds, and the query joins the two retained sets on SourceIP, so an IDS alert and a virus alert that originate from the same source address within 30 seconds of each other are reported together as a repeat attack. This is accomplished with the following query structure:

INSERT INTO OutRepeatAttackAlerts 
SELECT I1.SourceIP AS SourceIP,
      I1.AttackKind AS AttackKind,
      V1.Virus AS Virus
FROM   InIDSAlerts KEEP 30 SECONDS AS I1,
      InVirusAlerts KEEP 30 SECONDS AS V1 
WHERE  I1.SourceIP=V1.SourceIP ;
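The following Python simulation is an added example and is not part of the Sybase sample project. It models each input stream as a 30-second KEEP window and replays constructed IDS and virus alerts through the join condition used by the SecuritySimpleJoin query, and, for contrast, through an ordered IDS-then-virus rule of the kind a MATCHING clause expresses (an illustrative pattern, not the SecurityPatterns submodule's actual pattern). The window semantics (a row stays visible for 30 seconds inclusive, expiry is evaluated when the next event arrives), the timestamps, IP addresses and alert names are all assumptions made for the example.

```python
# Added example (not the Sybase sample project's code): simulation of the two
# correlation strategies over constructed IDS and virus alerts.
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 30  # mirrors KEEP 30 SECONDS on both input streams


@dataclass(frozen=True)
class IDSAlert:
    ts: float          # arrival time in seconds on a constructed relative clock
    source_ip: str
    attack_kind: str


@dataclass(frozen=True)
class VirusAlert:
    ts: float
    source_ip: str
    virus: str


class KeepWindow:
    """Time-based retention approximating KEEP n SECONDS (assumption: a row is
    visible while now - row.ts <= seconds, and expiry runs when the next event arrives)."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.rows = deque()  # rows arrive in time order, so the oldest is always at the left

    def expire(self, now):
        while self.rows and now - self.rows[0].ts > self.seconds:
            self.rows.popleft()

    def insert(self, row):
        self.rows.append(row)

    def __iter__(self):
        return iter(self.rows)


def simple_join(events):
    """SecuritySimpleJoin semantics: when an alert arrives on either stream it is joined
    on SourceIP against the other stream's 30-second window. Arrival order does not
    matter, and one alert can produce several OutRepeatAttackAlerts rows."""
    ids_win, virus_win = KeepWindow(WINDOW_SECONDS), KeepWindow(WINDOW_SECONDS)
    out = []
    for row in sorted(events, key=lambda r: r.ts):
        ids_win.expire(row.ts)
        virus_win.expire(row.ts)
        if isinstance(row, IDSAlert):
            ids_win.insert(row)
            pairs = [(row, v) for v in virus_win if v.source_ip == row.source_ip]
        else:
            virus_win.insert(row)
            pairs = [(i, row) for i in ids_win if i.source_ip == row.source_ip]
        for i, v in pairs:
            out.append({"SourceIP": i.source_ip, "AttackKind": i.attack_kind, "Virus": v.virus})
    return out


def ordered_pattern(events):
    """Illustrative ordered rule (assumed, not the SecurityPatterns module's pattern):
    fire only when an IDS alert is followed by a virus alert from the same SourceIP
    within the window. A virus alert that arrives first is never matched."""
    ids_win = KeepWindow(WINDOW_SECONDS)
    out = []
    for row in sorted(events, key=lambda r: r.ts):
        ids_win.expire(row.ts)
        if isinstance(row, IDSAlert):
            ids_win.insert(row)
            continue
        for i in ids_win:
            if i.source_ip == row.source_ip:
                out.append({"SourceIP": i.source_ip, "AttackKind": i.attack_kind, "Virus": row.virus})
    return out


# Constructed sample alerts; the comments state which method reports each one.
SAMPLE_EVENTS = [
    IDSAlert(0, "10.0.0.5", "PortScan"),
    VirusAlert(5, "10.0.0.5", "Worm.X"),       # both: IDS first, virus 5 s later
    VirusAlert(12, "192.168.1.9", "Trojan.Y"),
    IDSAlert(20, "192.168.1.9", "SQLi"),       # join only: the virus alert came first
    VirusAlert(45, "10.0.0.5", "Worm.Z"),      # neither: the PortScan row expired at t=30
    IDSAlert(50, "10.0.0.5", "BruteForce"),    # join: pairs with Worm.Z, which is 5 s old
    VirusAlert(52, "10.0.0.5", "Worm.W"),      # both: BruteForce followed by a virus alert
]

if __name__ == "__main__":
    for name, fn in (("SecuritySimpleJoin", simple_join), ("ordered pattern", ordered_pattern)):
        print(name)
        for r in fn(SAMPLE_EVENTS):
            print("  ", r)
```

Running it shows the practical difference between the two submodules: the join emits a row for every IDS/virus pair from the same SourceIP whose windows overlap, regardless of which alert arrived first, so one IDS alert can raise several alerts and a virus alert that precedes the IDS alert still matches; the ordered rule reports only the IDS-then-virus sequences. Before relying on either, check that the 30-second windows cover the real latency between the two detection systems; an anti-virus feed that reports late simply drops matches without any error.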


Created March 8, 2010. Send feedback on this help topic to Sybase Technical Publications: pubs@sybase.com