Optimizing SIEM Throughput on the Cloud Using Parallelization

Processing large amounts of data in real time to identify security issues poses several performance challenges, especially when hardware infrastructure is limited. Managed Security Service Providers (MSSPs), mostly hosting their applications on the Cloud, receive events at a very high rate that varies from a few hundred to a couple of thousand events per second (EPS). It is critical to process this data efficiently, so that attacks can be identified quickly and the necessary response initiated. This paper evaluates the performance of OSTROM, a security framework built on the Esper complex event processing (CEP) engine, under parallel and non-parallel computational frameworks. We explain three architectures under which Esper can be used to process events, and we investigate the effect on throughput, memory and CPU usage in each configuration setting. The results indicate that the performance of the engine is limited by the number of incoming events rather than by the queries being processed. The architecture in which 1/4 of the total events is submitted to each instance and all queries are processed by all units shows the best results in terms of throughput, memory and CPU usage.

Bibliographic Details

Main authors: Alam, Masoom; Ihsan, Asif; Khan, Muazzam A.; Javaid, Qaisar; Khan, Abid; Manzoor, Jawad; Akhundzada, Adnan; Khan, M Khurram; Farooq, Sajid
Format: Online article, text
Language: English
Published: PLoS One, Public Library of Science, 16 November 2016 (Research Article)
Subjects: Research Article
Online access:
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5112783/
https://www.ncbi.nlm.nih.gov/pubmed/27851762
http://dx.doi.org/10.1371/journal.pone.0162746
Collection: PubMed (National Center for Biotechnology Information), record pubmed-5112783
License: © 2016 Alam et al. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.