Improving SIEM capabilities through an enhanced probe for encrypted Skype traffic detection
This work addresses security monitoring for Internet Service Providers by enhancing encrypted traffic detection, but it appears incremental as it builds on existing SIEM frameworks.
The authors tackled the problem of detecting encrypted Skype traffic in SIEM systems by proposing an enhanced probe (ESkyPRO) that uses machine learning to improve accuracy, though no concrete numbers are provided.
Nowadays, the Security Information and Event Management (SIEM) systems take on great relevance in handling security issues for critical infrastructures as Internet Service Providers. Basically, a SIEM has two main functions: i) the collection and the aggregation of log data and security information from disparate network devices (routers, firewalls, intrusion detection systems, ad hoc probes and others) and ii) the analysis of the gathered data by implementing a set of correlation rules aimed at detecting potential suspicious events as the presence of encrypted real-time traffic. In the present work, the authors propose an enhanced implementation of a SIEM where a particular focus is given to the detection of encrypted Skype traffic by using an ad-hoc developed enhanced probe (ESkyPRO) conveniently governed by the SIEM itself. Such enhanced probe, able to interact with an agent counterpart deployed into the SIEM platform, is designed by exploiting some machine learning concepts. The main purpose of the proposed ad-hoc SIEM is to correlate the information received by ESkyPRO and other types of data obtained by an Intrusion Detection System (IDS) probe in order to make the encrypted Skype traffic detection as accurate as possible.