{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:19:36Z","timestamp":1754158776483,"version":"3.41.2"},"reference-count":42,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2019,8,28]],"date-time":"2019-08-28T00:00:00Z","timestamp":1566950400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2019,8,28]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to propose a mobile agent-based security information and event management architecture (MA-SIEM) that uses mobile agents for near real-time event collection and normalization on the source device. The externalization of the normalization process, executed by several distributed mobile agents on interconnected computers and devices, proposes a SIEM server dedicated mainly for correlation and analysis.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>The architecture has been proposed in three stages. In the first step, the authors described the different aspects of the proposed approach. Then they implemented the proposed architecture and presented a new vision for the insertion of normalized data into the SIEM database. Finally, the authors performed a numerical comparison between the approach used in the proposed architecture and that of existing SIEM systems.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results of the experiments showed that MA-SIEM systems are more efficient than existing SIEM systems because they leave the SIEM resources primarily dedicated to advanced correlation analysis. In addition, this paper takes into account realistic scenarios and use-cases and proposes a fully automated process for transferring normalized events in near real time to the SIEM server for further analysis using mobile agents.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>The work provides new insights into the normalization security-related events using light mobile agents.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-01-2019-0008","type":"journal-article","created":{"date-parts":[[2019,9,25]],"date-time":"2019-09-25T10:57:24Z","timestamp":1569409044000},"page":"15-34","source":"Crossref","is-referenced-by-count":3,"title":["Mobile agent-based SIEM for event collection and normalization externalization"],"prefix":"10.1108","volume":"28","author":[{"given":"Nabil","family":"Moukafih","sequence":"first","affiliation":[]},{"given":"Ghizlane","family":"Orhanou","sequence":"additional","affiliation":[]},{"given":"Said","family":"Elhajji","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020040311053715000_ref001","unstructured":"AlienVault (2018), \u201cAlienVault OSSIM\u201d, available at: www.alienvault.com\/products\/ossim"},{"key":"key2020040311053715000_ref002","unstructured":"ArcSight Enterprise Security Manager (ESM) (2018), available at: https:\/\/software.microfocus.com\/en-us\/products\/siem-security-information-event-management\/overview"},{"article-title":"Pushing the limits in event normalisation to improve attack detection in IDS\/SIEM systems","volume-title":"2013 International Conference on Advanced Cloud and Big Data","year":"2013","key":"key2020040311053715000_ref003"},{"article-title":"Multi-agent integrated password management (MIPM) application secured with encryption","volume-title":"Presented at the The 2nd International Conference on Applied Science and Technology 2017 (ICAST\u201917)","year":"2017","key":"key2020040311053715000_ref004"},{"volume-title":"Developing Multi-Agent Systems with JADE","year":"2007","key":"key2020040311053715000_ref005"},{"volume-title":"Mobile Agents: basic Concepts, Mobility Models, and the Tracy Toolkit","year":"2005","key":"key2020040311053715000_ref006"},{"key":"key2020040311053715000_ref007","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1016\/j.cose.2018.01.023","article-title":"A novel architecture combined with optimal parameters for back propagation neural networks applied to anomaly network intrusion detection","volume":"75","year":"2018","journal-title":"Computers and Security"},{"volume-title":"Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management","year":"2013","key":"key2020040311053715000_ref008"},{"issue":"3","key":"key2020040311053715000_ref009","doi-asserted-by":"crossref","first-page":"424","DOI":"10.1080\/19361610.2017.1315760","article-title":"Analysis of KDD CUP dataset using multi-agent methodology with effective fuzzy based intrusion detection system","volume":"12","year":"2017","journal-title":"Journal of Applied Security Research"},{"article-title":"Adaptive push based data collection method for online performance monitoring","volume-title":"2011 National Conference on Communications (NCC)","year":"2011","key":"key2020040311053715000_ref010"},{"key":"key2020040311053715000_ref011","first-page":"433","article-title":"Analysis of neural network training and cost functions impact on the accuracy of IDS and SIEM systems","volume-title":"Codes, Cryptology and Information Security","year":"2019"},{"volume-title":"Mastering Regular Expressions","year":"2006","key":"key2020040311053715000_ref012"},{"key":"key2020040311053715000_ref013","unstructured":"Honeynet Project (2005), \u201cScan of the month 34\u201d, available at: http:\/\/old.honeynet.org\/scans\/scan34\/"},{"article-title":"Speed\/accuracy trade-offs for modern convolutional object detectors","volume-title":"2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR)","year":"2017","key":"key2020040311053715000_ref014"},{"key":"key2020040311053715000_ref015","unstructured":"Intersect Alliance International (2014), \u201cAgent vs agentless log collection\u201d, available at: www.intersectalliance.com\/wp-content\/uploads\/2014\/09\/AgentsvsAgentless.pdf"},{"key":"key2020040311053715000_ref016","unstructured":"IBM. (2018), \u201cSecurity QRadar SIEM\u201d, available at: www.ibm.com\/usen\/marketplace\/ibm-qradar-siem"},{"key":"key2020040311053715000_ref017","first-page":"237","article-title":"Normalizing security events with a hierarchical knowledge base","volume-title":"Information Security Theory and Practice","year":"2015"},{"article-title":"Accelerating event processing for security analytics on a distributed in-memory platform","volume-title":"2018 IEEE 16th International Conference on Dependable, Autonomic and Secure Computing, 16th International Conference on Pervasive Intelligence and Computing, 4th International Conference on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC\/PiCom\/DataCom\/CyberSciTech)","year":"2018","key":"key2020040311053715000_ref018"},{"article-title":"Parallel and distributed normalization of security events for instant attack analysis","volume-title":"2015 IEEE 34th International Performance Computing and Communications Conference (IPCCC)","year":"2015","key":"key2020040311053715000_ref019"},{"key":"key2020040311053715000_ref020","unstructured":"Kavanagh, K.M. and Rochford, O. (2015), \u201cMagic quadrant for security information and event management\u201d, Technical Report, Gartner."},{"key":"key2020040311053715000_ref021","unstructured":"Kelly, M.K. and Toby, B. (2017), \u201cMagic quadrant for security information and event management\u201d, available at: www.softshell.ag\/wpcontent\/uploads\/2017\/12\/magicquadrantforsecurity315428.pdf"},{"issue":"6","key":"key2020040311053715000_ref022","first-page":"1074","article-title":"Network alert management based on multi agent systems for surveillance and supervising software and hardware components","volume":"9","year":"2014","journal-title":"International Review on Computers and Software"},{"issue":"5","key":"key2020040311053715000_ref023","doi-asserted-by":"crossref","first-page":"427","DOI":"10.14257\/ijsia.2014.8.5.37","article-title":"Contextual security with IF-MAP","volume":"8","year":"2014","journal-title":"International Journal of Security and Its Applications"},{"volume-title":"Security Information and Event Management (SIEM) Implementation","year":"2011","key":"key2020040311053715000_ref024"},{"volume-title":"Intelligent Agents for Data Mining and Information Retrieval","year":"2004","key":"key2020040311053715000_ref025"},{"article-title":"SIEM selection criteria for an efficient contextual security","volume-title":"2017 International Symposium on Networks, Computers and Communications (ISNCC)","year":"2017","key":"key2020040311053715000_ref026"},{"key":"key2020040311053715000_ref027","unstructured":"Oliver, R. Kelly, M.K. and Toby, B. (2016), \u201cMagic quadrant for security and information and event management\u201d, Gartner, available at: www.gartner.com\/doc\/3406817\/magic-quadrant-security-information-event"},{"key":"key2020040311053715000_ref028","doi-asserted-by":"crossref","unstructured":"Orhanou, G., Lakbabi, A., Moukafih, N. and El Hajji, S. (2018), \u201cNetwork access control and collaborative security against APT and AET. In security and privacy in smart sensor networks\u201d, IGI Global, pp. 201-230, available at: https:\/\/doi.org\/10.4018\/978-1-5225-5736-4.ch010","DOI":"10.4018\/978-1-5225-5736-4.ch010"},{"year":"2011","key":"key2020040311053715000_ref029","article-title":"The best practices report big data analytics"},{"issue":"4","key":"key2020040311053715000_ref030","doi-asserted-by":"crossref","first-page":"15","DOI":"10.1145\/1293731.1293735","article-title":"Specifying protocols for multi-agent systems interaction","volume":"2","year":"2007","journal-title":"ACM Transactions on Autonomous and Adaptive Systems"},{"key":"key2020040311053715000_ref031","unstructured":"Rainer, G. (2009), \u201cThe syslog protocol. RFC 5424\u201d, available at: www.ietf.org\/rfc\/rfc5424.txt"},{"key":"key2020040311053715000_ref032","unstructured":"RSA Envision (2018), available at: www.rsa.com\/en-us\/products\/threat-detection-response\/siem-security-information-event-management"},{"article-title":"Hierarchical object log format for normalisation of security events","volume-title":"2013 9th International Conference on Information Assurance and Security (IAS)","year":"2013","key":"key2020040311053715000_ref033"},{"key":"key2020040311053715000_ref034","unstructured":"Shenk, J. (2014), \u201cNinth log management survey report\u201d, Technical Report, SANS Institute."},{"article-title":"sKyWIper (a.k.a flame a.k.a. Flamer): a complex malware for targeted attacks","year":"2012","author":"Skywiper Analysis Team","key":"key2020040311053715000_ref035"},{"key":"key2020040311053715000_ref036","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1016\/j.inffus.2013.04.009","article-title":"Providing SIEM systems with self-adaptation","volume":"21","year":"2015","journal-title":"Information Fusion"},{"article-title":"Identifying suspicious user behavior with neural networks","volume-title":"2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud)","year":"2017","key":"key2020040311053715000_ref037"},{"issue":"1","key":"key2020040311053715000_ref038","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.jss.2004.08.017","article-title":"Towards the automatic generation of mobile agents for distributed intrusion detection system","volume":"79","year":"2006","journal-title":"Journal of Systems and Software"},{"volume-title":"An Introduction to Multiagent Systems","year":"2009","key":"key2020040311053715000_ref039"},{"key":"key2020040311053715000_ref040","first-page":"25","article-title":"Mobile agents: are they a good idea","volume-title":"Lecture Notes in Computer Science","year":"1997"},{"key":"key2020040311053715000_ref041","unstructured":"Darren, N. and Rose, M. (2001), \u201cReliable delivery for syslog. RFC 3195\u201d, available at: www.ietf.org\/rfc\/rfc3195.txt"},{"key":"key2020040311053715000_ref042","first-page":"1","article-title":"Mobile agent for distributed intrusion detection system in distributed system","volume-title":"2010 International Journal of Artificial Intelligence and Computational Research (IJAICR)","year":"2010"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0008\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-01-2019-0008\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:35Z","timestamp":1753406555000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/28\/1\/15-34\/108422"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,8,28]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2019,8,28]]}},"alternative-id":["10.1108\/ICS-01-2019-0008"],"URL":"https:\/\/doi.org\/10.1108\/ics-01-2019-0008","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"type":"print","value":"2056-4961"},{"type":"print","value":"2056-4961"}],"subject":[],"published":{"date-parts":[[2019,8,28]]}}}