MiniSIEM: A Log Analysis & Security Monitoring System
Abstract
Cybercriminals now have access to a much larger attack surface because of the ever-increasing reliance on internet-connected devices. This has led to a rise in network-based attacks such as port scanning, brute-force logins, distributed denial-of-service attacks, and attempts to gain unauthorized access [1]. Firewalls usually serve as the first line of defence for most networks; however, they generate large volumes of log data that is often not properly analysed because manual analysis is difficult [6]. The objective of this study is to design and implement a Firewall Security Analytics System that collects and analyses firewall logs to identify potentially malicious network activity, classify the attacks, and provide real-time monitoring of security events. The overall design is a client-server architecture with a Flask backend and a React-based Security Operations Center (SOC) dashboard. Firewall logs are collected from an Ubuntu server over SSH (secure log ingestion) and stored in a structured database format. Attack patterns are classified by a rule-based analysis engine that decides whether an event is suspicious (for example, port scanning, brute-force attempts, or abnormal connection activity). When a security threshold is exceeded, an alerts engine generates an alert to notify the administrator. In addition, the solution includes a dashboard where real-time analytics can be viewed to visualize current attacks on the network. The results indicate that the proposed platform converts raw firewall data into actionable intelligence about the state of the network, giving administrators a clearer picture of its current status and enabling faster detection of potential threats.
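The abstract describes a rule-based engine that parses firewall logs into structured events and raises an alert when a threshold is crossed. The following is an added illustration of that pipeline, not code from the paper: it parses constructed lines in the style of Ubuntu's UFW kernel log (`SRC=`/`DST=`/`PROTO=`/`DPT=` fields), applies two rules (many distinct destination ports from one source, repeated hits on an authentication port from one source) and returns the alerts. The thresholds, the UFW line layout and the port list are assumptions; the paper does not state its own values, and time windows are left out (one batch is treated as one window).

```python
import re
from collections import defaultdict

# Constructed sample events in the Ubuntu UFW kernel-log style (not data from the paper).
def _ufw(src, dpt, proto="TCP"):
    return f"[UFW BLOCK] IN=eth0 OUT= SRC={src} DST=198.51.100.10 PROTO={proto} SPT=40000 DPT={dpt}"

SAMPLE_LOGS = (
    [_ufw("203.0.113.5", 22) for _ in range(5)]                          # repeated SSH hits
    + [_ufw("192.0.2.77", p) for p in (21, 23, 80, 443, 3306, 8080)]    # many distinct ports
    + [_ufw("198.51.100.200", 5353, "UDP")]                              # single benign hit
)

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Turn one firewall log line into a structured event, or None if it lacks the fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}

# Hypothetical thresholds: the paper describes thresholds but does not give its values.
PORT_SCAN_DISTINCT_PORTS = 5
BRUTE_FORCE_ATTEMPTS = 5
AUTH_PORTS = {22, 3389}  # SSH and RDP (assumed list)

def classify(events):
    """Apply the two rules to a batch of events (the batch is assumed to be one time window)."""
    ports_by_src = defaultdict(set)
    auth_hits = defaultdict(int)
    for ev in events:
        ports_by_src[ev["src"]].add(ev["dpt"])
        if ev["dpt"] in AUTH_PORTS:
            auth_hits[ev["src"]] += 1
    alerts = []
    for src, ports in ports_by_src.items():
        if len(ports) >= PORT_SCAN_DISTINCT_PORTS:
            alerts.append({"type": "port_scan", "src": src, "count": len(ports)})
    for src, n in auth_hits.items():
        if n >= BRUTE_FORCE_ATTEMPTS:
            alerts.append({"type": "brute_force", "src": src, "count": n})
    return alerts

def analyse(lines):
    """Parse a batch of raw lines, skip unparseable ones, and return the alerts raised."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return classify(events)
```

Running `analyse(SAMPLE_LOGS)` yields one `brute_force` alert for 203.0.113.5 and one `port_scan` alert for 192.0.2.77; the single UDP hit raises nothing.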