
Abstract

Background & Objectives

Qatar's IT infrastructure is growing rapidly to keep pace with the evolution of businesses and the economic growth the country is witnessing across its industries. It is now evident that the country's e-government requirements and the associated data management systems are becoming large in number, highly dynamic in nature, and exceptionally attractive targets for cybercrime. Protecting the sensitive data that e-government portals rely on for their daily activities is not a trivial task. The techniques used to commit cybercrimes are becoming more sophisticated in step with the firewalls protecting against them. Reaching a high level of data protection, in both wired and wireless networks, in the face of recent cybercrime approaches is a challenge that continually proves hard to achieve. In a typical IT infrastructure, the deployed network devices hold large numbers of event logs locally in their own memory, so analyzing them is a time-consuming task for network administrators. In addition, a single network event often generates many redundant event logs of the same class within short time intervals, which makes the logs difficult to manage during a forensic investigation. In most cybercrime cases, a single alert log does not contain sufficient information about the background of a malicious action or about an unseen network attacker; the information for a particular malicious action or attacker is often spread across multiple alert logs and multiple network devices. The forensic investigator's mission of reconstructing the incident scenario is therefore very complex, given both the number and the quality of these event logs.

Methods

My research will apply mathematics and algorithmic techniques to each of the sub-models proposed within the alert correlation model. Alert logs are first collected from network sensors and then stored in an alert log warehouse. The stored alert logs contain redundant data and irrelevant information, and the alert correlation model is used to filter these out. The model has two stages: format standardization and redundancy management. The format standardization stage unifies the different event log formats into a single format, while the redundancy management stage reduces the duplication of logs generated by a single event. Furthermore, this research will draw on criminology to raise the security level of the proposed model, and on forensic experimentation tools to validate the proposed approach.

Results

In response to attacks, and the potential for attacks, against network infrastructure and assets, my research focuses on how to build an organized, legislative e-government environment. The idea of this approach is to make forensic use of the output of the existing network security controls by collecting, analyzing and presenting evidence of network attacks in an efficient manner. After the data mining process, the preprocessing results can also be used for e-government awareness purposes.

Conclusions

This research proposes an alert correlation model for Qatar's e-government. The proposed model is used to process and normalize the captured network event logs. The main aim in designing the model is to find a way to forensically visualize the evidence and the attack scenario in the e-government infrastructure.
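The two stages named in the Methods paragraph, format standardization followed by redundancy management, can be illustrated with a small pipeline. The following is an added example written for this page, not code from the paper or from any product it mentions. The two sensor log formats, the field names, the deduplication key (source, destination, signature), the 60-second window and the sample log lines are all constructed assumptions chosen to show the idea; a real deployment would have to be told the actual formats of its sensors.

```python
"""Added example (not from the paper): a minimal two-stage alert correlation
pipeline. Stage 1 maps heterogeneous sensor lines onto one record layout;
stage 2 collapses repeated reports of the same event, even when they come
from different devices, into a single record with a count.
Formats, field names and sample lines are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """Unified alert record produced by the format standardization stage."""
    ts: datetime
    sensor: str
    src: str
    dst: str
    signature: str


@dataclass
class Correlated:
    """Output of the redundancy management stage: one record per event."""
    first: Alert            # earliest alert in the group
    count: int              # how many raw alerts were merged into it
    sensors: set            # which devices reported it


# Two hypothetical sensor formats (constructed; not any real product's syntax).
# Format A: "2014-11-18 09:00:01 fw1 DENY 10.0.0.5 -> 192.168.1.10 PORTSCAN"
_FMT_A = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) -> (\S+) (\S+)$")
# Format B: "ts=1416301202 sensor=ids2 src=10.0.0.5 dst=192.168.1.10 sig=PORTSCAN"
_FMT_B = re.compile(r"^ts=(\d+) sensor=(\S+) src=(\S+) dst=(\S+) sig=(\S+)$")
_EPOCH = datetime(1970, 1, 1)


def standardize(line):
    """Stage 1: parse one raw line in either format into an Alert.
    Lines matching neither format are treated as irrelevant and dropped (None)."""
    m = _FMT_A.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return Alert(ts, m.group(2), m.group(4), m.group(5), m.group(6))
    m = _FMT_B.match(line)
    if m:
        ts = _EPOCH + timedelta(seconds=int(m.group(1)))  # naive UTC, like format A
        return Alert(ts, m.group(2), m.group(3), m.group(4), m.group(5))
    return None


def deduplicate(alerts, window=timedelta(seconds=60)):
    """Stage 2: merge alerts sharing (src, dst, signature) that fall within
    `window` of the first alert of their group. The sensor is deliberately
    left out of the key so that a firewall and an IDS reporting the same
    event collapse into one record."""
    groups = []          # list of Correlated, in order of first appearance
    open_group = {}      # key -> index in `groups` of the currently open group
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.signature)
        idx = open_group.get(key)
        if idx is not None and a.ts - groups[idx].first.ts <= window:
            groups[idx].count += 1
            groups[idx].sensors.add(a.sensor)
        else:
            groups.append(Correlated(first=a, count=1, sensors={a.sensor}))
            open_group[key] = len(groups) - 1
    return groups


def correlate(lines, window=timedelta(seconds=60)):
    """Run both stages over raw log lines."""
    alerts = [a for a in (standardize(l) for l in lines) if a is not None]
    return deduplicate(alerts, window)


# Constructed sample input: the same port scan seen three times by two devices,
# one unrelated line, one different event, and a late repeat outside the window.
RAW_LOGS = [
    "2014-11-18 09:00:01 fw1 DENY 10.0.0.5 -> 192.168.1.10 PORTSCAN",
    "ts=1416301202 sensor=ids2 src=10.0.0.5 dst=192.168.1.10 sig=PORTSCAN",
    "2014-11-18 09:00:03 fw1 DENY 10.0.0.5 -> 192.168.1.10 PORTSCAN",
    "some unrelated debug line",
    "ts=1416301260 sensor=ids2 src=10.0.0.7 dst=192.168.1.20 sig=SQLI",
    "2014-11-18 09:02:30 fw1 DENY 10.0.0.5 -> 192.168.1.10 PORTSCAN",
]

if __name__ == "__main__":
    for g in correlate(RAW_LOGS):
        print(f"{g.first.ts} {g.first.signature:8} {g.first.src} -> {g.first.dst} "
              f"x{g.count} reported by {sorted(g.sensors)}")
```

On the sample input the six raw lines reduce to three correlated records: the port scan reported three times by two devices within the window becomes one record with a count of 3, the SQLI event stays as one record, and the repeat of the scan 149 seconds later opens a new group because it lies outside the 60-second window. Keeping the count and the set of reporting sensors on the merged record is what lets an investigator later see how many devices observed an event without re-reading every raw log.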

DOI: 10.5339/qfarc.2014.ITPP1120
2014-11-18
2020-09-21