Resource Analysis of the Log Files Storage Based on Simulation Models in a Virtual Environment

Abstract

In order to perform resource analyses, we here offer an experimental stand on virtual machines. The concept of how to measure the resources of each component is proposed. In the case of system design, you can estimate how many resources to reserve, and if external modules are installed in an existing system, you can assess whether there are enough resources and whether the system can scale. This is especially important for large software systems with web services. The dataset contains a set of experimental data and the configuration of virtual servers of the experiment in order to conduct resource analyses of the logs.

1. Introduction

SIEM systems are a developing area in the field of computer security. However, incorporating a new storage component into computing infrastructure is often difficult. In this situation, a system administrator needs to know how many resources are required for a particular SIEM component.

A significant amount of modern research has been devoted to the development of SIEM system architectures [1,2], the identification of threat sources and mechanisms for their detection in distributed systems [3,4,5], to block malicious traffic from IoT devices [6], and to research intellectual data processing from several sources [7,8], using event classification methods [9,10]. Other research directions are dedicated to the extraction of data that are applicable for access control [5,11,12], in the analysis of user behavior [13], and for computer security specific situations in different environments (e.g., IoT, smart cities) [11,14,15].

In modern research, considerable attention is paid to the architecture of computing systems when introducing access control tools. The consideration of security issues in the organization of access control, separately from the computing complex for high-load multi-user services (diagram shown in Figure 1) entails the problems of choosing and configuring network and server equipment and the parameters of data storage systems [16,17]. Additional security measures might have an impact on computing system resource efficiency, so it is reasonable to evaluate the impact prior to production deployment of a particular SIEM component. Thus, the aim of the study is to select tools and models that provide a solution to the problems of building a computing system architecture for web services that implement resource-efficient technological solutions.

Specific features of the use of web portals, web services, and mobile applications is the impossibility of determining the intensity of user requests of the complete infrastructure itself (since it is not possible to determine all stages of signal transmission through networks since this includes providers’ servers caching data processing servers and other network equipment not connected in any way to the designed computing complex). In addition, existing commercial SIEM solutions analyze access at the level of the network [18] and data center servers, which excludes a number of important points that require control, including those associated with user behavior on client devices, and these data can only be obtained at the level of developed software. All this requires the development of a specialized architecture, methods, and models for the research object under consideration.

Resource efficiency can be analyzed with approaches such as algorithm complexity analysis [19] and benchmarking [20]. The former can provide information on the execution time of an algorithm, yet it is hardly applicable for the analysis of complex software systems. The latter is a well-known approach for software resource efficiency analysis, yet it does not consider the specifics of computing infrastructure nor the planned volume of data requests. To solve the problem of building an efficient computing service architecture, considering the given specifics, it is necessary to develop a methodology for simulation modeling to assess the values of the component parameters of the SIEM system.

2. Materials and Methods

The task of building an architecture is to build a set of components that implement SIEM and their interconnections, so that there is an opportunity to assess their resource efficiencies. In other words, for the flow of user requests, x, to a web service and for the component, $Z_i$, of the architecture, $V$, the following can be estimated:

$$Z_i\subset V:x\stackrel{\Phi }{\to }{R}_i,i=\overline{1,q},$$

(1)

where $R_i={\mathbb{R}}^n$ is the vector of the measured computing resources; n is the dimensionality of this vector; $\Phi$ is a mapping such that parameter $R_i$ is measurable for the observed process (x). That is, the architecture must ensure that the $\Phi$ mapping is identifiable for a given stream of events. This can be achieved by implementing the dependency of each component on the input stream and the ability to measure resources.

To estimate the resources ($R_i$) in expression (1), due to the structural transparency of the architecture, simulation modeling can be used. In a number of works devoted to the construction of the mathematical models of web-portal processes, it is shown that stochastic processes describing user access can be identified based on typical requests. However, the use of the dynamic stochastic models used in these works does not seem appropriate for solving the problems of assessing the resource efficiency of the components of the access control architecture. In general, dynamic models are widely used to build traffic models. To estimate resources, there is no need to build accurate predictive models of processes, since the sought-after values of the stocks of computing resources depend only on the range and intensity of processes, which can be implemented via simulation of a random variable with a given distribution function. Note that, when using public networks with the TCP/IP protocol, due to the limited channel, an increase in the frequency of requests is observed in the histogram in the area of the upper boundary, which is associated with re-sent non-missed packets, that is, heavy-tailed distributions are observed.

A method for analyzing the costs of computing resources for the implementation of access control systems has been developed, based on an approach that uses virtual stands that provide a simulation environment that uses a computing complex at each level of access control. The technique consists of seven steps:

• The building of a typical user request.
• Implementation of an access control system with the means for data flow control, generated by a typical request.
• Creation of a virtual experimental stand that simulates an environment for using architecture components.
• Formation of a random signal with a given distribution law based on typical user requests.
• Obtaining estimates of the values of the resources required to use the access control system.
• In the case of solving the problem of choosing options for the implementation of CA means, the selection of options that have lower resource costs.
• Formation of the architecture of the computing complex, taking the obtained values of the costs of computing resources into account.

Consider, for example, the problem of evaluating computational costs when recording events in a database while working with web services over computer networks with logging user actions. It is assumed that the recording of user actions will be carried out in the event log. For each device, keeping a record of the activity log is proposed. For experimental research, we will use the following data: the volume of the original data file is 460 MB without formatting and the file contains records in a semi-structured JSON format.

Before starting the experiment, three virtual machines (VM) (client, server, and database) with specified characteristics were created. VirtualBox was utilized as a hypervisor for the task. RAM and CPU allocation policies were left at default settings. For repeated experiments, previously created VMs were deleted and then created anew to ensure the exact same experimental conditions between repetitions. VM management was conducted using Vagrant, while VM provisioning was implemented with Ansible. The host machine hardware was as follows:

• CPU—AMD Ryzen 7 3700X 8-Core Processor, 3600 MHz, 8 physical cores, 16 logical cores.
• RAM—32 Gb DDR4, frequency 1600 MHz, Dual Channel Mode.
• Disk Subsystem—Samsung SSD 970 EVO Plus.

All VMs were ran the same guest operating system: Ubuntu 16.04 LTS (Xenial Xerus), Vagrant box 20190816.0.0. The structure of the experimental stand is shown in Figure 2 and in

Table 1. Parameters of the virtual machines.

	CPU Cores	RAM (MB)	Maximum Allowed Load of CPU Cores (%)	Input–Output System Bandwidth (MB/sec)
Client	4	8192	100	–
Server	2	2048	100	–
Database	2	2048	50	25

.

3. Results

After creating a VM, and installing and running the server software and DBMS, the experiment began. The initial data were loaded into the RAM of the client machine. After they were fully loaded, the sending of data with the specified parameters began.

The experiment is discussed in detail in Appendix A.

The results of the computational experiment are shown in

Table 2. Indicators of resource costs for logging user actions.

Resource Indicator	Value without Using Logging	Value with Using Logging	Difference in %
Client VM CPU	8.498	8.217	3.3
Server VM CPU	19.710	22.230	12.7
Database VM CPU	2.859	4.371	52.9
Client VM Free RAM	1296,828.186	1295,666.406	0.08
Server VM Free RAM	41,345.797	39,147.056	5.32
Database VM Free RAM	340,911.115	341,359.788	0.13

.

Thus, for the considered example, the use of logging user actions was experimentally established and only significantly affected the load on the server processor (Figure 3) and the database processor (Figure 4), and insignificantly increased the server memory load. The introduction of access control with logging requires the introduction of appropriate resources reserves into the computing complex.

4. Data Description

The dataset (http://dx.doi.org/10.17632/25v6shzfff.1, accessed on 27 February 2021) consists of three files:

• File with input data (initial-dataset.json), which is used by the client to send requests.
• File with the results of monitoring virtual machine resources for the experiment without logging (monitoring-data_wo-logging.json).
• File with the results of monitoring virtual machine resources for the experiment with logging (monitoring-data_w-logging.json).

The input data file contains two types of documents: ResearchSubject and ResearchResult. They are related in a one-to-many relationship, i.e., a ResearchSubject can have zero or more associated ResearchResult documents. In the source file, this link is implemented through nesting.

The ResearchSubject document contains 8 string type attributes and a single attribute representing the array of ResearchResult documents. ResearchResult document consists of 7 string type attributes, a single numeric type attribute and an attribute named “data”. The “data” attribute content represents an object of various structures. The document examples are available in Appendix B and Figure A3 and Figure A4, respectively. As the part of the experiment with the addition of logging for each incoming request, the server software generates ActionLog documents, the structure of which is shown in Appendix B, Figure A5. These documents contain basic information on HTTP requests, such as user identifiers, Boolean flag marking a user’s existence in the system, time of the log entry creation, the HTTP method, and the called remote method name. They are generated programmatically and a hook is used (the source code is shown in Appendix B, Figure A6), which is triggered after the received request is completed. It is important to note that all requests in the experiment contain a userId, so, after each request, two consecutive actions are performed:

• the user with the userId identifier is found;
• an ActionLog document is created and written to the database.

The output from monitoring virtual machine resources is provided by the atop utility. Raw output of the atop utility requires the making of a domain-specific parser, as it does not conform to widespread formats, such as CSV, etc. In addition, the documentation refers to specific data columns by their position, which is hard to read. To provide data in a more usable form, the raw output was converted into the JSON format.

The output files have an identical structure (see Appendix B, Figure A7 for a generalized example). Each file contains three objects with data available under the following keys: “client” is for the results of monitoring the resources of the client VM, “server” is for the results of monitoring the resources of the server VM, and “mongodb” is for the results of monitoring the resources of the DBMS VM.

5. Conclusions

This paper considered the task of the selection of resource-efficient technological solutions for building a computing system architecture for web services. The SIEM systems application scope was investigated as an important area in the field of computer security.

A method for analyzing the costs of computing resources for the implementation of access control systems has been proposed. An experiment was conducted using the proposed method. The experimental details are given, as well as the corresponding datasets and experiment virtual environment configurations. It was demonstrated that the SIEM component resource efficiency impact can be measured using virtual environments.

Development of frameworks and automation tools for resource efficiency studies can be further research goals. The results can be beneficial for studying the resource efficiency impacts of various SIEM components and other architecture solutions for computing systems.