Authors: Huynh Ngoc Anh, Do Hoang Giang and Wee Keong Ng
A security operations center has to manage a huge number of security events every hour, reported by security sensors located inside or outside the protected network. Intrusion detection systems are typical examples of locally positioned security sensors, and honeypots, positioned around the globe, are examples of outside security sensors. Security events usually arrive as independent incidents about which only partial information is available. Interesting attributes of security events, as well as the relationships between them, may be hidden in other data sources. Motivated by this observation, this paper proposes a system that addresses two issues: enriching security events by inferring their hidden attributes, and discovering causal connections between the enriched security events. Hidden attributes of security events are derived from a rich knowledge base built from expert domain knowledge, vulnerability databases and malware databases. Connections between causally related security events are discovered using the prerequisite-consequence model, which reasonably assumes that two events are causally related if one event requires some capabilities that are provided by the other.
Keywords: Intrusion Detection; Security Event; Domain Knowledge; Causal Analysis.
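A minimal illustration of the enrichment and prerequisite-consequence linking described in the abstract, added here as example code that is not from the paper. The knowledge base contents, the event fields, the per-host scoping of capabilities and the time window are all assumptions made for the example.

```python
"""Enrich raw sensor events with hidden attributes, then link them causally."""
from dataclasses import dataclass, field

# Constructed knowledge base (hypothetical): maps a raw sensor signature to the
# capabilities an attack step needs (prerequisites) and grants (consequences).
KNOWLEDGE_BASE = {
    "port_scan":       {"prereq": set(),              "conseq": {"service_known"}},
    "exploit_attempt": {"prereq": {"service_known"},  "conseq": {"shell_access"}},
    "outbound_c2":     {"prereq": {"shell_access"},   "conseq": {"c2_channel"}},
}

@dataclass
class Event:
    id: str
    ts: int            # epoch seconds reported by the sensor
    signature: str     # raw sensor label, the only attribute the sensor gives us
    dst: str           # target host the event concerns
    prereq: set = field(default_factory=set)  # hidden attribute, inferred below
    conseq: set = field(default_factory=set)  # hidden attribute, inferred below

def enrich(event):
    """Infer prerequisite/consequence attributes from the knowledge base.
    Unknown signatures get empty sets and therefore never link to anything."""
    entry = KNOWLEDGE_BASE.get(event.signature, {"prereq": set(), "conseq": set()})
    event.prereq = set(entry["prereq"])
    event.conseq = set(entry["conseq"])
    return event

def correlate(events, window=3600):
    """Return (earlier_id, later_id) pairs where the earlier event provides a
    capability the later one requires, on the same host, within the window."""
    ordered = sorted((enrich(e) for e in events), key=lambda e: e.ts)
    links = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.dst == later.dst
                    and later.ts - earlier.ts <= window
                    and earlier.conseq & later.prereq):
                links.append((earlier.id, later.id))
    return links

# Constructed sample events; e4 has no prior scan on its host and stays unlinked.
SAMPLE_EVENTS = [
    Event("e1", 1000, "port_scan", "10.0.0.5"),
    Event("e2", 1300, "exploit_attempt", "10.0.0.5"),
    Event("e3", 1500, "outbound_c2", "10.0.0.5"),
    Event("e4", 1400, "exploit_attempt", "10.0.0.9"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # [('e1', 'e2'), ('e2', 'e3')]
```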