Discovering and utilising expert knowledge from security event logs

Saad Khan, Simon Parkinson

Research output: Contribution to journal › Article

Abstract

Vulnerability assessment and security configuration of computer systems is heavily dependent on human experts, who are widely acknowledged to be in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system's event logs to establish security information (configuration changes, errors, etc.). However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. In this paper, we present a novel technique to process security event logs of a system that have been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply acquired knowledge to previously unseen systems by non-experts to propose security improvements. The proposed solution utilises rule mining algorithms to extract security actions from event log entries. The set of identified rules is represented as a domain action model. The domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system's security. Empirical analysis is subsequently performed on 21 event logs, where the acquired domain model and identified plans are discussed in terms of accuracy and performance.
Language: English
Article number: 102375
Pages: 1-22
Number of pages: 22
Journal: Journal of Information Security and Applications
Volume: 48
Early online date: 30 Aug 2019
Publication status: Published - Oct 2019

Fingerprint

Security systems
Computer systems
Decision making

Cite this

@article{79ee24d2a97f46f0937bd67de0dfed71,
title = "Discovering and utilising expert knowledge from security event logs",
abstract = "Vulnerability assessment and security configuration of computer systems is heavily dependent on human experts, which are widely attributed as being in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system's event logs to establish security information (configuration changes, errors, etc.). However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. In this paper, we present a novel technique to process security event logs of a system that have been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply acquired knowledge to previously unseen systems by non-experts to propose security improvements. The proposed solution utilises rule mining algorithms to extract security actions from event log entries. The set of identified rules is represented as a domain action model. The domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system's security. Empirical analysis is subsequently performed on 21 event logs, where the acquired domain model and identified plans are discussed in terms of accuracy and performance.",
keywords = "Event Logs, Association Rule Mining, Causality, Automated Planning",
author = "Saad Khan and Simon Parkinson",
year = "2019",
month = "10",
language = "English",
volume = "48",
pages = "1--22",
journal = "Journal of Information Security and Applications",
issn = "2214-2126",
publisher = "Elsevier Limited",
}

Discovering and utilising expert knowledge from security event logs. / Khan, Saad; Parkinson, Simon.

In: Journal of Information Security and Applications, Vol. 48, 102375, 10.2019, p. 1-22.

Research output: Contribution to journal › Article

TY - JOUR

T1 - Discovering and utilising expert knowledge from security event logs

AU - Khan, Saad

AU - Parkinson, Simon

PY - 2019/10

Y1 - 2019/10

N2 - Vulnerability assessment and security configuration of computer systems is heavily dependent on human experts, which are widely attributed as being in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system's event logs to establish security information (configuration changes, errors, etc.). However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. In this paper, we present a novel technique to process security event logs of a system that have been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply acquired knowledge to previously unseen systems by non-experts to propose security improvements. The proposed solution utilises rule mining algorithms to extract security actions from event log entries. The set of identified rules is represented as a domain action model. The domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system's security. Empirical analysis is subsequently performed on 21 event logs, where the acquired domain model and identified plans are discussed in terms of accuracy and performance.

AB - Vulnerability assessment and security configuration of computer systems is heavily dependent on human experts, which are widely attributed as being in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system's event logs to establish security information (configuration changes, errors, etc.). However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. In this paper, we present a novel technique to process security event logs of a system that have been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply acquired knowledge to previously unseen systems by non-experts to propose security improvements. The proposed solution utilises rule mining algorithms to extract security actions from event log entries. The set of identified rules is represented as a domain action model. The domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system's security. Empirical analysis is subsequently performed on 21 event logs, where the acquired domain model and identified plans are discussed in terms of accuracy and performance.

KW - Event Logs

KW - Association Rule Mining

KW - Causality

KW - Automated Planning

UR - https://www.scopus.com/record/display.uri?eid=2-s2.0-85071449480&origin=resultslist&sort=plf-f&src=s&st1=Discovering+and+utilising+expert+knowledge+from+security+event+logs&st2=&sid=17a152393b27e7467ffb0d80b7ebc6f6&sot=b&sdt=b&sl=82&s=TITLE-ABS-KEY%28Discovering+and+utilising+expert+knowledge+from+security+event+logs%29&relpos=0&citeCnt=0&searchTerm=

M3 - Article

VL - 48

SP - 1

EP - 22

JO - Journal of Information Security and Applications

T2 - Journal of Information Security and Applications

JF - Journal of Information Security and Applications

SN - 2214-2126

M1 - 102375

ER -