DEEPCASE: Semi-Supervised Contextual Analysis of Security Events

Abstract
Security monitoring systems detect potentially malicious activities in IT infrastructures, either by looking for known signatures or by looking for anomalous behaviors. Security operators investigate these events to determine whether they pose a threat to their organization. In many cases, a single event is insufficient to determine whether certain activity is indeed malicious. Therefore, a security operator frequently needs to correlate multiple events to identify whether they pose a real threat. Unfortunately, the vast number of events that need to be correlated often overloads security operators, forcing them to ignore some events and, thereby, potentially miss attacks. This work studies how to automatically correlate security events and, thus, automate parts of the security operator workload. We design and evaluate DEEPCASE, a system that leverages the context around events to determine which events require further inspection. This approach reduces the number of events that need to be inspected. In addition, the context provides valuable insights into why certain events are classified as malicious. We show that our approach automatically filters 86.72% of the events and reduces the manual workload of security operators by 90.53%, while underestimating the risk of potential threats in less than 0.001% of cases.
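The following is an added illustration of the workflow the abstract describes, not DeepCASE's own code or algorithm (the paper's actual context builder and clustering are described in the paper itself, and the public code is linked under Datasets below). It assumes that an event is a (time, host, name) triple, that an event's context is the three events that preceded it on the same host, and that a (context, event) pair an analyst has labelled once is labelled automatically whenever it recurs, so only unseen pairs reach the analyst. The hosts, event names and risk levels are constructed sample data. The same event (a successful SSH login) receives a different label depending on its context, and the underestimation check counts automatic labels that fall below the true risk, the failure mode the abstract reports as below 0.001%.

```python
"""Context-based event triage, as a toy illustration of the idea in the abstract.

Added example, not DeepCASE's code. Assumptions:
  - an event is (time, host, name);
  - an event's context is the CONTEXT_LEN events that preceded it on the same host;
  - an analyst labels a (context, event) pair once; identical pairs are then
    labelled automatically and only unseen pairs are escalated.
"""
from collections import defaultdict, deque, namedtuple

CONTEXT_LEN = 3
PAD = "-"                                   # fills the context of a host's first events
RISK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

Decision = namedtuple("Decision", "time host event risk source")


def build_contexts(events, n=CONTEXT_LEN):
    """Yield (time, host, name, context) for each event in time order.

    context is a tuple of the n preceding event names on the same host,
    oldest first, padded with PAD when fewer than n events have been seen.
    """
    history = defaultdict(lambda: deque([PAD] * n, maxlen=n))
    for t, host, name in sorted(events):
        yield t, host, name, tuple(history[host])
        history[host].append(name)


def triage(events, labels, analyst, n=CONTEXT_LEN):
    """Semi-supervised triage over an event stream.

    labels:  dict {(context, name): risk}; known pairs are labelled automatically.
             The dict is extended in place as the analyst labels new pairs.
    analyst: callable (time, host, name, context) -> risk, standing in for a human.
    Returns (decisions, escalated): every decision, and the distinct pairs that
    needed the analyst.
    """
    decisions, escalated = [], []
    for t, host, name, ctx in build_contexts(events, n):
        key = (ctx, name)
        if key in labels:
            decisions.append(Decision(t, host, name, labels[key], "auto"))
        else:
            risk = analyst(t, host, name, ctx)
            labels[key] = risk
            escalated.append(key)
            decisions.append(Decision(t, host, name, risk, "analyst"))
    return decisions, escalated


def workload_reduction(decisions):
    """Fraction of events that never reached the analyst."""
    return sum(d.source == "auto" for d in decisions) / len(decisions)


def underestimated(decisions, truth):
    """Count automatically labelled events whose assigned risk is below the true
    risk; this is the error that must stay near zero for automation to be safe.
    truth: dict {(time, host): risk}.
    """
    return sum(1 for d in decisions
               if d.source == "auto" and RISK[d.risk] < RISK[truth[(d.time, d.host)]])


# Constructed sample stream (time, host, event, true risk); not real telemetry.
# h1 and h3 show the same brute-force-then-persistence chain; h2 and h4 show a
# single failed login followed by success, i.e. a benign typo.
SAMPLE = [
    (1, "h1", "port_scan", "LOW"),
    (2, "h1", "ssh_login_failed", "LOW"),
    (3, "h1", "ssh_login_failed", "LOW"),
    (4, "h1", "ssh_login_success", "HIGH"),
    (5, "h1", "new_user_added", "HIGH"),
    (6, "h2", "ssh_login_failed", "LOW"),
    (7, "h2", "ssh_login_success", "INFO"),
    (8, "h3", "port_scan", "LOW"),
    (9, "h3", "ssh_login_failed", "LOW"),
    (10, "h3", "ssh_login_failed", "LOW"),
    (11, "h3", "ssh_login_success", "HIGH"),
    (12, "h3", "new_user_added", "HIGH"),
    (13, "h4", "ssh_login_failed", "LOW"),
    (14, "h4", "ssh_login_success", "INFO"),
]
TRUTH = {(t, host): risk for t, host, _, risk in SAMPLE}
EVENTS = [(t, host, name) for t, host, name, _ in SAMPLE]


def run_demo(seed_labels=None):
    """Run triage on SAMPLE with a simulated analyst who answers from TRUTH."""
    labels = dict(seed_labels or {})
    decisions, escalated = triage(EVENTS, labels, lambda t, h, n, c: TRUTH[(t, h)])
    return decisions, escalated, workload_reduction(decisions), underestimated(decisions, TRUTH)


if __name__ == "__main__":
    decisions, escalated, reduction, under = run_demo()
    for d in decisions:
        print(f"t={d.time:>2} {d.host} {d.event:<18} {d.risk:<6} {d.source}")
    print(f"escalated {len(escalated)} of {len(decisions)} events; "
          f"workload reduction {reduction:.0%}; underestimated {under}")
```

On this sample the analyst labels the seven distinct (context, event) pairs seen on h1 and h2, and the seven events on h3 and h4 are labelled automatically with no underestimation. Seeding the label store with a wrong, too-low label (for example `port_scan` with an empty context as `INFO`) makes `underestimated` report the affected events, which is the check to keep in any such pipeline before trusting automatic labels.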
Field | Value |
---|---|
Original language | English |
Title of host publication | 2022 IEEE Symposium on Security and Privacy (SP) |
Publisher | IEEE |
Pages | 522-539 |
Number of pages | 18 |
ISBN (Electronic) | 978-1-6654-1316-9 |
ISBN (Print) | 978-1-6654-1317-6 |
DOIs | |
Publication status | Published - 27 Jul 2022 |
Event | 43rd IEEE Symposium on Security and Privacy, S & P 2022, Virtual Event |
Event duration | 22 May 2022 → 26 May 2022 |
Conference number | 43 |
Publication series

Field | Value |
---|---|
Name | Proceedings - IEEE Symposium on Security and Privacy |
Volume | 2022-May |
ISSN (Print) | 1081-6011 |
Conference

Field | Value |
---|---|
Conference | 43rd IEEE Symposium on Security and Privacy, S & P 2022 |
Abbreviated title | S & P 2022 |
City | Virtual Event |
Period | 22/05/22 → 26/05/22 |
Keywords
- Cybersecurity
Datasets
- Code for DeepCASE: Semi-Supervised Contextual Analysis of Security Events
  van Ede, T. (Creator), Aghakhani, H. (Creator), Spahn, N. (Creator), Bortolameotti, R. (Creator), Cova, M. (Creator), Continella, A. (Creator), van Steen, M. (Creator), Peter, A. (Creator), Kruegel, C. (Creator) & Vigna, G. (Creator), 4TU.Centre for Research Data, 26 Oct 2023
  DOI: 10.4121/86c12ba1-7709-45c3-ade3-897552f98ca3, https://data.4tu.nl/datasets/86c12ba1-7709-45c3-ade3-897552f98ca3
  Dataset
- Code for Tiresias: Predicting Security Events Through Deep Learning
  van Ede, T. (Creator), 4TU.Centre for Research Data, 26 Oct 2023
  DOI: 10.4121/4e12761f-716a-4ea6-b08c-a6a6e459893d, https://data.4tu.nl/datasets/4e12761f-716a-4ea6-b08c-a6a6e459893d
  Dataset
- Code for DeepLog: Anomaly detection and diagnosis from system logs through deep learning
  van Ede, T. (Creator), 4TU.Centre for Research Data, 26 Oct 2023
  DOI: 10.4121/7a6086ad-1cd1-4a76-be8a-b7c0b6d17311, https://data.4tu.nl/datasets/7a6086ad-1cd1-4a76-be8a-b7c0b6d17311 (version 1: https://data.4tu.nl/datasets/7a6086ad-1cd1-4a76-be8a-b7c0b6d17311/1)
  Dataset