DEEPCASE: Semi-Supervised Contextual Analysis of Security Events

Thijs van Ede, Hojjat Aghakhani, Noah Spahn, Riccardo Bortolameotti, Marco Cova, Andrea Continella, Maarten van Steen, Andreas Peter, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


Abstract

Security monitoring systems detect potentially malicious activities in IT infrastructures by looking either for known signatures or for anomalous behaviors. Security operators investigate these events to determine whether they pose a threat to their organization. In many cases, a single event is insufficient to determine whether certain activity is indeed malicious. Therefore, a security operator frequently needs to correlate multiple events to identify whether they pose a real threat. Unfortunately, the vast number of events that need to be correlated often overloads security operators, forcing them to ignore some events and, thereby, potentially miss attacks. This work studies how to automatically correlate security events and, thus, automate parts of the security operator's workload. We design and evaluate DEEPCASE, a system that leverages the context around events to determine which events require further inspection. This approach reduces the number of events that need to be inspected. In addition, the context provides valuable insights into why certain events are classified as malicious. We show that our approach automatically filters 86.72% of the events and reduces the manual workload of security operators by 90.53%, while underestimating the risk of potential threats in less than 0.001% of cases.

Original language: English
Title of host publication: 2022 IEEE Symposium on Security and Privacy (SP)
Publisher: IEEE
Pages: 522-539
Number of pages: 18
ISBN (Electronic): 978-1-6654-1316-9
ISBN (Print): 978-1-6654-1317-6
DOIs
Publication status: Published - 27 Jul 2022
Event: 43rd IEEE Symposium on Security and Privacy, S & P 2022 - Virtual Event
Duration: 22 May 2022 - 26 May 2022
Conference number: 43

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2022-May
ISSN (Print): 1081-6011

Conference

Conference: 43rd IEEE Symposium on Security and Privacy, S & P 2022
Abbreviated title: S & P 2022
City: Virtual Event
Period: 22/05/22 - 26/05/22

Keywords

  • Cybersecurity
