Automating Incident Classification Using Sentiment Analysis and Machine Learning

  • Marina Danchovsky IbrishimovaEmail author
  • Kin Fun Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11317)


The first step in an incident response plan of an organization is to establish whether the reported event is in fact an incident. This is not an easy task especially if it is a novel event, which has not previously been documented. A typical classification of a novel event includes consulting a database of events with similar keywords and making a subjective decision by human. Efforts have been made to categorize events but there is no universal list of all possible incidents because each incident can be described in multiple different ways. In this paper we propose automating the process of receiving and classifying an event based on the assumption that the main difference between an event and an incident in the field of security is that an event is a positive or a neutral occurrence whereas an incident has strictly negative connotations. We applied sentiment analysis on event reports from the RISI dataset, and the results supported our assumption. We further observed that the sentiment analysis score and magnitude parameters of similar incidents were also very similar and we used them as features in a machine learning model along with other features obtained from each report such as impact and duration in order to predict the likelihood that an event is an incident. We found that using sentiment analysis as a feature of the model increases its accuracy, precision, and recall by at least 10%. The difference between our approach and the typical incident classification approach is that in our approach we train the system to recognize the incidents before any incident actually takes place and our system can recognize incidents even if their descriptions do not include keywords previously encountered by the system.


Incident response classification Machine learning Natural language processing Security Sentiment analysis 


  1. 1.
    Cohen, F.B.: Protection and Security on the Information Superhighway. Wiley, New York (1995)Google Scholar
  2. 2.
    ITU-T X.1056 Recommendations. Accessed 02 June 2018
  3. 3.
    Howard, J.D., Longstaff, T.A.: A common language for computer security incidents. United States (1998).
  4. 4.
    Cohen, F.: Information system attacks: a preliminary classification scheme. Comput. Secur. 16(1), 29–46 (1997)CrossRefGoogle Scholar
  5. 5.
    AI Automation for incident management. Accessed 02 June 2018
  6. 6.
  7. 7.
    Pham, C.: From events to incidents, SANS InfoSec Reading Room. Accessed 02 June 2018
  8. 8.
    Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient Estimation of Word Representations in Vector Space. CoRR, abs/1301.3781 (2013)Google Scholar
  9. 9.
    Mikolov, T., Sutskever, I., Chen, K., Corrado, G., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Burges, C.J.C., Bottou, L., Welling, M., Ghahramani, Z., Weinberger, K.Q. (eds.) Proceedings of the 26th International Conference on Neural Information Processing Systems, (NIPS 2013), vol. 2, pp. 3111–3119. Curran Associates Inc., USA (2013)Google Scholar
  10. 10.
    Bae, S., Yi, Y.: Acceleration of Word2vec using GPUs. In: Hirose, A., Ozawa, S., Doya, K., Ikeda, K., Lee, M., Liu, D. (eds.) ICONIP 2016. LNCS, vol. 9948, pp. 269–279. Springer, Cham (2016). Scholar
  11. 11.
    Logistic Regression: Calculating a probability. Accessed 02 June 2018
  12. 12.
  13. 13.
    Lazorenko, A.: TensorFlow Performance Test: CPU vs GPU. Accessed 02 June 2018
  14. 14.
    Chu, V.: Benchmarking Tensorflow Performance and Cost Across Different GPU Options. Accessed 02 June 2018
  15. 15.
    Vafaie, H., Imam, I.F.: Feature selection methods: genetic algorithms vs. greedy-like search. In: Proceedings of the 3rd International Fuzzy Systems and Intelligent Control Conference, Louisville, KY, March 1994Google Scholar
  16. 16.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.University of VictoriaVictoriaCanada

Personalised recommendations