An Explainable Intelligence Model for Security Event Analysis

  • Neda AfzaliSeresht
  • Qing Liu
  • Yuan Miao
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11919)


Monitoring systems log a huge volume of events. Analysts do not audit or trace the log files, which record the most significant events, until an incident occurs. Human analysis is a tedious and inaccurate task given the vast volume of log files stored in a “machine-friendly” format. Analysts have to derive the context for an incident from prior knowledge, finding the events relevant to the incident in order to recognise why it happened. Although security tools that provide visualization techniques and minimize human interaction have been developed to make analysis easier, far too little attention has been paid to interpreting security incidents in a “human-friendly” format. Besides, current detection patterns and rules are not mature enough to recognize early breaches that have not caused any damage. In this paper, we present an Explainable AI model that assists the analysts’ judgement in inferring what has happened from the security event logs. The proposed Explainable AI model includes storytelling as a novel knowledge representation model to present the sequence of events that are automatically discovered from the log file. To discover sequential events automatically, an Apriori-like algorithm that mines temporal patterns is used. This effort focuses on security events to convey both short-life and long-life activities. The experimental results demonstrate the potential and advantages of the proposed Explainable AI model on security logs, validated on the activities during security configuration compliance on a Windows system.


Keywords: Security events, Storytelling, Periodic frequent item set



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. ISILC, Victoria University, Melbourne, Australia
  2. Data61, CSIRO, Hobart, Australia
