Abstract
Monitoring systems log a huge volume of events. Analysts rarely audit or trace the log files, which record the most significant events, until an incident occurs. Manual analysis is tedious and error-prone given the vast volume of logs stored in a “machine-friendly” format: the analyst has to reconstruct the context of an incident from prior knowledge, find the events relevant to it, and recognise why it happened. Although security tools have been developed to ease analysis through visualization techniques and by minimizing human interaction, far too little attention has been paid to interpreting security incidents in a “human-friendly” format. Moreover, current detection patterns and rules are not mature enough to recognize early-stage breaches that have not yet caused any damage. In this paper, we present an Explainable AI model that assists the analyst’s judgement in inferring what has happened from security event logs. The model uses storytelling as a novel knowledge representation to present sequences of events that are discovered automatically from the log file. Sequential events are discovered by an Apriori-like algorithm that mines temporal patterns. The effort focuses on security events so as to convey both short-lived and long-lived activities. Experimental results, validated on the activities recorded during security configuration compliance checks on a Windows system, demonstrate the potential and advantages of the proposed Explainable AI model.
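The following Python program is an added illustration of the approach the abstract describes; it is not the authors' code. It mines frequent event sequences from a constructed Windows Security log with an Apriori-style level-wise search under a maximum-gap constraint, and then renders the maximal patterns as short narratives. The event IDs (4624 logon, 4672 special privileges, 4688 process creation, 4719 audit policy change, 4634 logoff) are standard Windows Security log IDs; the sample log, the rule that a new session starts at each 4624 for an account, the 50% support threshold and the 10-minute gap are assumptions made for the example.

```python
"""Apriori-style temporal pattern mining over Windows Security events, rendered as
short narratives. Added illustration, not the paper's code; the log is constructed."""
from datetime import datetime, timedelta

LOGON = 4624                      # each 4624 opens a new logon session for that account
MAX_GAP = timedelta(minutes=10)   # assumed bound between consecutive events of a pattern

EVENT_NAMES = {  # standard Windows Security log IDs, paraphrased for the narrative
    4624: "an account logged on",
    4672: "special privileges were assigned to the new logon",
    4688: "a new process was created",
    4719: "the system audit policy was changed",
    4634: "the account logged off",
}

# Constructed sample log: "timestamp account event_id" per line (not real telemetry).
RAW_LOG = """
2019-11-01T09:00:00 alice 4624
2019-11-01T09:00:01 alice 4672
2019-11-01T09:00:20 alice 4688
2019-11-01T09:00:45 alice 4719
2019-11-01T09:05:00 alice 4634
2019-11-01T10:00:00 bob 4624
2019-11-01T10:00:01 bob 4672
2019-11-01T10:00:30 bob 4688
2019-11-01T10:01:10 bob 4719
2019-11-01T11:00:00 carol 4624
2019-11-01T11:00:15 carol 4688
2019-11-01T11:30:00 carol 4634
2019-11-02T09:00:00 alice 4624
2019-11-02T09:00:01 alice 4672
2019-11-02T09:00:10 alice 4688
2019-11-02T09:00:30 alice 4719
2019-11-02T09:12:00 alice 4634
"""

def parse_log(text):
    """Per-account logon sessions, each a time-ordered list of (timestamp, event_id)."""
    rows = []
    for line in text.strip().splitlines():
        ts, account, eid = line.split()
        rows.append((datetime.fromisoformat(ts), account, int(eid)))
    sessions, open_session = [], {}
    for ts, account, eid in sorted(rows):
        if eid == LOGON or account not in open_session:
            open_session[account] = []
            sessions.append(open_session[account])
        open_session[account].append((ts, eid))
    return sessions

def occurs(session, pattern, max_gap, start=0, prev_ts=None):
    """True if pattern is a subsequence of session (other events may intervene)
    with every matched event at most max_gap after the previously matched one."""
    if not pattern:
        return True
    for i in range(start, len(session)):
        ts, eid = session[i]
        if prev_ts is not None and ts - prev_ts > max_gap:
            break  # sessions are time-ordered: nothing later can satisfy the gap
        if eid == pattern[0] and occurs(session, pattern[1:], max_gap, i + 1, ts):
            return True
    return False

def mine_sequential_patterns(sessions, min_support=0.5, max_gap=MAX_GAP):
    """Level-wise (Apriori-like) search: k-patterns are generated only by joining
    frequent (k-1)-patterns whose suffix and prefix overlap, then kept when their
    support (fraction of sessions in which they occur) reaches min_support."""
    n = len(sessions)
    support = lambda p: sum(occurs(s, p, max_gap) for s in sessions) / n
    frequent = {}
    level = [p for p in sorted({(eid,) for s in sessions for _, eid in s}) if support(p) >= min_support]
    while level:
        for p in level:
            frequent[p] = support(p)
        candidates = sorted({a + (b[-1],) for a in level for b in level if a[1:] == b[:-1]})
        level = [c for c in candidates if support(c) >= min_support]
    return frequent

def maximal_patterns(frequent):
    """Patterns not contained in a longer frequent pattern, longest first."""
    def is_subsequence(small, big):
        it = iter(big)
        return all(e in it for e in small)
    maximal = [p for p in frequent if not any(q != p and is_subsequence(p, q) for q in frequent)]
    return sorted(maximal, key=lambda p: (-len(p), p))

def tell_story(pattern, support, n_sessions, max_gap=MAX_GAP):
    """Render one pattern as a sentence an analyst can read without an event-ID table."""
    steps = ", then ".join(EVENT_NAMES.get(e, f"event {e} was recorded") for e in pattern)
    story = f"In {round(support * n_sessions)} of {n_sessions} logon sessions ({support:.0%}), {steps}."
    if len(pattern) > 1:
        story += f" Each step followed the previous within {int(max_gap.total_seconds() // 60)} minutes."
    return story

if __name__ == "__main__":
    sessions = parse_log(RAW_LOG)
    frequent = mine_sequential_patterns(sessions)
    for pattern in maximal_patterns(frequent):
        print(tell_story(pattern, frequent[pattern], len(sessions)))
```

On this sample the mined story is the four-step sequence logon, privilege assignment, process creation, audit policy change, seen in three of four sessions; the logoff event survives only as a lone frequent item because it falls outside the 10-minute gap in most sessions, which is how the gap constraint separates a short-lived activity from the longer session around it. In a real deployment sessions should be keyed by the Logon ID field that 4624 and 4634 share rather than by account name, and the gap and support thresholds must be tuned per environment.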
Notes
1. Amazon Web Server.
2. Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
AfzaliSeresht, N., Liu, Q., Miao, Y. (2019). An Explainable Intelligence Model for Security Event Analysis. In: Liu, J., Bailey, J. (eds) AI 2019: Advances in Artificial Intelligence. AI 2019. Lecture Notes in Computer Science(), vol 11919. Springer, Cham. https://doi.org/10.1007/978-3-030-35288-2_26
DOI: https://doi.org/10.1007/978-3-030-35288-2_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35287-5
Online ISBN: 978-3-030-35288-2
eBook Packages: Computer Science (R0)