Contextual filtering and prioritization of computer application logs for security situational awareness / Cinque, M.; Della Corte, R.; Pecchia, A.. - In: FUTURE GENERATION COMPUTER SYSTEMS. - ISSN 0167-739X. - 111:(2020), pp. 668-680. [10.1016/j.future.2019.09.005]

Contextual filtering and prioritization of computer application logs for security situational awareness

Cinque M.; Della Corte R.; Pecchia A.
2020

Abstract

Critical computer systems strongly rely on event logs to record normative and anomalous events occurring at runtime. In spite of the advances in Security Information and Event Management for handling monitoring data in production, event logs remain quite underutilized with respect to more conventional security data sources. Eliciting actionable knowledge for situational awareness poses many challenges in the case of logs emitted by industrial systems, due to the lack of standard practices, formats and threat models. This paper addresses log analysis in a critical industrial system. We conduct our study with a real-life system by a leading company in the Air Traffic Control domain, which emits massive volumes of unstructured proprietary logs. We propose a filtering method that pinpoints interesting events in logs, i.e., events that should be followed up by analysts. Experiments are done with logs from normative and misuse scenarios; moreover, we compare the outcome of our method with a reference filtering technique based on conceptual clustering. Results indicate that the proposed method is effective at retaining interesting events with remarkable precision and recall and at pinpointing misuse indicators. We overcome several drawbacks of existing filtering techniques, such as the need for labeled logs and domain knowledge, which makes our method easier for practitioners to use.
Files in this product:

File: 1-s2.0-S0167739X19306454-main.pdf (authorized users only)
Type: Publisher's version (PDF)
License: Publisher's copyright
Size: 3.34 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/774624

Citations
  • PMC: N/A
  • Scopus: 21
  • ISI: 14