•An event correlation-based document-level event detection model is proposed.•An event relation graph (ERG) is constructed.•The proposed method can improve the performance of correlated event detection.
The correlation between events within the same document plays a crucial role in event detection. Most existing detection models ignore event correlations, which makes them ill-suited to multi-event detection at the document level. In the real world, correlated events are far more likely to occur together than uncorrelated events are. Based on this observation, we propose an event correlation-based document-level event detection model (EventCo-ED) to capture the document-level association between events. Specifically, EventCo-ED first constructs a novel event relation graph (ERG) to capture the correlation between events and uses this correlation to extract the topic features of a document. Secondly, DMBERT is employed to obtain sentence-level contextual representations as the local features. Finally, a gated feature fusion module aggregates topic features and local features, and a correlation suppression module increases the probability that related events are detected together and suppresses the probability that unrelated events are detected together. Experimental results show that the proposed model improves both the precision and the recall of multi-event detection, achieving F1 improvements of 1.56% and 3.63% on the LEVEN and MAVEN corpora, respectively.
Since the beginning of the Internet, cyberattacks have threatened users and organisations, and they have grown more complex along with computer networks. Nowadays, attackers need to perform several intrusion steps to reach their final objective. The set of these steps is known as a multi-step attack, multi-stage attack or attack scenario. Their multi-step nature hinders intrusion detection, since more than one action must be correlated to understand the attack strategy and identify the threat. Since the early 2000s, the security research community has proposed solutions to detect this kind of threat and to predict further steps. This survey aims to gather all the publications proposing multi-step attack detection methods. We focus on methods that go beyond the detection of a single symptom and try to reveal the whole structure of the attack and the links between its steps. We follow a systematic approach to bibliographic research in order to identify the relevant literature. Our effort results in a corpus of 181 publications covering 119 methods, which we describe and classify. The analysis of the publications allows us to draw conclusions about the state of research in multi-step attack detection. As far as we know, this is the first survey fully dedicated to multi-step attack detection methods as mechanisms to reveal attack scenarios composed of the digital traces left by attackers.
An intrusion detection system (IDS) performs post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analyzed and triaged by security analysts. This process is largely manual, tedious, and time-consuming. Alert correlation is a technique that reduces the number of intrusion alerts by aggregating alerts that are similar in some respect. However, the correlation is performed outside the IDS through third-party systems and tools, after the IDS has already generated a high volume of alerts. These third-party systems add to the complexity of security operations. In this paper, we build on the extensively researched area of alert and event correlation by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an intrusion detection system. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best features from similarity-based and graph-based correlation techniques to deliver an ensemble capability that neither approach offers on its own. Further, we propose a correlation process for events rather than alerts, as in prior work. We also develop our own correlation and clustering algorithm, tailored to network event data. The model is implemented as a proof of concept, with experiments run on standard intrusion detection datasets. The correlation achieves an 87% data reduction through aggregation, producing nearly 21,000 clusters in about 30 s.
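To make the similarity-plus-graph idea concrete, here is an added example written for this page; it is not the model or implementation described in the abstract above. The event records, the similarity rule (same source and destination), the 60-second linking window and the cluster labels are all assumptions chosen for the demo. Events that share a source/destination pair are candidates (the similarity step); consecutive candidates within the window are linked and the connected components become clusters (the graph step), so a slow, steady stream stays one cluster even when its first and last events are far apart.

```python
"""Similarity-plus-graph event correlation on constructed network events.

Added example for this page, not the authors' system. Field names, the
similarity rule, the window and the cluster labels are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (constructed)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample: a 40-port scan from one host, a 25-attempt SSH burst
# from another, and two unrelated single flows.
SAMPLE_EVENTS = (
    [Event(1000 + i, "10.0.0.5", "10.0.1.7", 20 + i, "tcp") for i in range(40)]
    + [Event(1100 + i * 0.5, "10.0.0.9", "10.0.1.2", 22, "tcp") for i in range(25)]
    + [Event(1300, "10.0.0.11", "10.0.1.3", 443, "tcp"),
       Event(1900, "10.0.0.12", "10.0.1.4", 53, "udp")]
)


def correlate(events, window=60.0):
    """Group events into clusters.

    Similarity step: events with the same (src, dst) are candidates.
    Graph step: consecutive candidates (in time order) closer than `window`
    seconds are linked; connected components found with union-find are the
    clusters, so transitive chains of nearby events end up together.
    """
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    by_key = defaultdict(list)
    for idx, e in enumerate(events):
        by_key[(e.src, e.dst)].append(idx)
    for idxs in by_key.values():
        idxs.sort(key=lambda i: events[i].ts)
        for a, b in zip(idxs, idxs[1:]):
            if events[b].ts - events[a].ts <= window:
                union(a, b)

    clusters = defaultdict(list)
    for idx in range(len(events)):
        clusters[find(idx)].append(events[idx])
    return list(clusters.values())


def summarize(cluster):
    """One aggregated record per cluster; the labels are demo heuristics."""
    ports = {e.dport for e in cluster}
    if len(ports) >= 10:
        kind = "scan"
    elif len(cluster) >= 5:
        kind = "burst"
    else:
        kind = "single"
    return {
        "src": cluster[0].src,
        "dst": cluster[0].dst,
        "count": len(cluster),
        "first": min(e.ts for e in cluster),
        "last": max(e.ts for e in cluster),
        "distinct_ports": len(ports),
        "kind": kind,
    }


def reduction(events, clusters):
    """Fraction of records removed by aggregation (the ratio the 87% figure reports)."""
    return 1 - len(clusters) / len(events)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for c in found:
        print(summarize(c))
    print(f"reduction: {reduction(SAMPLE_EVENTS, found):.1%}")
```

On the constructed input the 67 events collapse to four aggregated records (one scan, one burst, two singles), a reduction of about 94%. The point to keep in mind when judging such figures is that the reduction depends entirely on the similarity rule and window: a rule that keys only on source address would merge unrelated activity from a NAT gateway, while one that is too specific leaves the analyst with the original flood.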
Process mining supports the analysis of the actual behavior and performance of business processes using event logs. An essential requirement is that every event in the log be associated with a unique case identifier (e.g., the order ID of an order-to-cash process). In reality, however, this case identifier may not always be present, especially when logs are acquired from different systems or extracted from non-process-aware information systems. In such settings, the event log needs to be pre-processed by grouping events into cases, an operation known as event correlation. Existing techniques for correlating events rely on assumptions to make the problem tractable: some assume the generative processes to be acyclic, while others require heuristic information or user input. Moreover, they abstract the log to activities and timestamps, and miss the opportunity to use data attributes. In this paper, we lift these assumptions and propose a new technique called EC-SA-Data based on probabilistic optimization. The technique takes as inputs a sequence of timestamped events (the log without case IDs), a process model describing the underlying business process, and constraints over the event attributes. Our approach returns an event log in which every event is associated with a case identifier. The technique allows users to flexibly incorporate rules on process knowledge and data constraints. The approach minimizes both the misalignment between the generated log and the input process model and the variance between activity durations across cases, while maximizing the support of the given data constraints over the correlated log. Our experiments with various real-life datasets show the advantages of our approach over the state of the art.
•We propose a novel event correlation engine EC-SA-Data.•EC-SA-Data correlates events based on information pertaining to the data perspective in addition to the control-flow perspective.•We propose eight similarity measures to evaluate the accuracy of our technique.
Process mining provides a rich set of techniques to discover valuable knowledge of business processes based on data recorded in different types of information systems. It enables analysis of end‐to‐end processes to facilitate process re‐engineering and process improvement. Process mining techniques rely on the availability of data in the form of event logs. In order to enable process mining in diverse environments, the recorded data need to be located and transformed into event logs. The journey from raw data to event logs suitable for process mining can be addressed by a variety of methods and techniques, which are the focus of this article. In particular, techniques proposed in the literature to support the creation of event logs from raw data are reviewed and classified. This includes techniques for identification and extraction of the required event data from diverse sources as well as their correlation and abstraction.
This article is categorized under:
Technologies > Structure Discovery and Clustering
Fundamental Concepts of Data and Knowledge > Data Concepts
Technologies > Data Preprocessing
Relating data and processes.
The event-by-event correlations between three flow amplitudes are measured for the first time in Pb-Pb collisions, using higher-order symmetric cumulants. We find that different three-harmonic correlations develop during the collective evolution of the medium when compared to correlations that exist in the initial state. These new results cannot be interpreted in terms of previous lower-order flow measurements since contributions from two-harmonic correlations are explicitly removed in the new observables. A comparison to Monte Carlo simulations provides new and independent constraints for the initial conditions and system properties of nuclear matter created in heavy-ion collisions.
Human activity recognition (HAR) is fundamental to many services in smart buildings. However, providing activity recognition systems robust enough to be confidently deployed in an ordinary real environment remains a major challenge. Most research in this area has focused on recognition from pre-segmented sensor data. In this paper, real-time human activity recognition based on streaming sensors is investigated. The proposed methodology incorporates dynamic event windowing based on spatio-temporal correlation and knowledge of the activity-triggering sensor to recognize activities and record new events. The objective is to determine whether the event that has just occurred belongs to the current activity or signals the start of a new one. For this, we consider the correlation between sensors in light of the history of past events. The proposed algorithm contains three steps: verification of sensor correlation (SC), verification of temporal correlation (TC), and determination of the sensor triggering the activity. The proposed approach is applied to a real case study: the "Aruba" dataset from the CASAS database. The F1 score is used to assess the quality of the segmentation. The results show that the proposed approach segments several activities (sleeping, bed to toilet, meal preparation, eating, housekeeping, working, entering home, and leaving home) with an F1 score of 0.63–0.99.
An advanced persistent threat (APT) is a deliberately slow-moving cyberattack that quietly compromises interconnected information systems without revealing itself. APTs often use a variety of attack methods to gain unauthorized system access initially and then gradually spread throughout the network. In contrast to traditional attacks, they are not used to interrupt services but primarily to steal intellectual property, sensitive internal business and legal documents, and other data. If an attack on a system succeeds, timely detection is of paramount importance to mitigate its impact and prevent the APT from spreading further. However, recent security incidents, such as Operation Shady RAT, Operation Red October or the discovery of MiniDuke, to name just a few, have demonstrated that current security mechanisms are mostly insufficient to stop targeted and customized attacks. This paper therefore proposes a novel anomaly detection approach as a promising basis for modern intrusion detection systems. In contrast to other common approaches, which apply a kind of black-list approach and consider only actions and behaviour that match well-known attack patterns and malware signatures, our system works with a white-list approach. Our anomaly detection technique keeps track of system events, their dependencies and occurrences, learns the normal system behaviour over time, and reports all actions that differ from the resulting system model. In this work, we describe this system in theory and show evaluation results from a pilot study under real-world conditions.
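The white-list idea described above, learning which events and which event dependencies are normal and reporting everything else, can be shown on a small host event log. This is an added example written for this page, not the authors' system: the log format (`<ts> <host> <process> <action>`), the constructed training and live logs, and the dependency model (per-process first-order transitions between actions, reset at process exit) are all assumptions chosen for the demo. The detection-phase log contains a deviation, an interactive shell launching `nc` towards an external address, that never appeared during learning.

```python
"""White-list anomaly detection over a constructed host event log.

Added example for this page, not the authors' implementation. Log format,
event fields and the per-process transition model are assumptions.
"""
from collections import defaultdict

# Constructed training log from a period assumed clean.
TRAINING_LOG = """\
1 web01 sshd accept
2 web01 sshd auth_ok
3 web01 sshd spawn:bash
4 web01 bash exec:ls
5 web01 bash exec:cat
6 web01 bash exit
7 web01 cron spawn:backup.sh
8 web01 backup.sh exec:tar
9 web01 backup.sh connect:10.0.0.2:22
10 web01 backup.sh exit
11 web01 sshd accept
12 web01 sshd auth_ok
13 web01 sshd spawn:bash
14 web01 bash exec:cat
15 web01 bash exit
"""

# Constructed detection-phase log: a shell session that runs nc and connects
# out, which the training period never contained.
LIVE_LOG = """\
20 web01 sshd accept
21 web01 sshd auth_ok
22 web01 sshd spawn:bash
23 web01 bash exec:cat
24 web01 bash exec:nc
25 web01 nc connect:203.0.113.5:4444
26 web01 bash exit
"""

START = "<start>"


def parse(log):
    """Parse '<ts> <host> <process> <action>' lines into tuples."""
    events = []
    for line in log.splitlines():
        ts, host, proc, action = line.split(" ", 3)
        events.append((int(ts), host, proc, action))
    return events


class WhitelistModel:
    """Learns the vocabulary of (process, action) pairs and, per host and
    process, which action may follow which; anything else is reported."""

    def __init__(self):
        self.known = set()                      # (process, action)
        self.transitions = defaultdict(set)     # (host, process) -> {(prev, action)}

    @staticmethod
    def _next_state(action):
        # An exit ends the process's sequence; the next action starts fresh.
        return START if action == "exit" else action

    def learn(self, events):
        last = {}
        for _, host, proc, action in events:
            key = (host, proc)
            prev = last.get(key, START)
            self.known.add((proc, action))
            self.transitions[key].add((prev, action))
            last[key] = self._next_state(action)

    def detect(self, events):
        """Return (ts, reason, process, detail) for every deviation."""
        alerts = []
        last = {}
        for ts, host, proc, action in events:
            key = (host, proc)
            prev = last.get(key, START)
            if (proc, action) not in self.known:
                alerts.append((ts, "unknown event", proc, action))
            elif (prev, action) not in self.transitions[key]:
                alerts.append((ts, "unknown transition", proc, f"{prev} -> {action}"))
            last[key] = self._next_state(action)
        return alerts


def train_and_detect(training_log, live_log):
    model = WhitelistModel()
    model.learn(parse(training_log))
    return model.detect(parse(live_log))


if __name__ == "__main__":
    for alert in train_and_detect(TRAINING_LOG, LIVE_LOG):
        print(alert)
```

Replaying the training log through the trained model yields no alerts, which is the sanity check to run before trusting such a model. The live log produces three: the unknown `exec:nc`, the unknown `nc` connect, and the `exec:nc -> exit` transition that follows. The third is a consequence of the first, and a deployable system would suppress such follow-on alerts; the harder operational problem, which the abstract's pilot study addresses, is that the training window must be both long enough to cover legitimate rare behaviour and clean enough not to white-list the attacker.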
Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation; it creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can reveal the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present a systematization of security event correlation models in terms of their representation in AI-based monitoring systems as rule-based, semantic, graph-based and machine-learning-based models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.
Today's digital world and evolving technology have improved the quality of our lives, but they have also brought a number of new threats. In the society of smart cities and Industry 4.0, where many cyber-physical devices connect and exchange data through the Internet of Things, addressing information security and resolving system failures becomes unavoidable. System failures can occur because of hardware failures, software bugs or interoperability issues. In this paper we introduce the industry-originated concept of "smart-troubleshooting": the set of activities and tools needed to gather failure information generated by heterogeneous connected devices, analyze it, and match it with troubleshooting instructions and software fixes. As a consequence of implementing smart-troubleshooting, the system would be able to self-heal and thus become more resilient. This paper aims to survey frameworks, methodologies and tools related to this new concept, and especially the ones needed to model, analyze and recover from failures in a (semi)automatic way. Smart-troubleshooting is related to event analysis for diagnostics and prognostics on devices manufactured by different suppliers in a distributed system. It also addresses the management of product information specified in possibly unstructured formats to guide the troubleshooting workflow in identifying fault causes and solutions. Relevant research is briefly surveyed in the paper in order to highlight the current state of the art, open issues, challenges to be tackled and future opportunities in this emerging industry paradigm.
•Introduce the industry-originated concept of “Smart-troubleshooting”.•Survey current research, methodologies, and tools relevant to Smart-troubleshooting.•Discuss challenges and opportunities related to Smart-troubleshooting.