Data Analytics for Security Management of Complex Heterogeneous Systems: Event Correlation and Security Assessment Tasks

Abstract

This chapter considers the methods and techniques for security management of complex heterogeneous systems, with an emphasis on event correlation and security assessment. The approach suggested in the chapter is based on the integrated analysis of big heterogeneous security data for event correlation, including syntactic and semantic analysis of security events and information. The key feature of the approach is the definition of various relationships between event properties within an automated, adaptive correlation process. Correlation of heterogeneous security data allows the detection of security incidents, as well as of the chains of security events that led to these incidents. The results of event correlation are used in various security assessment tasks. The approach to security assessment is based on Bayesian attack graphs, open security data representation standards, and vulnerability indexes from the Common Vulnerability Scoring System. The results of correlation are used at the stage of system asset criticality assessment for asset inventory, and at the stage of security assessment to calculate the probability of an ongoing attack's success, taking incident statistics into account. A technique for vulnerability assessment based on data mining is also described. The advantages and disadvantages of the suggested approaches, methods and techniques are outlined. The purpose of this chapter is to form a methodological basis for data analysis in security management, as well as to demonstrate its practical application using a data set of event logs from the Windows operating system and from a SCADA power management system.

Citation (APA)

Kotenko, I., Fedorchenko, A., & Doynikova, E. (2020). Data Analytics for Security Management of Complex Heterogeneous Systems: Event Correlation and Security Assessment Tasks. In EAI/Springer Innovations in Communication and Computing (pp. 79–116). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-19353-9_5
