Systematic Literature Review of Security Event Correlation Methods


Abstract

Security event correlation approaches are necessary to detect and predict incremental threats such as multi-step or targeted attacks (advanced persistent threats) and other causal sequences of abnormal events. The use of security event correlation techniques also makes it possible to reduce the volume of the original data stream by grouping events and eliminating their redundancy. The variety of event correlation methods, in turn, requires choosing the most appropriate way to handle security events, depending on the purpose and the available resources. This paper presents a systematization of security event correlation methods into several categories, such as publication year, applied correlation methods, knowledge extraction methods, data sources used, architectural solutions, and quality evaluation of correlation methods. The research method is a systematic literature review, which includes the formulation of research questions and the choice of keywords and of inclusion and exclusion criteria. The review corpus is formed by using search queries in Google Scholar, IEEE Xplore, ACM Digital Library and ScienceDirect, together with the selection criteria. The final review corpus includes 127 publications from the existing literature for 2010-2021 and reflects the current state of research in the security event correlation field. The results of the analysis include the main directions of research in the field of event correlation and the methods used for correlating both single events and their sequences in attack scenarios. The review also describes the datasets and metrics used to evaluate security event correlation approaches. In conclusion, the existing problems and possible ways to overcome them are identified.
The main contribution of the review is the most complete classification and comparison of existing approaches to security event correlation, considered not only from the point of view of the algorithm, but also of the possibility of detecting unknown attacks, the architectural solutions, and the initial event data that is used.
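The abstract names the two jobs a correlation engine does: collapsing redundant events to cut volume, and linking single events into the causal sequence of a multi-step attack. The following Python block is an added illustration of both and is not code from the paper or from any of the reviewed systems; the event stream, the event types (auth_fail, auth_success, new_admin_user), the source addresses, the window sizes and the rule itself are all constructed for the example.

```python
"""Added example: minimal security event correlation.

Two stages, both on a constructed (not real) event stream:
  1. aggregate(): collapse repeated (source, type) events inside a time
     window into one aggregated event with a count (volume reduction);
  2. correlate_sequence(): match an ordered multi-step rule per source
     with per-step minimum counts and an overall time window.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    ts: float   # seconds; constructed values, not real timestamps
    src: str    # source address (constructed)
    kind: str   # normalized event type (constructed vocabulary)


# Constructed sample stream. 10.0.0.5 brute-forces, logs in and creates an
# admin user within minutes; 10.0.0.9 does the same steps but far too slowly
# to be one causal chain under the rule's window.
SAMPLE_EVENTS: Tuple[Event, ...] = (
    Event(0, "10.0.0.5", "auth_fail"),
    Event(1, "10.0.0.5", "auth_fail"),
    Event(2, "10.0.0.5", "auth_fail"),
    Event(3, "10.0.0.5", "auth_fail"),
    Event(4, "10.0.0.5", "auth_fail"),
    Event(30, "10.0.0.5", "auth_success"),
    Event(45, "10.0.0.5", "new_admin_user"),
    Event(2, "10.0.0.9", "auth_fail"),
    Event(3, "10.0.0.9", "auth_fail"),
    Event(4, "10.0.0.9", "auth_fail"),
    Event(5, "10.0.0.9", "auth_fail"),
    Event(6, "10.0.0.9", "auth_fail"),
    Event(500, "10.0.0.9", "auth_success"),
    Event(900, "10.0.0.9", "new_admin_user"),
)


def aggregate(events: Sequence[Event], window: float) -> List[Tuple[Event, int]]:
    """Collapse identical (src, kind) events that start within `window`
    seconds of the group's first event. Returns (first_event, count) pairs
    ordered by the first event's timestamp."""
    ordered = sorted(events, key=lambda e: e.ts)
    open_groups: Dict[Tuple[str, str], int] = {}  # key -> index into result
    result: List[Tuple[Event, int]] = []
    for e in ordered:
        key = (e.src, e.kind)
        idx = open_groups.get(key)
        if idx is not None and e.ts - result[idx][0].ts <= window:
            first, count = result[idx]
            result[idx] = (first, count + 1)
        else:
            result.append((e, 1))
            open_groups[key] = len(result) - 1
    return result


@dataclass(frozen=True)
class Step:
    kind: str
    min_count: int = 1  # minimum aggregated count for this step to match


# Constructed rule: >=5 failed logins, then a success, then a new admin user.
BRUTE_FORCE_THEN_ESCALATE: Tuple[Step, ...] = (
    Step("auth_fail", 5),
    Step("auth_success"),
    Step("new_admin_user"),
)


def correlate_sequence(aggregated: Sequence[Tuple[Event, int]],
                       steps: Sequence[Step],
                       window: float) -> List[Tuple[str, List[Event]]]:
    """Match `steps` in order, per source, over timestamp-ordered aggregated
    events. A partial chain whose first step is older than `window` is
    discarded. Returns (src, matched_events) for each completed chain."""
    alerts: List[Tuple[str, List[Event]]] = []
    state: Dict[str, Tuple[int, List[Event]]] = {}  # src -> (next step, matched)
    for ev, count in aggregated:
        idx, matched = state.get(ev.src, (0, []))
        if matched and ev.ts - matched[0].ts > window:
            idx, matched = 0, []          # chain expired; start over
        step = steps[idx]
        if ev.kind == step.kind and count >= step.min_count:
            matched = matched + [ev]
            idx += 1
            if idx == len(steps):
                alerts.append((ev.src, matched))
                idx, matched = 0, []
        state[ev.src] = (idx, matched)
    return alerts


def run_demo(events: Sequence[Event] = SAMPLE_EVENTS,
             agg_window: float = 10.0,
             seq_window: float = 300.0):
    """Returns (raw_count, aggregated_count, alerts)."""
    agg = aggregate(events, agg_window)
    alerts = correlate_sequence(agg, BRUTE_FORCE_THEN_ESCALATE, seq_window)
    return len(events), len(agg), alerts


if __name__ == "__main__":
    raw, reduced, found = run_demo()
    print(f"{raw} raw events -> {reduced} aggregated events")
    for src, chain in found:
        print(src, "->", " > ".join(e.kind for e in chain))
```

On the constructed stream the aggregation stage turns 14 raw events into 6, and the sequence stage raises exactly one alert, for 10.0.0.5; 10.0.0.9 performs the same three steps but its chain is dropped when the gap from the first step exceeds the 300-second window. That window and the per-step thresholds are exactly the knobs that separate a brute-force-then-escalation alert from three unrelated events, which is why the review's evaluation section cares about the datasets and metrics used to tune them.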


Citation (APA)

Kotenko, I., Gaifulina, D., & Zelichenok, I. (2022). Systematic Literature Review of Security Event Correlation Methods. IEEE Access. Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ACCESS.2022.3168976
