An Explainable Intelligence Model for Security Event Analysis

Monitoring systems log a huge volume of events. Analysts do not audit or trace the log files, which record the most significant events, until an incident occurs. Human analysis is a tedious and inaccurate task given the vast volume of log files, which are stored in a “machine-friendly” format. To recognise why an incident happened, analysts have to derive its context from prior knowledge in order to find the events relevant to it. Although security tools have been developed to make analysis easier by providing visualization techniques and minimizing human interaction, far too little attention has been paid to interpreting security incidents in a “human-friendly” format. Besides, current detection patterns and rules are not mature enough to recognize early breaches that have not yet caused any damage. In this paper, we present an Explainable AI model that assists analysts’ judgement in inferring what has happened from security event logs. The proposed Explainable AI model uses storytelling as a novel knowledge representation to present the sequence of events that is automatically discovered from the log file. To discover sequential events automatically, an apriori-like algorithm that mines temporal patterns is used. This effort focuses on security events so as to convey both short-lived and long-lived activities. The experimental results demonstrate the potential and advantages of the proposed Explainable AI model on security logs, validated on the activities performed during security configuration compliance on a Windows system.
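As an added illustration of the idea in the abstract (not the paper's own algorithm or data), the following Python sketch mines frequent ordered event sequences from constructed Windows Security event-ID sessions with an apriori-style join-and-prune loop, then renders the longest frequent sequence as a short "story"; the session data, the minimum support of 3 and the event descriptions are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample data (not the paper's dataset): each session is the ordered
# list of Windows Security event IDs seen for one logon session.
SESSIONS: List[List[int]] = [
    [4624, 4672, 4719, 4634],
    [4624, 4672, 4719, 4732, 4634],
    [4624, 4634],
    [4624, 4672, 4732, 4719, 4634],
    [4624, 4672, 4719, 4634],
]
EVENT_NAMES: Dict[int, str] = {
    4624: "an account logged on", 4672: "special privileges were assigned",
    4719: "the system audit policy was changed", 4732: "a member was added to a local group",
    4634: "the account logged off",
}

def is_subsequence(pattern: Tuple[int, ...], session: List[int]) -> bool:
    """True if pattern's events occur in session in this order (gaps allowed)."""
    it = iter(session)
    return all(any(e == p for e in it) for p in pattern)

def support(pattern: Tuple[int, ...], sessions: List[List[int]]) -> int:
    """Number of sessions containing the pattern as an ordered subsequence."""
    return sum(is_subsequence(pattern, s) for s in sessions)

def mine_sequences(sessions: List[List[int]], min_support: int) -> Dict[Tuple[int, ...], int]:
    """Apriori-style level-wise mining of frequent ordered event sequences."""
    events = sorted({e for s in sessions for e in s})
    level = [(e,) for e in events if support((e,), sessions) >= min_support]
    frequent = {p: support(p, sessions) for p in level}
    while level:
        candidates = set()
        for a in level:
            for b in level:
                if a[1:] == b[:-1]:  # join step: k-sequences overlapping on k-1 events
                    cand = a + (b[-1],)
                    # prune step: every sequence obtained by dropping one event must be frequent
                    if all(cand[:i] + cand[i + 1:] in frequent for i in range(len(cand))):
                        candidates.add(cand)
        level = [c for c in sorted(candidates) if support(c, sessions) >= min_support]
        frequent.update({c: support(c, sessions) for c in level})
    return frequent

def tell_story(frequent: Dict[Tuple[int, ...], int], n_sessions: int) -> str:
    """Render the longest (then most supported) frequent sequence as a narrative."""
    best = max(frequent, key=lambda p: (len(p), frequent[p]))
    steps = [f"{i + 1}. {EVENT_NAMES.get(e, 'event')} (event {e})" for i, e in enumerate(best)]
    return f"Observed in {frequent[best]} of {n_sessions} sessions:\n" + "\n".join(steps)
```

Calling `tell_story(mine_sequences(SESSIONS, 3), len(SESSIONS))` yields a four-step logon, privilege, audit-policy-change, logoff narrative, while the group-membership event, seen in only two sessions, falls below the support threshold and is left out.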
