Security Log Analysis in Critical Industrial Systems Exploiting Game Theoretic Feature Selection and Evidence Combination

Critical industrial systems have become profitable targets for cyber-attackers. Practitioners and administrators rely on a variety of data sources to develop security situation awareness at runtime. In spite of the advances in security information and event management products and services for handling heterogeneous data sources, analysis of the proprietary logs generated by industrial systems still poses many challenges due to the lack of standard practices, formats, and threat models. This article addresses log analysis to detect anomalies, such as failures and misuse, in a critical industrial system. We conduct our study on a real-life system by a leading industry provider in the air traffic control domain. The system emits massive volumes of highly unstructured proprietary textual logs at runtime. We propose to extract quantitative metrics from the logs and to detect anomalies by means of game theoretic feature selection and evidence combination. Experiments indicate that the proposed approach achieves high precision and recall with little tuning effort.
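The following is an added illustration of the pipeline the abstract outlines, not code or data from the paper: per-window quantitative metrics (volume, distinct templates, term entropy) are extracted from constructed log lines, each metric yields a Dempster-Shafer mass function over {anomaly, normal}, the masses are fused with Dempster's rule, and the Banzhaf power index of each metric in the cooperative game "accuracy of the fused decision" ranks the features for selection. The sample log, the baseline windows, the mass assignment and the decision rule are all assumptions chosen for this sketch.

```python
import math, re
from itertools import combinations

A, N = frozenset({"anomaly"}), frozenset({"normal"})  # frame of discernment is A | N
# Constructed sample standing in for proprietary textual logs: (window, message).
LOGS = [(w, f"track {100 * w + i} updated") for w in range(6) for i in range(3)]
LOGS += [(w, "heartbeat ok") for w in (0, 2, 4)]
LOGS += [(4, f"auth failed for user u{i % 2}") for i in range(6)]  # burst in window 4
BASELINE, LABELS = [0, 1, 2], {3: 0, 4: 1, 5: 0}  # reference windows; constructed truth

def metrics(logs):  # per-window quantitative metrics extracted from the raw text
    win = {}
    for w, msg in logs:
        win.setdefault(w, []).append(re.sub(r"\d+", "#", msg))  # mask digits -> template
    out = {}
    for w, msgs in win.items():
        terms = [t for m in msgs for t in m.split()]
        freq = [terms.count(t) / len(terms) for t in set(terms)]
        out[w] = {"volume": len(msgs), "templates": len(set(msgs)),
                  "entropy": -sum(p * math.log2(p) for p in freq)}
    return out

def evidence(x, base, k=2.0):  # mass function contributed by one metric for one window
    mu = sum(base) / len(base)
    sd = math.sqrt(sum((b - mu) ** 2 for b in base) / len(base))
    d = abs(x - mu) / (sd + 0.5)  # 0.5 smooths zero-variance baselines (assumption)
    a = min(0.9, d / k)  # deviation from the baseline supports "anomaly"
    n = min(1 - a, 0.9 * max(0.0, 1 - d))  # closeness to it supports "normal"
    return {A: a, N: n, A | N: 1 - a - n}  # the remainder is ignorance

def dempster(m1, m2):  # Dempster's rule: intersect focal sets, renormalise the conflict
    out, conflict = {}, 0.0
    for s1, p1 in m1.items():
        for s2, p2 in m2.items():
            if s1 & s2: out[s1 & s2] = out.get(s1 & s2, 0.0) + p1 * p2
            else: conflict += p1 * p2
    return {s: p / (1 - conflict) for s, p in out.items()}

def decide(w, feats, M):  # True = window w flagged as anomalous by the features in feats
    m = {A | N: 1.0}  # start from total ignorance
    for f in feats:
        m = dempster(m, evidence(M[w][f], [M[b][f] for b in BASELINE]))
    return m.get(A, 0.0) > m.get(N, 0.0)

def banzhaf(M):  # Banzhaf power of each feature in the game v(S) = accuracy using S
    feats = list(next(iter(M.values())))
    def v(S):  # coalition value: fraction of labelled windows decided correctly
        return sum(decide(w, S, M) == bool(y) for w, y in LABELS.items()) / len(LABELS) if S else 0.0
    power = {}
    for f in feats:  # average marginal contribution of f over all coalitions without f
        others = [g for g in feats if g != f]
        subsets = [S for r in range(len(others) + 1) for S in combinations(others, r)]
        power[f] = sum(v(S + (f,)) - v(S) for S in subsets) / 2 ** len(others)
    return power
```

On this sample the volume and template counts alone misfire on the quiet windows, so the Banzhaf index ranks entropy far above them; sorting `banzhaf(metrics(LOGS))` gives the selection order.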
