A Graph Similarity-Based Approach to Security Event Analysis Using Correlation Techniques

Detecting and identifying security events to provide cyber situation awareness has become an increasingly important task within the network research and development community. We propose a graph similarity-based approach to event detection and identification that integrates a number of techniques to collect time-varying situation information, extract correlations between event attributes, and characterize and identify security events. Diverging from the traditional rule- or statistical-based pattern matching techniques, the proposed mechanism represents security events in a graphical form of correlation networks and identifies security events through the computation of graph similarity measurements to eliminate the need for constructing user or system profiles. These technical components take fundamentally different approaches from traditional empirical or statistical methods and are designed based on rigorous computational analysis with mathematically proven performance guarantee. The performance superiority of the proposed mechanism is demonstrated by extensive simulation and experimental results.