Event Prioritization and Correlation Based on Pattern Mining Techniques

With the growing deployment of host and network intrusion detection systems in increasingly large and complex communication networks, managing low-level events from these systems becomes critically important. A network has multiple tasks, which consist of multiple network services aiding the execution of a task. An emerging track of security research has focused on event prioritization and correlation to rank the criticality of events and reduce the number of low-level events. To prioritize and correlate events, the ongoing tasks in an enterprise network are identified, as the goal of network operators is to protect ongoing tasks when a security breach occurs. The prioritization of an event depends on the criticality of an ongoing task that is potentially threatened by the event. Additionally, in order to support network operators, we correlate all events that target the same task. A particular task may depend on multiple network services and involve multiple network devices. So, if one network service becomes unavailable, other network services will be affected over time since they Unfortunately, dependency details are often not documented and are difficult to discover by relying on human expert knowledge. In order to solve this problem, a network dependency analysis based on network traffic is conducted. We rely on pattern mining techniques to discover tasks in a monitored enterprise network. A formal description of the identified tasks is provided and events are prioritized and correlated based on this model. The pattern mining based network dependency analysis algorithm is evaluated based on a real-world network and three networks that where created with a network simulator.