ISSN 0021-3454 (print version)
ISSN 2500-0381 (online version)

vol 63 / August, 2020

DOI 10.17586/0021-3454-2018-61-11-997-1004

UDC 004.056


A. V. Fedorchenko
St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences, Laboratory of Computer Security Problems; Junior Scientist


Abstract. The field of event correlation for security information and event management (SIEM) systems is investigated. The purpose of the research is to determine the types of information objects by analyzing the security event log of the infrastructure under study. A correlation approach is proposed that is based on defining relationships between equivalent event properties through their mutual use. Studying the revealed relationships yields a description of the analyzed infrastructure in the form of types of high-level objects. Results of an experiment on the structural analysis of the Windows security event log are presented. Cases in which the proposed approach works unstably, and their possible causes, are described. An evaluation and interpretation of the obtained results is given, indicating that the presented approach can be applied in practice.
Keywords: security events, event correlation, structural data analysis, security monitoring, SIEM systems
