Abstract

Critical computer systems rely heavily on event logs to record the normative and anomalous events that occur at runtime. Despite advances in Security Information and Event Management (SIEM) for handling monitoring data in production, event logs remain underutilized compared with more conventional security data sources. Eliciting actionable knowledge for situational awareness from logs emitted by industrial systems is particularly challenging because of the lack of standard practices, formats and threat models. This paper addresses log analysis in a critical industrial system. We conduct our study on a real-life system by a leading company in the Air Traffic Control domain, which emits massive volumes of unstructured proprietary logs. We propose a filtering method that pinpoints interesting events in the logs, i.e., events that should be followed up by analysts. Experiments are conducted with logs from both normative and misuse scenarios; moreover, we compare the outcome of our method with a reference filtering technique based on conceptual clustering. Results indicate that the proposed method retains interesting events with remarkable precision and recall and pinpoints misuse indicators. It overcomes several drawbacks of existing filtering techniques, such as the need for labeled logs and domain knowledge, which makes it easier for practitioners to use.
