Abstract
Critical industrial systems have become profitable targets for cyber-attackers. Practitioners and administrators rely on a variety of data sources to develop security situation awareness at runtime. In spite of the advances in security information and event management products and services for handling heterogeneous data sources, analysis of the proprietary logs generated by industrial systems still poses many challenges due to the lack of standard practices, formats, and threat models. This article addresses log analysis to detect anomalies, such as failures and misuse, in a critical industrial system. We conduct our study on a real-life system by a leading industry provider in the air traffic control domain. The system emits massive volumes of highly unstructured proprietary textual logs at runtime. We propose to extract quantitative metrics from the logs and to detect anomalies by means of game-theoretic feature selection and evidence combination. Experiments indicate that the proposed approach achieves high precision and recall with little tuning effort.
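The abstract names three stages: quantitative metrics extracted from unstructured text logs, a game-theoretic step that selects which metrics to trust, and a combination of the per-metric evidence into a verdict. The example below is an added illustration of that pipeline on a constructed log; it is not the paper's code and does not reproduce the paper's actual metrics, selection game, or combination rule, none of which are given here. The metrics (line volume, distinct message templates after number masking, error-line ratio, radar-sweep count), the two-second window, the baseline z-score with a 3-sigma threshold, the OR combination rule, and the use of exact Shapley values as the feature-selection game are all assumptions standing in for the paper's choices.

```python
import itertools
import math
import re
import statistics

# Constructed sample log, NOT from the paper's system: "<second> <free text>".
# Seconds 0-11: normal traffic. 12-13: radar fault burst. 14-15: unusual operator
# activity at normal volume. Second 11 deliberately lacks a sweep (harmless jitter).
SAMPLE_LOG = """\
0 radar RX1 sweep ok
0 track 1042 updated pos 51.2 -0.4
1 radar RX1 sweep ok
1 track 1043 updated pos 51.3 -0.5
2 radar RX1 sweep ok
2 track 1044 created
2 track 1044 updated pos 50.9 -0.2
3 radar RX1 sweep ok
3 track 1042 updated pos 51.2 -0.4
4 radar RX1 sweep ok
4 track 1043 updated pos 51.3 -0.5
5 radar RX1 sweep ok
6 radar RX1 sweep ok
6 track 1044 updated pos 50.9 -0.2
6 track 1043 dropped
7 radar RX1 sweep ok
7 track 1042 updated pos 51.2 -0.4
8 radar RX1 sweep ok
8 track 1042 updated pos 51.2 -0.4
9 radar RX1 sweep ok
9 track 1044 updated pos 50.9 -0.2
10 radar RX1 sweep ok
10 track 1042 updated pos 51.2 -0.4
10 track 1045 created
11 track 1045 updated pos 52.0 -1.1
13 track 1042 dropped
13 track 1045 dropped
14 radar RX1 sweep ok
14 operator cfg set threshold 9
14 operator cfg dump
15 radar RX1 sweep ok
15 operator session opened
15 operator export tracks
""".splitlines() + ["12 radar RX1 ERROR timeout on channel 7"] * 5 \
               + ["13 radar RX1 ERROR timeout on channel 7"] * 5

WIDTH = 2                                  # window length in seconds (assumption)
NUM = re.compile(r"-?\d+(?:\.\d+)?")
FEATURES = ("lines", "templates", "error_ratio", "sweeps")   # assumed metrics

def template(text):
    """Mask every number so 'track 1042 updated pos 51.2 -0.4' becomes one template."""
    return NUM.sub("<n>", text)

def windows(lines, width=WIDTH):
    """Bucket '<second> <text>' lines into consecutive fixed-width time windows."""
    buckets = {}
    for line in lines:
        ts, _, text = line.partition(" ")
        buckets.setdefault(int(ts) // width, []).append(text)
    return [buckets[k] for k in sorted(buckets)]

def metrics(window):
    """Quantitative metrics extracted from one window of unstructured text."""
    n = len(window)
    return {
        "lines": float(n),
        "templates": float(len({template(t) for t in window})),
        "error_ratio": sum("ERROR" in t for t in window) / n if n else 0.0,
        "sweeps": float(sum("sweep ok" in t for t in window)),
    }

def baseline(normal_windows):
    """Mean and population std-dev of each metric over known-good windows."""
    cols = {f: [metrics(w)[f] for w in normal_windows] for f in FEATURES}
    return {f: (statistics.mean(v), statistics.pstdev(v)) for f, v in cols.items()}

def evidence(window, base, floor=1e-6):
    """Per-metric evidence = |z-score|. A metric that never varied in the baseline
    (sigma 0) gets a tiny floor, so any deviation at all counts as strong evidence."""
    m = metrics(window)
    return {f: abs(m[f] - mu) / max(sigma, floor) for f, (mu, sigma) in base.items()}

def combine(ev, features, threshold=3.0):
    """Evidence combination used here (an OR rule, assumed): flag the window if any
    selected metric is more than `threshold` sigma away from its baseline."""
    return any(ev[f] > threshold for f in features)

def shapley(labelled, base, features=FEATURES):
    """Exact Shapley value of each metric in the coalition game v(S) = accuracy of
    combine() using only the metrics in S, over labelled (window, is_anomaly) pairs."""
    def v(S):
        return sum(combine(evidence(w, base), S) == y for w, y in labelled) / len(labelled)
    n, phi = len(features), {}
    for f in features:
        others = [g for g in features if g != f]
        phi[f] = sum(
            math.factorial(r) * math.factorial(n - r - 1) / math.factorial(n) * (v(S + (f,)) - v(S))
            for r in range(n) for S in itertools.combinations(others, r))
    return phi

def select_features(phi):
    """Keep metrics with positive marginal worth; drop those that only add false alarms."""
    return tuple(f for f in FEATURES if phi[f] > 0)

def run():
    w = windows(SAMPLE_LOG)
    base = baseline(w[:4])                                      # windows 0-3: training
    labelled = [(w[4], False), (w[5], False), (w[6], True), (w[7], True)]
    phi = shapley(labelled, base)
    chosen = select_features(phi)
    verdicts = [combine(evidence(x, base), chosen) for x, _ in labelled]
    return phi, chosen, verdicts

if __name__ == "__main__":
    print(run())
```

On this data the `sweeps` metric gets a negative Shapley value: its baseline is constant, so the single missing sweep in a normal window produces a false alarm, and every coalition it joins loses accuracy. Dropping it leaves `lines`, `templates` and `error_ratio`, which together classify all four labelled windows correctly, with the error burst caught by volume and error ratio and the operator activity caught by template diversity alone.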