Causal Connections Mining Within Security Event Logs

Performing both security vulnerability assessment and configuration processes are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system's event log provides historical information depicting potential security threats, as well as recording configuration activities. In this paper, a novel technique is developed that can process security event logs on a computer that has been assessed and configured by a security professional, and autonomously establish causality amongst event log entries to learn performed configuration tasks. This extracted knowledge can then be exploited by non-professionals to plan steps that can improve the security of a previously unseen system.