5 research outputs found

    Discovering and Utilising Expert Knowledge from Security Event Logs

    Security assessment and configuration is a methodology for protecting computer systems from malicious entities. It is a continuous process and heavily dependent on human experts, who are widely acknowledged to be in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often turn to a system's event logs to determine its security status, such as failures, configuration modifications, system operations, etc. However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence, there is a strong need to provide mechanisms that make the process easier for security experts, as well as tools for those with significantly less security expertise. Doing so automatically allows for persistent and methodical testing without an excessive amount of manual time and effort, and makes computer security more accessible to non-experts. In this thesis, we present a novel technique to process the security event logs of a system that has been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply the acquired knowledge to previously unseen systems on behalf of non-experts to recommend security improvements. The proposed solution utilises association and causal rule mining techniques to automatically discover relationships among the event log entries. The relationships take the form of cause-and-effect rules that define security-related patterns. These rules and other relevant information are encoded into a PDDL-based domain action model. The domain model and a problem instance generated from any vulnerable system can then be used to produce a plan of action by employing a state-of-the-art automated planning algorithm. The plan can be used by non-professionals to identify the security issues and make improvements.
Empirical analysis is subsequently performed on 21 live, real-world event log datasets, where the acquired domain model and identified plans are closely examined. The solution's accuracy lies between 73% - 92%, and it gained a significant performance boost compared to the manual approach of identifying event relationships. The research presented in this thesis automates the extraction of knowledge from event data streams. Previous research and current industry practice suggest that this knowledge elicitation is performed by human experts. As is evident from the empirical analysis, we present a promising line of work that has the capacity to be utilised in commercial settings. This would reduce (or even eliminate) the dire and immediate need for human resources, along with contributing towards financial savings.

    Event protection model for process mining and data visualization projects in the health sector

    The project focuses on integrating one of the disciplines of data science (privacy, security, law and ethics) with process science optimization, where process mining serves as the bridge between them (Process mining: Data science in action, 2016), with the aim of finding an alternative that is faster, cheaper and at the same time safeguards the integrity of the data. The purpose of this study is to implement an event protection model for process mining projects in the health sector. The first stage of the project involves an analysis of the tools, models and requirements that process mining provides, so that they allow the harmonization of the disciplines of data science and process science. In the second stage, after verifying their characteristics, advantages and disadvantages, a model will be built that allows the protection of events for process mining projects in the health sector. In the third stage, once the model has been built, the proposed indicators will be validated with a specialist from the health sector. Finally, a continuity plan will be created so that the proposed model is applied together with process mining techniques in health departments. This project has an estimated duration of one year, from the investigation of tools that facilitate the construction of the data protection model to deployment in health departments.

    Process mining is indispensable for the competitive strategies of corporations, because there is no room for inefficiencies: the organization can end up losing customers and their trust. Therefore, organizations now focus on continuous monitoring and adjusting their business decisions to achieve optimal performance.
To have this capability integrated into the map of each member of the company, they need to have defined their business processes for the subsequent data capture, and it is essential that this happen in real time, since process mining is catalogued as an enabler that discovers the root causes of the organization's positive and negative outcomes by building and visualizing operational process flows from event data. Likewise, when seeking exponential growth, companies decide to invest in technology that makes them more vulnerable to computer attacks. The goal of this project is to combine the disciplines of process mining and information security in order to protect information systems, through a security model containing guidelines that reduce the uncertainty of being safe. In 2012, the IEEE published a manifesto on process mining. This publication presents the process mining literature to date, its guiding principles and the challenges in this discipline. According to this article, process mining allows the discovery, monitoring and improvement of processes by generating knowledge from the event logs produced by information systems in organizations. Our contribution to the process mining literature is linked to challenge number 7, where we seek to improve inter-organizational dynamics of data transactions together with information security, thus helping users secure their systems. For this reason, we use PM2 process mining techniques, data visualization and data protection to generate an event protection model for the process mining project in the health sector.