
Design and Implementation of an Automated Event Log Analysis System based on Event Correlation and Machine Learning

Prof. Chu-Sing Yang
Event date:
Tuesday, 15 October, 2019 - 10:30
Lazzeretti Riccardo

Malware once bundled all of its malicious functionality in a single executable, so an antivirus engine that found many suspicious functions inside one file could flag it as malware with high confidence. To draw less attention from anti-virus products, attackers now split the malicious functions across several processes, dividing the work among a dropper, a decryptor, an injector and so on. When a single file or process is the unit used to assess system security, much of this malicious behaviour is missed. The system proposed in this paper combines event correlation with machine-learning classification to view process behaviour from a more comprehensive angle and to single out the malicious behaviour. The automated analysis of the event log costs only 5 minutes per endpoint per day. Binary classification reaches an F1-score of 99%, and multiclass classification by malware type reaches an F1-score of 82%.
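The following is an added illustration of the correlation idea described above, not code from the paper or the speaker's system. It uses a constructed log of endpoint events (field names loosely modelled on Sysmon-style telemetry, but invented here) in which a dropper writes a payload, spawns a decryptor that writes a second stage, which in turn spawns an injector that opens a handle to another process. Scored per process, each stage shows a single weak indicator and stays below the alert threshold; scored per process lineage, the same indicators accumulate on the chain's root and the chain is flagged. The indicator rules, the threshold and the per-chain feature vector are assumptions chosen for the example, not the paper's features or model.

```python
"""Added example: correlating endpoint events along process lineage.

Per-process scoring sees one indicator in each of the dropper, decryptor and
injector processes; correlating by process ancestry aggregates the whole
chain. Event schema, indicator rules and threshold are constructed for this
illustration and are not taken from the paper.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). Parent pid 1 stands for a
# process that was already running before logging started.
EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,   "image": "dropper.exe"},
    {"type": "file_write",     "pid": 100, "path": "C:\\Users\\u\\AppData\\payload.bin"},
    {"type": "process_create", "pid": 101, "ppid": 100, "image": "decryptor.exe"},
    {"type": "file_write",     "pid": 101, "path": "C:\\Users\\u\\AppData\\stage2.dll"},
    {"type": "process_create", "pid": 102, "ppid": 101, "image": "injector.exe"},
    {"type": "process_access", "pid": 102, "target_pid": 500, "target_image": "explorer.exe"},
    # A benign chain for contrast: an editor saving a document.
    {"type": "process_create", "pid": 200, "ppid": 1,   "image": "notepad.exe"},
    {"type": "file_write",     "pid": 200, "path": "C:\\Users\\u\\Documents\\notes.txt"},
]

ALERT_THRESHOLD = 3  # assumed: three weak indicators together trigger an alert
FEATURE_KEYS = ("process_create", "file_write", "process_access")


def indicator(ev):
    """Hypothetical weak indicators, one point each; none is alarming alone."""
    if ev["type"] == "file_write" and "\\AppData\\" in ev["path"]:
        return 1  # content dropped into a user-writable profile directory
    if ev["type"] == "process_access":
        return 1  # handle opened on another process (injection candidate)
    return 0


def build_parent_map(events):
    """pid -> ppid for every process creation seen in the log."""
    return {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process_create"}


def root_of(pid, parents):
    """Walk up the recorded ancestry to the oldest pid we have a record for."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)  # guard against pid reuse producing a cycle
        pid = parents[pid]
    return pid


def per_process_scores(events):
    """The file/process-as-unit view the paper argues is too narrow."""
    scores = defaultdict(int)
    for ev in events:
        scores[ev["pid"]] += indicator(ev)
    return dict(scores)


def per_chain_scores(events):
    """Event correlation: attribute every event to the root of its lineage."""
    parents = build_parent_map(events)
    scores = defaultdict(int)
    for ev in events:
        scores[root_of(ev["pid"], parents)] += indicator(ev)
    return dict(scores)


def chain_feature_vectors(events):
    """Per-chain event-type counts: the shape of input a classifier would consume."""
    parents = build_parent_map(events)
    vecs = defaultdict(lambda: [0] * len(FEATURE_KEYS))
    for ev in events:
        if ev["type"] in FEATURE_KEYS:
            vecs[root_of(ev["pid"], parents)][FEATURE_KEYS.index(ev["type"])] += 1
    return {root: tuple(v) for root, v in vecs.items()}


def alerts(scores, threshold=ALERT_THRESHOLD):
    """Units (pids or chain roots) whose accumulated score reaches the threshold."""
    return sorted(k for k, v in scores.items() if v >= threshold)


if __name__ == "__main__":
    print("per-process:", per_process_scores(EVENTS), "alerts:", alerts(per_process_scores(EVENTS)))
    print("per-chain:  ", per_chain_scores(EVENTS), "alerts:", alerts(per_chain_scores(EVENTS)))
    print("features:   ", chain_feature_vectors(EVENTS))
```

Run stand-alone, the per-process view raises no alert while the per-chain view flags root pid 100. The `chain_feature_vectors` output is where a classifier of the kind the abstract mentions would take over: counts per chain rather than per process are what let the split dropper, decryptor and injector phases be judged together.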

Research group:
© Università degli Studi di Roma "La Sapienza" - Piazzale Aldo Moro 5, 00185 Roma