Automatic Classification of Security Events
IBM QRadar needs to be able to categorize events generated by hundreds of different network devices in order to function as a Security Information and Event Management (SIEM) system. This categorization is currently a manual process, and our aim is to automate it. We have a database of over 579,000 events, coming from over 300 devices, that have been manually classified over the years. We also have the classification categories: 18 high-level categories, broken down into 500+ subcategories; these categories broadly correspond to security threats.
The goal of this research is to use this database to develop a model that can then be used to assist in the classification of future events as new devices, or new versions of existing devices, are introduced.
Each “event” is parsed by QRadar’s “Device Support Module” (DSM), which outputs a unique identifier along with other useful information, e.g. source/destination IP and port, the time the event was generated, the user responsible for generating it, and so on.
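As an added illustration (not part of the original project or of QRadar), the following Python sketch shows the kind of assistance the research aims at: a naive Bayes classifier trained on event names that already carry a high-level category, which proposes a category for an event from a new device and withholds a guess when its posterior confidence is low, so that event is routed to manual classification. The training rows and the category labels are constructed for the example; the page does not list QRadar's actual category names.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training set: (event name as a DSM might emit it, high-level category).
# The category labels are illustrative placeholders, not QRadar's real taxonomy.
TRAINING = [
    ("User login failed", "Authentication"),
    ("SSH authentication failure", "Authentication"),
    ("Successful logon for user", "Authentication"),
    ("Virus detected and quarantined", "Malware"),
    ("Trojan signature matched", "Malware"),
    ("Malware scan found infected file", "Malware"),
    ("Buffer overflow attempt blocked", "Exploit"),
    ("Exploit signature matched on port", "Exploit"),
    ("Firewall denied inbound connection", "Access"),
    ("Connection permitted by policy", "Access"),
]

def tokenize(name):
    """Lower-case word tokens; event names from different vendors vary in case and punctuation."""
    return re.findall(r"[a-z0-9]+", name.lower())

class EventClassifier:
    """Multinomial naive Bayes over event-name tokens with Laplace (add-one) smoothing."""
    def __init__(self, labelled):
        self.class_counts = Counter()            # events seen per category
        self.token_counts = defaultdict(Counter) # token frequencies per category
        self.vocab = set()
        for name, cat in labelled:
            self.class_counts[cat] += 1
            for tok in tokenize(name):
                self.token_counts[cat][tok] += 1
                self.vocab.add(tok)
        self.total = sum(self.class_counts.values())

    def log_scores(self, name):
        """Unnormalised log P(category) + sum log P(token | category) for each category."""
        toks = tokenize(name)
        out = {}
        for cat, n in self.class_counts.items():
            denom = sum(self.token_counts[cat].values()) + len(self.vocab)
            logp = math.log(n / self.total)
            logp += sum(math.log((self.token_counts[cat][t] + 1) / denom) for t in toks)
            out[cat] = logp
        return out

    def classify(self, name, min_confidence=0.6):
        """Return (category, posterior); category is None when the posterior is below
        min_confidence, signalling that an analyst should classify the event by hand."""
        s = self.log_scores(name)
        m = max(s.values())                       # subtract max before exp for stability
        probs = {c: math.exp(v - m) for c, v in s.items()}
        z = sum(probs.values())
        best = max(probs, key=probs.get)
        p = probs[best] / z
        return (best if p >= min_confidence else None, p)
```

Unseen tokens fall back to the smoothed prior, which is why a name sharing no vocabulary with the training data lands below the threshold rather than being assigned the most common category.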