Article code: 424899 | Journal code: 685654 | Publication year: 2016 | English article: 13 pages | Full-text version: PDF, free download
English title of the ISI article
Automated root cause identification of security alerts: Evaluation in a SaaS Cloud
Related subjects
Engineering and basic sciences; Computer engineering; Computational theory and mathematics
English abstract

• A framework to support the analysis of security alerts.
• Adoption of term weighting and clustering techniques.
• Classification of root causes.
• Evaluation of real-world security datasets collected in a SaaS Cloud.

The analysis of the security alerts collected during system operations is a crucial task for initiating effective responses against attacks and intentional system misuse. A variety of monitors are available today to generate security alerts, such as intrusion detection systems, network audits, vulnerability scans, and event logs. While the alerts generated by the security monitors represent a goldmine of information, the ever-increasing volume and heterogeneity of the collected alerts pose a major threat to the timely security analysis and forensic activities conducted by the operations team. This paper proposes a framework consisting of a filter and a decision tree to address large volumes of security alerts and to support the automated identification of the root causes of the alerts. The framework adopts both term weighting and conceptual clustering approaches to fill the gap between the unstructured textual alerts and the formalization of the decision tree. We evaluated the framework by analyzing two security datasets from a production SaaS Cloud, which generates an average volume of 800 alerts/day. The framework significantly reduced the volume of alerts and inferred the root causes of around 98.8% of the alerts with no human intervention, with respect to the datasets available in this study. More importantly, we leveraged the output of the framework to provide a classification of the root causes of the alerts in the target SaaS Cloud.

Publisher
Database: Elsevier - ScienceDirect
Journal: Future Generation Computer Systems - Volume 56, March 2016, Pages 375–387
Authors