Design and Implementation of an Automated Event Log Analysis System based on Event Correlation and Machine Learning
In the past, malware integrated multiple malicious functions inside a single executable, so an executable containing many suspicious functions could be flagged as malware by antivirus software with high confidence. To attract less attention from antivirus software, attackers now split malicious functions across different processes, for example dividing the work among a dropper, a decryptor and an injector. When a file or a single process is used as the unit for assessing system security, a lot of malicious behavior is therefore overlooked. The system proposed in this paper is based on event correlation and machine-learning classification: it views process behavior from a more comprehensive perspective and identifies the malicious behavior. The automated analysis of the event log costs only 5 minutes per endpoint per day. The F1-score of binary classification is 99%, and the F1-score of multiclass classification by malware type is 82%.
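The following is an added illustration (not the paper's own code) of the abstract's central point: correlating events along the process-creation chain reveals behavior that a per-process view splits up. The event log, the event type names and the choice of parent-child lineage as the correlation key are all constructed assumptions for this example.

```python
from collections import Counter, defaultdict

EVENT_TYPES = ("process_create", "file_write", "remote_thread")

# Constructed sample log (not from the paper): a dropper / decryptor / injector
# chain split across three processes, plus one unrelated benign process.
# ppid 50 and 60 are parents the log never saw being created.
EVENTS = [
    {"pid": 200, "ppid": 50,  "image": "dropper.exe",   "type": "process_create"},
    {"pid": 200, "ppid": 50,  "image": "dropper.exe",   "type": "file_write"},
    {"pid": 201, "ppid": 200, "image": "decryptor.exe", "type": "process_create"},
    {"pid": 201, "ppid": 200, "image": "decryptor.exe", "type": "file_write"},
    {"pid": 202, "ppid": 201, "image": "injector.exe",  "type": "process_create"},
    {"pid": 202, "ppid": 201, "image": "injector.exe",  "type": "remote_thread"},
    {"pid": 300, "ppid": 60,  "image": "notepad.exe",   "type": "process_create"},
    {"pid": 300, "ppid": 60,  "image": "notepad.exe",   "type": "file_write"},
]


def chain_root(pid, parent):
    """Walk parent links upward until the parent is a process the log never recorded."""
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def correlate(events):
    """Group every event under the root of its process-creation chain (assumed correlation key)."""
    parent = {e["pid"]: e["ppid"] for e in events}
    chains = defaultdict(lambda: {"processes": set(), "counts": Counter()})
    for e in events:
        root = chain_root(e["pid"], parent)
        chains[root]["processes"].add(e["pid"])
        chains[root]["counts"][e["type"]] += 1
    return chains


def per_process_counts(events):
    """The traditional view: each process counted in isolation."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["pid"]][e["type"]] += 1
    return counts


def feature_vector(chain):
    """Fixed-order numeric features for a classifier: process count, then one count per event type."""
    return [len(chain["processes"])] + [chain["counts"][t] for t in EVENT_TYPES]


if __name__ == "__main__":
    for root, chain in correlate(EVENTS).items():
        print(root, feature_vector(chain))
```

In the per-process view no process writes more than one file or creates a remote thread more than once, while the correlated chain rooted at pid 200 shows three processes, two file writes and a remote thread together, which is the kind of aggregate a classifier can act on.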