G-CAS: Greedy Algorithm-Based Security Event Correlation System for Critical Infrastructure Network

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg2"><tr><td> </td><td><b>Require:</b> the data of security events.</td></tr><tr><td colspan="2"><b> </b><b>Ensure:</b> the security alerts with specific conditions.</td></tr><tr><td>(1)</td><td><b>if</b> Received a security event <b>then</b></td></tr><tr><td>(2)</td><td> Greedy-Tree <svg height="6.27169pt" id="M12" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -6.22188 18.3548 6.27169" width="18.3548pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M885 230V280H158L260 427L238 442C164 361 93 290 53 255C93 220 164 149 238 68L260 83L158 230H885Z"></path></g><g transform="matrix(.013,0,0,-0.013,9.91,0)"><path d="M567 230V280H69V230H567Z"></path></g></svg> Init the rules.</td></tr><tr><td>(3)</td><td> DataSource classify.</td></tr><tr><td>(4)</td><td> Key-value <svg height="6.27169pt" id="M13" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -6.22188 18.3548 6.27169" width="18.3548pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M885 230V280H158L260 427L238 442C164 361 93 290 53 255C93 220 164 149 238 68L260 83L158 230H885Z"></path></g><g transform="matrix(.013,0,0,-0.013,9.91,0)"><path d="M567 230V280H69V230H567Z"></path></g></svg> Event-Parse.</td></tr><tr><td>(5)</td><td> LogicMatchers <svg height="6.27169pt" id="M14" style="vertical-align:-0.04980993pt" version="1.1" viewbox="-0.0498162 -6.22188 18.3548 6.27169" width="18.3548pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M885 230V280H158L260 427L238 442C164 361 93 290 53 255C93 220 164 149 238 68L260 83L158 230H885Z"></path></g><g transform="matrix(.013,0,0,-0.013,9.91,0)"><path d="M567 230V280H69V230H567Z"></path></g></svg> Generate Logic Matcher.</td></tr><tr><td>(6)</td><td> <b>for</b><svg height="12.6917pt" id="M15" style="vertical-align:-3.40337pt" version="1.1" viewbox="-0.0498162 -9.28833 76.5217 12.6917" width="76.5217pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M667 0V28C619 34 599 43 546 100C496 154 386 277 311 372C378 440 449 512 488 547C551 605 575 615 650 622V650H410V622L433 619C478 614 479 604 449 568C404 513 337 443 282 390C254 364 234 350 212 345V520C212 609 222 616 299 622V650H41V622C120 616 128 611 128 520V128C128 41 120 34 44 28V0H304V28C221 34 212 41 212 128V318C229 321 242 318 266 291C355 185 436 87 514 0H667Z"></path></g><g transform="matrix(.013,0,0,-0.013,8.436,0)"><path d="M380 106C343 72 306 56 265 56C195 56 116 112 115 248C235 252 361 262 377 265C396 269 400 277 400 297C400 374 333 449 250 449H249C198 449 144 421 103 376S37 269 37 201C37 88 109 -12 232 -12C263 -12 332 6 395 84L380 106ZM225 412C281 412 315 364 314 312C314 297 308 292 290 292C232 290 176 289 120 289C135 370 180 412 225 412Z"></path></g><g transform="matrix(.013,0,0,-0.013,14.065,0)"><path d="M478 437H297V411C355 404 361 392 349 355C329 292 285 174 257 106L167 356C153 394 158 404 205 411L204 437H2V411C57 404 66 391 88 336C117 265 162 144 202 30C208 13 209 0 204 -15C199 -28 191 -49 173 -84C149 -128 130 -153 98 -172C81 -184 73 -193 73 -209C73 -233 101 -257 129 -257C143 -257 156 -252 161 -232C175 -179 197 -122 264 38C333 203 364 286 390 339C417 395 425 403 478 411V437Z"></path></g><rect height="0.3985" width="3.91466" x="20.891" y="-0.3985"></rect><g transform="matrix(.013,0,0,-0.013,24.806,0)"><path d="M244 607C244 633 228 655 200 655C166 655 146 618 146 594C146 564 166 546 191 546C221 546 244 574 244 607ZM222 91L209 114C184 94 148 66 133 66C127 66 124 73 130 96L201 370C213 416 211 448 191 448C162 448 88 407 29 352L42 328C73 354 104 371 114 371C120 371 119 365 115 345L53 92C32 5 45 -12 68 -12C103 -12 186 50 222 91Z"></path></g><g transform="matrix(.013,0,0,-0.013,31.987,0)"><path d="M448 1V51H364C248 51 153 129 140 230H448V280H140C153 381 248 459 364 459H448V509H365C208 509 80 395 80 255S208 1 365 1H448Z"></path></g><g transform="matrix(.013,0,0,-0.013,42.483,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z"></path></g><g transform="matrix(.013,0,0,-0.013,46.968,0)"><path d="M667 0V28C619 34 599 43 546 100C496 154 386 277 311 372C378 440 449 512 488 547C551 605 575 615 650 622V650H410V622L433 619C478 614 479 604 449 568C404 513 337 443 282 390C254 364 234 350 212 345V520C212 609 222 616 299 622V650H41V622C120 616 128 611 128 520V128C128 41 120 34 44 28V0H304V28C221 34 212 41 212 128V318C229 321 242 318 266 291C355 185 436 87 514 0H667Z"></path></g><g transform="matrix(.013,0,0,-0.013,55.403,0)"><path d="M380 106C343 72 306 56 265 56C195 56 116 112 115 248C235 252 361 262 377 265C396 269 400 277 400 297C400 374 333 449 250 449H249C198 449 144 421 103 376S37 269 37 201C37 88 109 -12 232 -12C263 -12 332 6 395 84L380 106ZM225 412C281 412 315 364 314 312C314 297 308 292 290 292C232 290 176 289 120 289C135 370 180 412 225 412Z"></path></g><g transform="matrix(.013,0,0,-0.013,61.033,0)"><path d="M478 437H297V411C355 404 361 392 349 355C329 292 285 174 257 106L167 356C153 394 158 404 205 411L204 437H2V411C57 404 66 391 88 336C117 265 162 144 202 30C208 13 209 0 204 -15C199 -28 191 -49 173 -84C149 -128 130 -153 98 -172C81 -184 73 -193 73 -209C73 -233 101 -257 129 -257C143 -257 156 -252 161 -232C175 -179 197 -122 264 38C333 203 364 286 390 339C417 395 425 403 478 411V437Z"></path></g><g transform="matrix(.013,0,0,-0.013,67,0)"><path d="M319 325C317 349 306 409 297 431C277 440 250 449 209 449C117 449 57 389 57 319C57 243 122 209 182 182C232 159 261 135 261 91C261 48 227 21 190 21C130 21 85 79 68 145L41 140C41 104 51 36 58 22C75 7 121 -12 172 -12C252 -12 337 35 337 126C337 195 286 231 210 262C166 281 126 304 126 348C126 388 152 417 191 417C240 417 274 378 294 318L319 325Z"></path></g><g transform="matrix(.013,0,0,-0.013,71.865,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z"></path></g></svg><b>do</b></td></tr><tr><td>(7)</td><td>  Meta-Match with tree structure.</td></tr><tr><td>(8)</td><td>  Optimized in the greedy tree.</td></tr><tr><td>(9)</td><td> <b>end for</b></td></tr><tr><td>(10)</td><td> <b>for</b><svg height="12.7178pt" id="M16" style="vertical-align:-3.42947pt" version="1.1" viewbox="-0.0498162 -9.28833 183.208 12.7178" width="183.208pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M495 163C480 117 462 85 444 65C421 39 387 34 332 34C290 34 256 36 236 47C218 57 213 77 213 131V526C213 612 222 616 301 622V650H40V622C122 616 128 611 128 526V126C128 41 120 34 36 28V0H489C498 31 519 126 525 157L495 163Z"></path></g><g transform="matrix(.013,0,0,-0.013,7.111,0)"><path d="M257 449C165 449 37 374 37 209C37 98 119 -12 256 -12C355 -12 473 65 473 226C473 349 381 449 257 449ZM244 416C333 416 380 320 380 204C380 67 329 21 267 21C184 21 130 115 130 241C130 354 184 416 244 416Z"></path></g><g transform="matrix(.013,0,0,-0.013,13.742,0)"><path d="M463 437C426 431 375 425 327 422C297 440 264 449 231 449H230C153 449 51 396 51 283C51 215 94 168 139 149C123 129 91 103 51 88C50 78 53 60 62 46C75 25 100 2 136 -9C112 -28 73 -59 53 -79C38 -94 29 -113 29 -135C30 -192 91 -257 203 -257C336 -257 452 -160 452 -59C452 39 371 59 309 59C275 59 240 58 203 58C158 58 140 77 140 96C140 110 157 129 170 138C186 135 205 133 221 133C306 133 396 185 396 293C396 328 384 360 366 381L423 378C439 387 459 413 468 429L463 437ZM219 418C277 418 314 362 314 284C314 205 275 166 231 165C176 165 137 221 137 299C137 376 177 418 219 418ZM241 -11C285 -11 314 -14 339 -24C367 -36 384 -61 384 -95C384 -157 335 -206 240 -206C166 -206 108 -165 108 -110C108 -82 128 -54 154 -32C172 -17 195 -11 241 -11Z"></path></g><g transform="matrix(.013,0,0,-0.013,19.891,0)"><path d="M135 536C164 536 186 560 186 587C186 617 164 639 136 639C109 639 85 617 85 587C85 560 109 536 135 536ZM252 0V26C188 32 181 38 181 106V451C138 433 90 420 39 412V388C99 379 102 374 102 312V106C102 38 95 32 32 26V0H252Z"></path></g><g transform="matrix(.013,0,0,-0.013,23.375,0)"><path d="M390 111C344 68 312 56 269 56C212 56 118 102 118 241C118 346 175 401 241 401C277 401 312 388 342 360C350 352 355 349 361 349C372 349 394 371 394 392C394 403 391 411 378 422C362 436 329 449 288 449H287C250 449 190 432 138 392C71 341 37 274 37 197C37 90 112 -12 238 -12C297 -12 363 32 407 90L390 111Z"></path></g><g transform="matrix(.013,0,0,-0.013,28.874,0)"><path d="M861 0V28C774 35 771 41 768 147L759 509C756 612 762 614 851 622V650H681L449 149L221 650H57V622C148 613 153 609 144 479L130 271C123 166 117 123 111 88C104 46 85 34 26 28V0H259V28C192 35 169 42 167 90C166 130 166 173 170 256L185 541H187L411 7H431L675 555H679L683 147C683 41 680 35 598 28V0H861Z"></path></g><g transform="matrix(.013,0,0,-0.013,40.235,0)"><path d="M433 39L423 65C413 59 399 54 387 54C370 54 352 69 352 114V299C352 352 342 392 307 422C285 440 255 449 225 449C168 437 102 399 75 379C56 365 44 353 44 339C44 315 69 296 87 296C101 296 111 303 116 319C124 349 133 371 145 385C156 397 171 404 190 404C241 404 275 364 275 291V274C253 256 180 229 120 209C65 190 39 159 39 110C39 47 88 -12 159 -12C189 -12 237 25 277 52C282 35 288 21 301 8C312 -3 333 -12 348 -12L433 39ZM275 84C256 65 221 48 195 48C164 48 124 73 124 124C124 161 146 180 185 198C206 208 254 229 275 240V84Z"></path></g><g transform="matrix(.013,0,0,-0.013,45.694,0)"><path d="M298 36L289 62C276 55 253 45 228 45C202 45 169 60 169 141V397H276C289 405 292 426 282 437H169V574L155 576L90 509V437H45L17 408L21 397H90V107C90 28 125 -12 188 -12C198 -12 213 -8 230 1L298 36Z"></path></g><g transform="matrix(.013,0,0,-0.013,49.581,0)"><path d="M390 111C344 68 312 56 269 56C212 56 118 102 118 241C118 346 175 401 241 401C277 401 312 388 342 360C350 352 355 349 361 349C372 349 394 371 394 392C394 403 391 411 378 422C362 436 329 449 288 449H287C250 449 190 432 138 392C71 341 37 274 37 197C37 90 112 -12 238 -12C297 -12 363 32 407 90L390 111Z"></path></g><g transform="matrix(.013,0,0,-0.013,55.001,0)"><path d="M513 0V26C455 31 447 37 447 103V278C447 398 390 449 309 449C255 449 202 412 166 376V712C127 700 67 684 19 677V653C85 647 87 643 87 580V103C87 37 79 31 19 26L18 0H231V26C171 32 166 39 166 103V341C194 373 232 392 270 392C337 392 368 351 368 269V103C368 38 360 32 302 26V0H513Z"></path></g><g transform="matrix(.013,0,0,-0.013,61.891,0)"><path d="M380 106C343 72 306 56 265 56C195 56 116 112 115 248C235 252 361 262 377 265C396 269 400 277 400 297C400 374 333 449 250 449H249C198 449 144 421 103 376S37 269 37 201C37 88 109 -12 232 -12C263 -12 332 6 395 84L380 106ZM225 412C281 412 315 364 314 312C314 297 308 292 290 292C232 290 176 289 120 289C135 370 180 412 225 412Z"></path></g><g transform="matrix(.013,0,0,-0.013,67.416,0)"><path d="M181 342V451C133 431 89 419 40 411V388C98 381 102 377 102 311V104C102 38 95 32 33 26V0H263V26C186 32 181 38 181 104V287C203 343 235 372 261 372C277 372 289 366 304 352C310 346 318 345 330 350C349 359 362 379 362 399C362 422 338 449 304 449C256 449 213 393 183 342H181Z"></path></g><rect height="0.3985" width="3.91466" x="73.2948" y="-0.3985"></rect><g transform="matrix(.013,0,0,-0.013,77.209,0)"><path d="M394 607C394 634 378 655 350 655C315 655 294 620 294 594C294 564 314 546 339 546C372 546 394 574 394 607ZM360 349C373 414 374 448 351 448C321 448 249 404 183 338L197 313C223 336 265 367 276 367C285 367 283 355 275 313C241 129 220 23 189 -102C175 -158 153 -197 124 -197C106 -197 85 -187 70 -177C64 -173 51 -177 44 -183C34 -193 23 -209 23 -228C23 -244 46 -261 67 -261C86 -261 127 -245 181 -197C237 -147 279 -52 303 66L360 349Z"></path></g><g transform="matrix(.013,0,0,-0.013,86.342,0)"><path d="M448 1V51H364C248 51 153 129 140 230H448V280H140C153 381 248 459 364 459H448V509H365C208 509 80 395 80 255S208 1 365 1H448Z"></path></g><g transform="matrix(.013,0,0,-0.013,96.837,0)"><path d="M290 -163V-135C183 -126 181 -122 181 -44V583C181 662 184 666 290 675V703H120V-163H290Z"></path></g><g transform="matrix(.013,0,0,-0.013,101.322,0)"><path d="M495 163C480 117 462 85 444 65C421 39 387 34 332 34C290 34 256 36 236 47C218 57 213 77 213 131V526C213 612 222 616 301 622V650H40V622C122 616 128 611 128 526V126C128 41 120 34 36 28V0H489C498 31 519 126 525 157L495 163Z"></path></g><g transform="matrix(.013,0,0,-0.013,108.434,0)"><path d="M257 449C165 449 37 374 37 209C37 98 119 -12 256 -12C355 -12 473 65 473 226C473 349 381 449 257 449ZM244 416C333 416 380 320 380 204C380 67 329 21 267 21C184 21 130 115 130 241C130 354 184 416 244 416Z"></path></g><g transform="matrix(.013,0,0,-0.013,115.064,0)"><path d="M463 437C426 431 375 425 327 422C297 440 264 449 231 449H230C153 449 51 396 51 283C51 215 94 168 139 149C123 129 91 103 51 88C50 78 53 60 62 46C75 25 100 2 136 -9C112 -28 73 -59 53 -79C38 -94 29 -113 29 -135C30 -192 91 -257 203 -257C336 -257 452 -160 452 -59C452 39 371 59 309 59C275 59 240 58 203 58C158 58 140 77 140 96C140 110 157 129 170 138C186 135 205 133 221 133C306 133 396 185 396 293C396 328 384 360 366 381L423 378C439 387 459 413 468 429L463 437ZM219 418C277 418 314 362 314 284C314 205 275 166 231 165C176 165 137 221 137 299C137 376 177 418 219 418ZM241 -11C285 -11 314 -14 339 -24C367 -36 384 -61 384 -95C384 -157 335 -206 240 -206C166 -206 108 -165 108 -110C108 -82 128 -54 154 -32C172 -17 195 -11 241 -11Z"></path></g><g transform="matrix(.013,0,0,-0.013,121.213,0)"><path d="M135 536C164 536 186 560 186 587C186 617 164 639 136 639C109 639 85 617 85 587C85 560 109 536 135 536ZM252 0V26C188 32 181 38 181 106V451C138 433 90 420 39 412V388C99 379 102 374 102 312V106C102 38 95 32 32 26V0H252Z"></path></g><g transform="matrix(.013,0,0,-0.013,124.697,0)"><path d="M390 111C344 68 312 56 269 56C212 56 118 102 118 241C118 346 175 401 241 401C277 401 312 388 342 360C350 352 355 349 361 349C372 349 394 371 394 392C394 403 391 411 378 422C362 436 329 449 288 449H287C250 449 190 432 138 392C71 341 37 274 37 197C37 90 112 -12 238 -12C297 -12 363 32 407 90L390 111Z"></path></g><g transform="matrix(.013,0,0,-0.013,130.196,0)"><path d="M861 0V28C774 35 771 41 768 147L759 509C756 612 762 614 851 622V650H681L449 149L221 650H57V622C148 613 153 609 144 479L130 271C123 166 117 123 111 88C104 46 85 34 26 28V0H259V28C192 35 169 42 167 90C166 130 166 173 170 256L185 541H187L411 7H431L675 555H679L683 147C683 41 680 35 598 28V0H861Z"></path></g><g transform="matrix(.013,0,0,-0.013,141.557,0)"><path d="M433 39L423 65C413 59 399 54 387 54C370 54 352 69 352 114V299C352 352 342 392 307 422C285 440 255 449 225 449C168 437 102 399 75 379C56 365 44 353 44 339C44 315 69 296 87 296C101 296 111 303 116 319C124 349 133 371 145 385C156 397 171 404 190 404C241 404 275 364 275 291V274C253 256 180 229 120 209C65 190 39 159 39 110C39 47 88 -12 159 -12C189 -12 237 25 277 52C282 35 288 21 301 8C312 -3 333 -12 348 -12L433 39ZM275 84C256 65 221 48 195 48C164 48 124 73 124 124C124 161 146 180 185 198C206 208 254 229 275 240V84Z"></path></g><g transform="matrix(.013,0,0,-0.013,147.016,0)"><path d="M298 36L289 62C276 55 253 45 228 45C202 45 169 60 169 141V397H276C289 405 292 426 282 437H169V574L155 576L90 509V437H45L17 408L21 397H90V107C90 28 125 -12 188 -12C198 -12 213 -8 230 1L298 36Z"></path></g><g transform="matrix(.013,0,0,-0.013,150.903,0)"><path d="M390 111C344 68 312 56 269 56C212 56 118 102 118 241C118 346 175 401 241 401C277 401 312 388 342 360C350 352 355 349 361 349C372 349 394 371 394 392C394 403 391 411 378 422C362 436 329 449 288 449H287C250 449 190 432 138 392C71 341 37 274 37 197C37 90 112 -12 238 -12C297 -12 363 32 407 90L390 111Z"></path></g><g transform="matrix(.013,0,0,-0.013,156.324,0)"><path d="M513 0V26C455 31 447 37 447 103V278C447 398 390 449 309 449C255 449 202 412 166 376V712C127 700 67 684 19 677V653C85 647 87 643 87 580V103C87 37 79 31 19 26L18 0H231V26C171 32 166 39 166 103V341C194 373 232 392 270 392C337 392 368 351 368 269V103C368 38 360 32 302 26V0H513Z"></path></g><g transform="matrix(.013,0,0,-0.013,163.214,0)"><path d="M380 106C343 72 306 56 265 56C195 56 116 112 115 248C235 252 361 262 377 265C396 269 400 277 400 297C400 374 333 449 250 449H249C198 449 144 421 103 376S37 269 37 201C37 88 109 -12 232 -12C263 -12 332 6 395 84L380 106ZM225 412C281 412 315 364 314 312C314 297 308 292 290 292C232 290 176 289 120 289C135 370 180 412 225 412Z"></path></g><g transform="matrix(.013,0,0,-0.013,168.739,0)"><path d="M181 342V451C133 431 89 419 40 411V388C98 381 102 377 102 311V104C102 38 95 32 33 26V0H263V26C186 32 181 38 181 104V287C203 343 235 372 261 372C277 372 289 366 304 352C310 346 318 345 330 350C349 359 362 379 362 399C362 422 338 449 304 449C256 449 213 393 183 342H181Z"></path></g><g transform="matrix(.013,0,0,-0.013,173.483,0)"><path d="M319 325C317 349 306 409 297 431C277 440 250 449 209 449C117 449 57 389 57 319C57 243 122 209 182 182C232 159 261 135 261 91C261 48 227 21 190 21C130 21 85 79 68 145L41 140C41 104 51 36 58 22C75 7 121 -12 172 -12C252 -12 337 35 337 126C337 195 286 231 210 262C166 281 126 304 126 348C126 388 152 417 191 417C240 417 274 378 294 318L319 325Z"></path></g><g transform="matrix(.013,0,0,-0.013,178.545,0)"><path d="M226 -163V703H56V676C162 667 165 662 165 584V-43C165 -122 162 -126 56 -136V-163H226Z"></path></g></svg><b>do</b></td></tr><tr><td>(11)</td><td>  Logical-Match based on the greedy algorithm.</td></tr><tr><td>(12)</td><td>  Optimized in the greedy tree.</td></tr><tr><td>(13)</td><td> <b>end for</b></td></tr><tr><td>(14)</td><td> Frequency-Statistic.</td></tr><tr><td>(15)</td><td> Threshold-Compare.</td></tr><tr><td>(16)</td><td> Alert-Formed.</td></tr><tr><td>(17)</td><td><b>end if</b></td></tr><tr><td>(18)</td><td><b>return</b> Alerts.</td></tr></table></td></tr></table>

Security and Communication Networks

alg2

Algorithm 2

Algorithm 2: G-CAS: Greedy Algorithm-Based Security Event Correlation System for Critical Infrastructure Network 