Applying process mining to improve microservices cyber security situational awareness.
Date
2020-06
Author
Jacob, Stephen
Lee, Brian
Qiao, Yuansong
Abstract
Cyber Security Incident Response Teams (CSIRTs) for enterprise networks are often overwhelmed by newer, more sophisticated forms of cyber attack. Improved cyber security techniques are in high demand. At present, microservices are emerging as the dominant software design architecture for many applications [1]. The main research question for this research project is: “In what ways can business processes mining improve the detection of cyber security attacks in a microservices-based domain?”
Anomaly detection systems generate alerts for suspicious behaviour in software systems, and CSIRTs require the means to prioritise these alerts and identify those that pose the greater threat to their microservices-based applications. The mining of business processes is a methodology that extracts knowledge from application log data and outputs the information in the form of process models. Previous research highlights that the discovery of process mining models is a popular topic in the field of cybersecurity, having been used to discover forms of cyber attack strategies in a log of intrusion alerts [2] and to uncover process anomalies in cyber security processes.