Graph-Based Correlation Method for Information Security Incidents with Automatic Construction of Attack Chains
Authors: Dolgachev M. V., Kostyunin V. A.
Abstract: This paper presents a method for automated correlation of information security incidents originating from various security tools (SIEM, EDR, NTA) based on graph models. The proposed approach considers the severity of incidents according to CVSS (Common Vulnerability Scoring System) metrics, the prioritization of MITRE ATT&CK techniques, and the temporal proximity of events. To filter out secondary entities, a TF-IDF algorithm is applied. The method implements graph-based incident correlation with automatic construction of attack chains while minimizing analyst involvement, thereby increasing accuracy and reducing the number of false-positive connections. The effectiveness of the method was validated through experiments in an isolated cyber laboratory: automated correlation reduced analysis time by 99.82% compared to manual processing. The results demonstrate the potential of using graph structures in cybersecurity systems.
Keywords: incident analysis, automated analysis, TF-IDF, MITRE ATT&CK, CVSS, NTA, EDR, SIEM, SOC, information security, incident correlation, graph models
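The abstract names the ingredients of the method (entities shared between alerts, filtered by TF-IDF; temporal proximity; CVSS severity; a graph whose paths become attack chains). The Python below is an added illustration of those ideas, not the authors' implementation: it drops entities with low IDF, scores an edge as shared informative entities x linear time decay x mean CVSS/10, and reads the heaviest path through the resulting DAG as the chain. The sample alerts, the weighting formula and the thresholds are constructed assumptions, and ATT&CK technique prioritization is left out.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample alerts (not real data): t = minutes since first alert; ent = hosts/users/processes named.
INCIDENTS = [
    {"id": "siem-1", "t": 0,   "cvss": 5.3, "ent": {"corp.local", "ws-17", "jdoe"}},
    {"id": "edr-2",  "t": 4,   "cvss": 7.8, "ent": {"corp.local", "ws-17", "powershell.exe"}},
    {"id": "nta-3",  "t": 9,   "cvss": 8.1, "ent": {"corp.local", "ws-17", "srv-db"}},
    {"id": "edr-4",  "t": 12,  "cvss": 9.1, "ent": {"corp.local", "srv-db", "lsass.exe"}},
    {"id": "siem-5", "t": 300, "cvss": 3.1, "ent": {"corp.local", "ws-42", "asmith"}},
]

def informative_entities(incidents, min_idf=0.5):
    """Keep entities whose IDF clears the cut; ones seen in nearly every alert (the domain) are dropped."""
    df = Counter(e for inc in incidents for e in inc["ent"])
    return {e for e, c in df.items() if math.log(len(incidents) / c) >= min_idf}

def edge_weight(a, b, keep, window=30):
    """Shared informative entities x linear time decay over `window` minutes x mean CVSS/10 (assumed formula)."""
    shared = len(a["ent"] & b["ent"] & keep)
    dt = abs(a["t"] - b["t"])
    if shared == 0 or dt > window:
        return 0.0
    return shared * (1 - dt / window) * (a["cvss"] + b["cvss"]) / 20

def build_graph(incidents, min_weight=0.1):
    """Directed edges run from the earlier alert to the later one, so the graph is a DAG."""
    keep = informative_entities(incidents)
    order = sorted(incidents, key=lambda i: i["t"])
    graph = {i["id"]: [] for i in order}
    for a, b in combinations(order, 2):
        w = edge_weight(a, b, keep)
        if w >= min_weight:
            graph[a["id"]].append((b["id"], round(w, 3)))
    return graph

def longest_chain(graph):
    """Heaviest path in the DAG, read as the attack chain from first to last alert."""
    best = {}
    def walk(node):
        if node not in best:
            cands = []
            for nxt, w in graph[node]:
                score, path = walk(nxt)
                cands.append((w + score, [node] + path))
            best[node] = max(cands, default=(0.0, [node]))
        return best[node]
    return max((walk(n) for n in graph), key=lambda x: x[0])[1]
```

With the constructed alerts, the shared domain `corp.local` is filtered out, the unrelated late `siem-5` alert stays isolated, and the chain returned is `siem-1 -> edr-2 -> nta-3 -> edr-4`.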