A survey on artificial intelligence techniques for security event correlation: models, challenges, and opportunities

Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps of attackers and can be analyzed as part of a specific attack strategy. In this survey, we present the systematization of security event correlation models in terms of their representation in AI-based monitoring systems as: rule-based, semantic, graphical and machine learning based-models. We define the main directions of current research in the field of AI-based security event correlation and the methods used for the correlation of both single events and their sequences in attack scenarios. We also describe the prospects for the development of hybrid correlation models. In conclusion, we identify the existing problems in the field and possible ways to overcome them.