Kostiuk, Yuliia and Skladannyi, Pavlo and Bondarchuk, Andrii and Hnatchenko, Dmytro (2026) Method of Cryptographically Resilient Event Correlation in SIEM Based on Risk-Oriented Assessment and Context-Hashed Similarity. Information and Telecommunication Sciences, 17 (1). pp. 36-50. ISSN 2411-2976
Text: Kostiuk_Y_Skladannyi_P_Bondarchuk_A_Hnatchenko_D_ІTS_17_1_2026_FITM.pdf (1MB)
Abstract
Background. The rapid growth of telemetry and event logs in corporate and public-sector information and communication systems complicates the formation of reliable incidents in SIEM platforms. Traditional correlation methods that rely on fixed rules, temporal windows, and heuristic similarity criteria fall short in the face of evolving threats and fail to consider the risk context associated with assets. In addition, correlation is vulnerable to log manipulation (log injection, partial context modification, timestamp distortion), which can generate false incidents or conceal multi-stage attacks and overload SOC operations.

Objective. This paper aims to develop a cryptographically resilient SIEM event-correlation method based on risk-oriented assessment and context-hashed similarity, improving the trustworthiness of incident formation and ensuring robustness against injection, substitution, and partial compromise of event logs.

Methods. We formalise a security event as a structured object comprising context, temporal parameters, and risk, and propose normalisation and canonicalisation procedures for context features with a fixed ordering. To protect context, we employ a context-hashed representation with multi-level fingerprints. Event similarity is defined via a cryptographically resilient fingerprint-matching metric, while correlation is computed using an integral indicator Corr that combines contextual similarity with the risk significance of events. A time-window correlation algorithm with a threshold-based decision rule is constructed.

Results. The proposed method combines cryptographically protected context similarity with risk-oriented assessment, providing resilience to context and log manipulation. We develop a threat model for SIEM alerts as correlation objects and a mapping table “attack class → impact → mitigation mechanism.” Simulation experiments in a corporate environment confirm a reduced false-incident rate and improved correlation precision while maintaining comparable incident-detection recall; robustness is demonstrated under log injection, partial tampering, and timestamp shift scenarios. In practice, the method can be integrated as a correlation module into existing SIEM platforms without substantial architectural redesign.

Conclusions. Integrating context-hashed representations with risk-oriented correlation yields a cryptographically resilient mechanism for automated incident formation in SIEM, mitigates alert flooding, and increases SOC trust in correlation outcomes under dynamic threats. Future work should focus on adaptive tuning of α and θ using SOC feedback and ML-based models, as well as expanding experimental validation on real industrial data.
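The pipeline the abstract outlines (canonicalised context, multi-level context fingerprints, a similarity metric, Corr combining similarity with risk, and a windowed threshold rule) as an added Python sketch; this is not the paper's code, and since the page gives no formulas, the keyed SHA-256 fingerprints, the five context fields, the weighting Corr = α·similarity + (1−α)·risk and all sample events are assumptions constructed for the illustration.

```python
import hashlib, hmac, json
# Assumptions, not taken from the paper: keyed SHA-256 fingerprints, five context fields,
# Corr = alpha * similarity + (1 - alpha) * risk. The key is a constructed demo value.
KEY = b"constructed-demo-key"
FIELDS = ("src_ip", "dst_ip", "user", "process", "action")  # fixed canonical ordering

def canonicalise(ctx):
    """Normalise every context field to a trimmed lower-case string, in fixed order."""
    return {f: str(ctx.get(f, "")).strip().lower() for f in FIELDS}

def fingerprints(ctx):
    """Multi-level context hash: one keyed digest per field plus one over the whole context."""
    c = canonicalise(ctx)
    per_field = {f: hmac.new(KEY, f"{f}={c[f]}".encode(), hashlib.sha256).hexdigest() for f in FIELDS}
    whole = hmac.new(KEY, json.dumps(c, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return per_field, whole

def make_event(eid, ts, risk, ctx):
    """Event = context + time (seconds) + asset risk in [0, 1]; fingerprint fixed at ingestion."""
    return {"id": eid, "ts": ts, "risk": risk, "ctx": ctx, "fp": fingerprints(ctx)}

def verify(ev):
    """Recompute the whole-context digest; an entry edited after ingestion no longer matches."""
    return hmac.compare_digest(fingerprints(ev["ctx"])[1], ev["fp"][1])

def similarity(a, b):
    """1.0 on an exact context match, otherwise the share of matching per-field fingerprints."""
    if hmac.compare_digest(a["fp"][1], b["fp"][1]):
        return 1.0
    return sum(a["fp"][0][f] == b["fp"][0][f] for f in FIELDS) / len(FIELDS)

def corr(a, b, alpha):
    return alpha * similarity(a, b) + (1 - alpha) * max(a["risk"], b["risk"])

def correlate(events, window, alpha, theta):
    """Pair events inside the time window whose Corr reaches theta; unverifiable entries are dropped."""
    evs = [e for e in sorted(events, key=lambda e: e["ts"]) if verify(e)]
    pairs = []
    for i, a in enumerate(evs):
        for b in evs[i + 1:]:
            if b["ts"] - a["ts"] > window:
                break
            if corr(a, b, alpha) >= theta:
                pairs.append((a["id"], b["id"], round(corr(a, b, alpha), 2)))
    return pairs

# Constructed sample: two steps on one host by the same user, plus an unrelated low-risk event.
EVENTS = [
    make_event("e1", 0, 0.7, {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "user": "Alice ", "process": "sshd", "action": "login_fail"}),
    make_event("e2", 40, 0.9, {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "user": "alice", "process": "sudo", "action": "priv_esc"}),
    make_event("e3", 50, 0.1, {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.3", "user": "bob", "process": "chrome", "action": "http_get"}),
]
```

With window 60 s, α = 0.5 and θ = 0.7, only e1 and e2 (three of five fields match, high risk) form an incident, and a copy of e1 whose user field was altered after ingestion fails verification and never enters correlation.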
| Item Type: | Article |
|---|---|
| Keywords: | SIEM; correlation; incidents; cryptographic resilience; hashing; risk; security monitoring; logs; SOC; anomalies |
| Typology: | Articles in periodicals > Professional (included in the list of professional publications approved by the Ministry of Education and Science) |
| Divisions: | Faculty of Information Technology and Mathematics > Department of Information and Cyber Security named after Professor Volodymyr Buriachok |
| Depositing User: | Pavlo Mykolaiovych Skladannyi |
| Date Deposited: | 22 Jun 2026 12:49 |
| Last Modified: | 22 Jun 2026 12:49 |
| URI: | https://elibrary.kubg.edu.ua/id/eprint/58297 |