Automated root cause identification of security alerts: Evaluation in a SaaS Cloud

Future Generation Computer Systems (2016)

Abstract
The analysis of the security alerts collected during the system operations is a crucial task to initiate effective responses against attacks and intentional system misuse. A variety of monitors are today available to generate security alerts, such as intrusion detection systems, network audit, vulnerability scans, and event logs. While the amount of alerts generated by the security monitors represents a goldmine of information, the ever-increasing volume and heterogeneity of the collected alerts pose a major threat to timely security analysis and forensic activities conducted by the operations team.
Keywords
Security alerts, Term weighting, Conceptual clustering, Decision tree, Root cause, SaaS Cloud