METHOD FOR DETECTION OF CYBER INCIDENTS IN SIEM BASED ON FUZZY HYPERGRAPHIC REPRESENTATION OF SECURITY EVENTS AND LINEAR INCIDENT MODEL
DOI:
https://doi.org/10.31673/2412-4338.2026.029105Abstract
The article proposes a method for detecting cyber incidents in event logs of security information and event management systems (SIEM), which is based on a fuzzy hypergraph representation of security events and the use of a linear model of event incidence - the belonging of a security event to a cyber incident. Unlike traditional approaches that use strict correlation rules (signature analysis) or simple statistical thresholds, the proposed method allows taking into account the multi-entity nature of events, their structural relationships and interpretation uncertainty. The approach is based on the representation of security events in the form of weighted hyperedges that connect a set of information infrastructure entities (users, hosts, processes, IP addresses and cyberattack techniques). For each event, the local incidence is calculated based on a linear model that aggregates such characteristics as the level of anomaly (deviation from basic behavior), the criticality of security rule triggering, contextual coherence, semantic significance, and historical suspiciousness of the entity. The process of detecting a cyber incident is implemented by searching for connected substructures in the hypergraph, which are formed based on the temporal proximity of events and the non-trivial intersection of the sets of their entities. A cyber incident within the method is interpreted as a connected substructure in the hypergraph of security events, for which the aggregated incidence exceeds a given threshold value. The proposed method provides a systematic transition from isolated analysis of individual events to holistic detection of structurally related sets of security events corresponding to the development of a cyber attack. The scientific novelty of the obtained result lies in the combination of a linear event incidence model with a hypergraph correlation of security events and the formalization of a cyber incident as a connected substructure in a fuzzy hypergraph.
Keywords: cyber defense, SIEM, cyber incident, fuzzy hypergraph, event correlation, event incidence.