In industrial installations, for example automation installations for producing economic goods, installations for generating power, or power distribution systems, computation apparatuses such as what are known as field devices or other control devices are connected to one another by a communication network. This communication network is used to interchange measurement and control data between the computation apparatuses or to distribute control or administration messages from a superordinate control level to the individual computation apparatuses. Security event management and security information management systems are used to centrally store and manage the security log data that arise in distributed computer infrastructures of this kind as well. Analysis of these data identifies security-relevant events and reports them to a monitoring center.
Typical examples of security-relevant events of this kind are failed login attempts, connections by a computer to “malicious” or “suspicious” websites, network scans originating from a computation apparatus, and the like. So that a human analyst, for example installation monitoring personnel, can react to the reported events in the right way, categorization into innocent or malicious events is necessary. Although typical security event management and security information management systems frequently implement algorithms for such categorization, an unambiguous classification solely on the basis of the available data is not possible in many cases. In other cases, innocent events are erroneously classified as malicious or vice versa, producing what are known as “false positive” or “false negative” events.
In cases in which an unambiguous classification is not possible, time-consuming follow-up examinations, such as a manual forensic examination of the relevant computation apparatus, are necessary. These typically cannot take place in the security event and security information management system itself and sometimes require particular specialist knowledge.
If an unambiguous association of a security-relevant event with a danger category is not possible, one of three things generally happens at present: categorization of the security event is dispensed with entirely; unclassifiable events are suppressed, which is also called underreporting; or an indistinct categorization by a rating system, for example low, medium or high relevance, is performed. Nonexplicit classification of this kind frequently arises because there is not sufficient information to analyze the security-relevant event more accurately.
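The categorization behaviour described above, as an added illustrative example that is not part of the original text: a minimal categorizer assigns an explicit category (innocent or malicious) only where the available data allow it, falls back to a coarse relevance rating (low, medium or high) where they do not, and flags events that need a manual follow-up examination instead of silently suppressing them. The event types, device names, host lists, thresholds and sample events are all constructed for the example and are not real indicators or values from any product.

```python
"""Added illustrative example (not from the original text): a minimal SIEM-style
categorizer. It assigns an explicit category where the data suffice, falls back to
a relevance rating where they do not, and builds an analyst worklist of events that
need manual follow-up. All hosts, devices, thresholds and events are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed lists; placeholders, not real indicators.
SUSPICIOUS_HOSTS = {"malicious.example", "suspicious.example"}
APPROVED_HOSTS = {"historian.plant.example", "update.vendor.example"}
AUTHORIZED_SCANNERS = {"vuln-scanner-01"}
# Constructed thresholds for failed logins within one aggregation window.
FAILED_LOGIN_INNOCENT_MAX = 3
FAILED_LOGIN_MALICIOUS_MIN = 50
RELEVANCE_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Event:
    device: str
    kind: str                   # "login_failed", "connection" or "port_scan"
    count: int = 1              # occurrences in the aggregation window
    dest: Optional[str] = None  # destination host for "connection" events


@dataclass(frozen=True)
class Verdict:
    device: str
    category: str    # "innocent", "malicious" or "unclassified"
    relevance: str   # "low", "medium" or "high"
    follow_up: bool  # manual forensic examination recommended


def categorize(ev: Event) -> Verdict:
    """Explicit category where the data suffice, otherwise a relevance rating."""
    if ev.kind == "login_failed":
        if ev.count <= FAILED_LOGIN_INNOCENT_MAX:
            return Verdict(ev.device, "innocent", "low", False)
        if ev.count >= FAILED_LOGIN_MALICIOUS_MIN:
            return Verdict(ev.device, "malicious", "high", True)
        # Grey zone: too many for a typo, too few for a brute-force signature.
        return Verdict(ev.device, "unclassified", "medium", True)
    if ev.kind == "connection":
        if ev.dest in SUSPICIOUS_HOSTS:
            return Verdict(ev.device, "malicious", "high", True)
        if ev.dest in APPROVED_HOSTS:
            return Verdict(ev.device, "innocent", "low", False)
        # Unknown destination: no basis for an explicit decision.
        return Verdict(ev.device, "unclassified", "low", False)
    if ev.kind == "port_scan":
        if ev.device in AUTHORIZED_SCANNERS:
            return Verdict(ev.device, "innocent", "low", False)
        return Verdict(ev.device, "malicious", "high", True)
    # Unknown event type: surface it rather than dropping it (underreporting).
    return Verdict(ev.device, "unclassified", "medium", True)


def summarize(events: List[Event]) -> dict:
    """Count verdicts per category and build the analyst's follow-up worklist."""
    verdicts = [categorize(e) for e in events]
    counts = {"innocent": 0, "malicious": 0, "unclassified": 0}
    for v in verdicts:
        counts[v.category] += 1
    # Highest relevance first; sorted() is stable, so arrival order is kept within a tier.
    worklist = sorted((v for v in verdicts if v.follow_up),
                      key=lambda v: RELEVANCE_ORDER[v.relevance])
    return {"counts": counts, "worklist": worklist}


# Constructed sample events for one aggregation window.
SAMPLE_EVENTS = [
    Event("plc-07", "login_failed", count=2),
    Event("hmi-02", "login_failed", count=12),
    Event("plc-03", "login_failed", count=120),
    Event("rtu-11", "connection", dest="historian.plant.example"),
    Event("rtu-11", "connection", dest="suspicious.example"),
    Event("rtu-12", "connection", dest="cdn.unknown.example"),
    Event("vuln-scanner-01", "port_scan"),
    Event("plc-07", "port_scan"),
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(result["counts"])
    for v in result["worklist"]:
        print(f"{v.relevance:6} {v.category:12} {v.device}")
```

Run as a script, the block prints the per-category counts and then the worklist, with the three high-relevance events ahead of the medium-relevance grey-zone login case. The design point is that the "unclassified" outcome is kept as a first-class result with its own relevance rating, so that the events the system cannot decide are neither mislabelled nor lost.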