Enhancing cybersecurity and operational monitoring with alert confidence assignments
US-2020057850-A1 · Feb 20, 2020 · US
US2021081539A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021081539-A1 |
| Application number | US-201916570970-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 13, 2019 |
| Priority date | Sep 13, 2019 |
| Publication date | Mar 18, 2021 |
| Grant date | — |
Official abstract text for this publication.
Methods, systems, and apparatuses are provided for inferring security incidents from observational data. For example, alerts generated with respect to a set of entities by a first alert generator are received, association scores are calculated for pairs of alerts, the alerts are formed into clusters based on the association scores, and a security incident model is formed based on the clusters. The security incident model may define sequences of alerts corresponding to security incidents. Furthermore, the security incident model may be used to determine a match between additional alerts and a sequence of alerts in the security incident model and identify the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model.
Opening claim text (preview).
What is claimed is:

1. A computing device, comprising: one or more processors; and one or more memory devices that store executable computer program logic for execution by the one or more processors, the executable computer program logic comprising: an alert association determiner configured to receive alerts generated with respect to a set of entities by a first alert generator, and calculate association scores for pairs of the alerts; a community identifier configured to cluster the alerts into clusters based on the association scores; and a security incident model generator configured to form a security incident model, based on the clusters, that defines sequences of alerts corresponding to security incidents.

2. The computing device of claim 1, wherein the alert association determiner is configured to: generate an alert association graph indicating the alerts as nodes and the association scores as edges between corresponding pairs of alerts; and filter the alert association graph by removing edges between corresponding pairs of alerts from the alert association graph having co-occurrence scores below a first threshold; and wherein the community identifier is configured to cluster the alerts into the clusters based on the filtered alert association graph.

3. The computing device of claim 2, wherein the alert association determiner, to filter the alert association graph, is further configured to: unite first and second nodes in the alert association graph if an edge between the first and second nodes has a co-occurrence score above a second threshold.

4. The computing device of claim 1, wherein the security incident model generator is configured to, for each cluster of the clusters, determine dependencies between alerts of the cluster, and orient the alerts of the cluster based on the dependencies to generate a model portion corresponding to the cluster; and wherein the security incident model generator is further configured to aggregate the model portions to form the security incident model.

5. The computing device of claim 4, wherein the security incident model generator is configured to: determine the dependency between alerts of a cluster based on a conditional independence property.

6. The computing device of claim 4, wherein the security incident model generator, to orient the alerts of the cluster, is configured to: orient the alerts of the cluster based on at least one of kill-chain position information, temporal relation information between alerts, or a collider.

7. The computing device of claim 1, further comprising an alert incident identifier configured to: receive a set of additional alerts from a second alert generator; determine a match between the additional alerts and a sequence of alerts in the security incident model; identify the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model; and provide a notification of the security incident to the second alert generator.

8. A method, comprising: receiving alerts generated with respect to a set of entities by a first alert generator; calculating association scores for pairs of the alerts; clustering the alerts into clusters based on the association scores; and forming a security incident model, based on the clusters, that defines sequences of alerts corresponding to security incidents.

9. The method of claim 8, further comprising: generating an alert association graph indicating the alerts as nodes and the association scores as edges between corresponding pairs of alerts; filtering the alert association graph by removing edges between corresponding pairs of alerts from the alert association graph having co-occurrence scores below a first threshold; and clustering the alerts into the clusters based on the filtered alert association graph.

10. The method of claim 9, further comprising: uniting first and second nodes in the alert association graph if an edge between the first and second nodes has a co-occurrence score above a second threshold.

11. The method of claim 8, further comprising: for each cluster of the clusters, determining dependencies between alerts of the cluster, and orienting the alerts of the cluster based on the dependencies to generate a model portion corresponding to the cluster; and aggregating the model portions to form the security incident model.

12. The method of claim 11, further comprising: determining the dependency between alerts of a cluster based on a conditional independence property.

13. The method of claim 11, wherein orienting the alerts of the cluster comprises orienting the alerts of the cluster based on at least one of kill-chain position information, temporal relation information between alerts, or a collider.

14. The method of claim 8, further comprising: receiving a set of additional alerts from a second alert generator; determining a match between the additional alerts and a sequence of alerts in the security incident model; identifying the additional alerts as a security incident corresponding to the sequence of alerts in the security incident model; and providing a notification of the security incident to the second alert generator.

15. A computer-readable storage medium having program instructions recorded thereon that, when executed by at least one processing circuit of a computing device, perform a method, comprising: receiving alerts generated with respect to a set of entities by a first alert generator; calculating association scores for pairs of the alerts; clustering the alerts into clusters based on the association scores; and forming a security incident model, based on the clusters, that defines sequences of alerts corresponding to security incidents.

16. The computer-readable storage medium of claim 15, wherein the method further comprises: generating an alert association graph indicating the alerts as nodes and the association scores as edges between corresponding pairs of alerts; filtering the alert association graph by removing edges between corresponding pairs of alerts from the alert association graph having co-occurrence scores below a first threshold; and clustering the alerts into the clusters based on the filtered alert association graph.

17. The computer-readable storage medium of claim 15, further comprising: for each cluster of the clusters, determining dependencies between alerts of the cluster, and orienting the alerts of the cluster based on the dependencies to generate a model portion corresponding to the cluster; and aggregating the model portions to form the security incident model.

18. The computer-readable storage medium of claim 17, further comprising: determining the dependency between alerts of a cluster based on a conditional independence property.

19. The computer-readable storage medium of claim 17, wherein orienting the alerts of the cluster comprises orienting the alerts of the cluster based on at least one of kill-chain position information, temporal relation information between alerts, or a collider.

20. The computer-readable storage medium of claim 15, further comprising: receiving a set of additional alerts from a second alert generator; determining a match between the additional alerts and a sequence of alerts in the security incident model; identifying the additional alerts as a security incident corresponding to the sequence of alerts in th
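The abstract and claims 1 through 7 describe a pipeline (association scores for alert pairs, a thresholded alert-association graph, clustering, orienting each cluster into an alert sequence, and matching new alerts against those sequences) without fixing the scoring function, the clustering algorithm or the thresholds. The following is an added example written for this page, not code from the patent or its assignee. It assumes Jaccard overlap of entity sets as the association score, connected components as the "community" step, temporal order (one of the cues in claim 6) as the orientation rule, and a constructed alert list with invented hostnames and alert names. The node-uniting step of claim 3 and the conditional-independence test of claim 5 are not implemented.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample input (not from the patent): (entity, timestamp, alert type)
# as emitted by a hypothetical first alert generator. h1..h3 show a chain of
# related alerts; h4 and h5 carry unrelated operational noise.
ALERTS = [
    ("h1", 1, "suspicious_login"), ("h1", 2, "new_admin_account"), ("h1", 3, "lateral_movement"),
    ("h2", 5, "suspicious_login"), ("h2", 6, "new_admin_account"), ("h2", 9, "lateral_movement"),
    ("h3", 1, "suspicious_login"), ("h3", 4, "new_admin_account"),
    ("h4", 2, "av_update_failed"), ("h4", 3, "disk_full"),
    ("h5", 7, "disk_full"),
]

# Constructed alerts from a hypothetical second alert generator (claim 7).
NEW_ALERTS = [
    ("srv9", 10, "suspicious_login"), ("srv9", 11, "disk_full"),
    ("srv9", 12, "new_admin_account"), ("srv9", 20, "lateral_movement"),
    ("srv7", 3, "new_admin_account"), ("srv7", 4, "suspicious_login"),
]


def association_scores(alerts, min_support=1):
    """Association score for every pair of alert types: Jaccard overlap of the
    entity sets on which they fired (an assumed scoring choice). Pairs that
    co-occur on fewer than min_support entities score 0, so a single noisy host
    cannot manufacture an association on its own."""
    entities = defaultdict(set)
    for entity, _, kind in alerts:
        entities[kind].add(entity)
    scores = {}
    for a, b in combinations(sorted(entities), 2):
        both = len(entities[a] & entities[b])
        either = len(entities[a] | entities[b])
        scores[(a, b)] = both / either if both >= min_support else 0.0
    return scores


def filtered_graph(scores, threshold):
    """Alert-association graph (nodes = alert types, edges = scores) with edges
    below the first threshold removed, as in claim 2. Isolated nodes are kept."""
    graph = {}
    for (a, b), score in scores.items():
        graph.setdefault(a, set())
        graph.setdefault(b, set())
        if score >= threshold:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def clusters(graph):
    """Community identification, reduced here to connected components."""
    seen, found = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(graph[node] - component)
        seen |= component
        found.append(sorted(component))
    return found


def orient(cluster, alerts):
    """Order one cluster's alerts using temporal relations: for each pair, count
    the entities on which one fired before the other, and rank alert types by how
    many others they precede on a majority of entities. Ties keep the input order."""
    first_seen = defaultdict(dict)  # entity -> alert type -> earliest timestamp
    for entity, ts, kind in alerts:
        if kind in cluster:
            first_seen[entity][kind] = min(ts, first_seen[entity].get(kind, ts))
    wins = {kind: 0 for kind in cluster}
    for a, b in combinations(cluster, 2):
        timelines = [t for t in first_seen.values() if a in t and b in t]
        a_first = sum(1 for t in timelines if t[a] < t[b])
        b_first = sum(1 for t in timelines if t[b] < t[a])
        if a_first > b_first:
            wins[a] += 1
        elif b_first > a_first:
            wins[b] += 1
    return sorted(cluster, key=lambda kind: -wins[kind])


def build_model(alerts, threshold=0.5, min_support=1):
    """Security incident model: one oriented sequence per multi-alert cluster
    (the per-cluster model portions of claim 4, aggregated into a list)."""
    graph = filtered_graph(association_scores(alerts, min_support), threshold)
    return [orient(c, alerts) for c in clusters(graph) if len(c) > 1]


def match_incidents(model, new_alerts):
    """Claim 7: per entity, report every model sequence that occurs in order as a
    subsequence of that entity's time-ordered alert stream."""
    streams = defaultdict(list)
    for entity, _, kind in sorted(new_alerts, key=lambda a: a[1]):
        streams[entity].append(kind)
    incidents = {}
    for entity, stream in streams.items():
        hits = []
        for sequence in model:
            pos = 0
            for kind in stream:
                if pos < len(sequence) and kind == sequence[pos]:
                    pos += 1
            if pos == len(sequence):
                hits.append(sequence)
        if hits:
            incidents[entity] = hits
    return incidents


if __name__ == "__main__":
    model = build_model(ALERTS)
    print("incident model:", model)
    print("incidents:", match_incidents(model, NEW_ALERTS))
```

With the defaults, the two noise alerts on h4 also form a "sequence" because Jaccard overlap alone does not know that a 1-of-2 overlap rests on one host; raising `min_support` to 2 drops that pair while the three-alert chain survives. That support check, and the fact that srv7's alerts in the wrong order do not match, are the two things a detection engineer should verify before trusting sequences learned this way.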
CPC classifications:

- Monitoring arrangements determined by the means or processing involved in reporting the monitored data (error or fault reporting or logging G06F11/0766)
- involving long-term monitoring or reporting
- Assessing vulnerabilities and evaluating computer system security
- Event-based monitoring
- Event detection, e.g. attack signature detection