TY - GEN
T1 - Automate Cybersecurity Data Triage by Leveraging Human Analysts' Cognitive Process
AU - Zhong, Chen
AU - Yen, John
AU - Liu, Peng
AU - Erbacher, Robert F.
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2016/6/30
Y1 - 2016/6/30
N2 - Security Operation Centers rely on data triage to identify the true 'signals' from a large volume of noisy alerts and 'connect the dots' to answer certain higher-level questions about the attack activities. This work aims to automatically generate data triage automatons directly from cybersecurity analysts' operation traces. Existing methods for generating data triage automatons, including Security Information and Event Management systems (SIEMs), require event correlation rules to be generated by dedicated manual effort from expert analysts. To reduce analysts' workloads, we propose to 'mine' data triage rules out of cybersecurity analysts' operation traces and to use these rules to construct data triage automatons. Our approach may make the cost (of data triage automaton generation) orders of magnitude smaller. We have designed and implemented the new system and evaluated it through a human-in-the-loop case study. The case study shows that our system can use the analysts' operation traces as input and automatically generate a corresponding state machine for data triage. The operation traces were collected in our previous lab experiment, in which 29 professional cybersecurity analysts were recruited to analyze a set of IDS alerts and firewall logs. False positive and false negative rates were calculated to evaluate the performance of the data triage state machine by comparing with the ground truth.
AB - Security Operation Centers rely on data triage to identify the true 'signals' from a large volume of noisy alerts and 'connect the dots' to answer certain higher-level questions about the attack activities. This work aims to automatically generate data triage automatons directly from cybersecurity analysts' operation traces. Existing methods for generating data triage automatons, including Security Information and Event Management systems (SIEMs), require event correlation rules to be generated by dedicated manual effort from expert analysts. To reduce analysts' workloads, we propose to 'mine' data triage rules out of cybersecurity analysts' operation traces and to use these rules to construct data triage automatons. Our approach may make the cost (of data triage automaton generation) orders of magnitude smaller. We have designed and implemented the new system and evaluated it through a human-in-the-loop case study. The case study shows that our system can use the analysts' operation traces as input and automatically generate a corresponding state machine for data triage. The operation traces were collected in our previous lab experiment, in which 29 professional cybersecurity analysts were recruited to analyze a set of IDS alerts and firewall logs. False positive and false negative rates were calculated to evaluate the performance of the data triage state machine by comparing with the ground truth.
UR - http://www.scopus.com/inward/record.url?scp=84979730366&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84979730366&partnerID=8YFLogxK
U2 - 10.1109/BigDataSecurity-HPSC-IDS.2016.41
DO - 10.1109/BigDataSecurity-HPSC-IDS.2016.41
M3 - Conference contribution
AN - SCOPUS:84979730366
T3 - Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
SP - 357
EP - 363
BT - Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
A2 - Qiu, Meikang
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
Y2 - 9 April 2016 through 10 April 2016
ER -