Automate Cybersecurity Data Triage by Leveraging Human Analysts' Cognitive Process

Chen Zhong, John Yen, Peng Liu, Robert F. Erbacher

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

36 Scopus citations

Abstract

Security Operation Centers rely on data triage to identify the true 'signals' in a large volume of noisy alerts and to 'connect the dots' so that higher-level questions about attack activity can be answered. This work aims to generate data triage automatons automatically and directly from cybersecurity analysts' operation traces. Existing methods for generating data triage automatons, including Security Information and Event Management systems (SIEMs), require event correlation rules to be written by dedicated manual effort from expert analysts. To reduce analysts' workload, we propose to 'mine' data triage rules from cybersecurity analysts' operation traces and to use these rules to construct data triage automatons. Our approach may make the cost of data triage automaton generation orders of magnitude smaller. We have designed and implemented the new system and evaluated it through a human-in-the-loop case study. The case study shows that our system can take the analysts' operation traces as input and automatically generate a corresponding state machine for data triage. The operation traces were collected in our previous lab experiment, in which 29 professional cybersecurity analysts were recruited to analyze a set of IDS alerts and firewall logs. False positive and false negative rates were calculated to evaluate the performance of the data triage state machine by comparing its output with the ground truth.

Original language: English (US)
Title of host publication: Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
Editors: Meikang Qiu
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 357-363
Number of pages: 7
ISBN (Electronic): 9781509024025
State: Published - Jun 30 2016
Event: 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016 - New York, United States
Duration: Apr 9 2016 - Apr 10 2016

Publication series

Name: Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016

Other

Other: 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
Country/Territory: United States
City: New York
Period: 4/9/16 - 4/10/16

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems and Management
