A cyber security data triage operation retrieval system

Chen Zhong, Tao Lin, Peng Liu, John Yen, Kai Chen

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Data triage is a fundamental stage of cyber defense analysis for achieving cyber situational awareness in a Security Operations Center (SOC). It has a high requirement for cyber security analysts’ capabilities of information processing and expertise in cyber defense. However, the present situation is that most novice analysts who are responsible for performing data triage tasks suffer a great deal from the complexity and intensity of their tasks. To fill the gap, we propose to provide novice analysts with on-the-job suggestions by presenting the relevant data triage operations conducted by senior analysts in previous tasks. In a previous study, a tracing method has been developed to track an analyst's data triage operations. This paper mainly presents a data triage operation retrieval system that (1) models the context of a data triage analytic process, (2) uses a centroid similarity matching method to compare contexts, and (3) presents the matched traces to the novice analysts as suggestions. We have implemented and evaluated the performance of the system through both automated testing and human evaluation. The results show that the proposed retrieval system can effectively identify the relevant traces based on an analyst's current analytic process.

Original language: English (US)
Pages (from-to): 12-31
Number of pages: 20
Journal: Computers and Security
Volume: 76
DOI: 10.1016/j.cose.2018.02.011
State: Published - Jul 2018

All Science Journal Classification (ASJC) codes

- Computer Science (all)
- Law

Cite this

Zhong, Chen ; Lin, Tao ; Liu, Peng ; Yen, John ; Chen, Kai. / A cyber security data triage operation retrieval system. In: Computers and Security. 2018 ; Vol. 76. pp. 12-31.
@article{6ba59c72d610449e8cf6c827686ddab9,
title = "A cyber security data triage operation retrieval system",
author = "Chen Zhong and Tao Lin and Peng Liu and John Yen and Kai Chen",
year = "2018",
month = "7",
doi = "10.1016/j.cose.2018.02.011",
language = "English (US)",
volume = "76",
pages = "12--31",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
}

A cyber security data triage operation retrieval system. / Zhong, Chen; Lin, Tao; Liu, Peng; Yen, John; Chen, Kai.

In: Computers and Security, Vol. 76, 07.2018, p. 12-31.


TY  - JOUR
T1  - A cyber security data triage operation retrieval system
AU  - Zhong, Chen
AU  - Lin, Tao
AU  - Liu, Peng
AU  - Yen, John
AU  - Chen, Kai
PY  - 2018/7
Y1  - 2018/7

UR  - http://www.scopus.com/inward/record.url?scp=85046006241&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85046006241&partnerID=8YFLogxK
U2  - 10.1016/j.cose.2018.02.011
DO  - 10.1016/j.cose.2018.02.011
M3  - Article
AN  - SCOPUS:85046006241
VL  - 76
SP  - 12
EP  - 31
JO  - Computers and Security
JF  - Computers and Security
SN  - 0167-4048
ER  -