Automate Cybersecurity Data Triage by Leveraging Human Analysts' Cognitive Process

Chen Zhong, John Yen, Peng Liu, Robert F. Erbacher

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

Security Operations Centers rely on data triage to identify the true 'signals' in a large volume of noisy alerts and to 'connect the dots' to answer higher-level questions about the attack activities. This work aims to generate data triage automata directly from cybersecurity analysts' operation traces. Existing methods for generating data triage automata, including Security Information and Event Management (SIEM) systems, require event correlation rules to be written through dedicated manual effort by expert analysts. To reduce analysts' workload, we propose to 'mine' data triage rules from cybersecurity analysts' operation traces and to use these rules to construct data triage automata. Our approach may make the cost of data triage automaton generation orders of magnitude smaller. We have designed and implemented the new system and evaluated it through a human-in-the-loop case study. The case study shows that our system can take the analysts' operation traces as input and automatically generate a corresponding state machine for data triage. The operation traces were collected in our previous lab experiment, in which 29 professional cybersecurity analysts were recruited to analyze a set of IDS alerts and firewall logs. False positive and false negative rates were calculated against the ground truth to evaluate the performance of the data triage state machine.
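The pipeline the abstract outlines (operation traces in, mined triage rules, a triage state machine, false positive and false negative rates against ground truth), as an added toy example for this page rather than the authors' system: the paper's actual trace format, mining algorithm and automaton construction are not reproduced on this page, so the alert fields, the (field, value) trace encoding, the support threshold and the chain-shaped automaton are all assumptions, and the alerts, traces and ground truth are constructed.

```python
"""Toy pipeline: analyst operation traces -> mined triage rules -> triage
state machine -> false-positive / false-negative rates against ground truth.

Constructed illustration for this page; it is NOT the system described in
Zhong et al. (2016). The alert fields, the trace format, the support
threshold and the chain-shaped automaton are all assumptions."""
from collections import Counter

# Constructed IDS alert records (field names are an assumption).
ALERTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "172.16.0.10", "dport": 445, "sig": "SMB exploit attempt"},
    {"id": 2, "src": "10.0.0.7", "dst": "172.16.0.20", "dport": 80, "sig": "HTTP GET"},
    {"id": 3, "src": "10.0.0.5", "dst": "172.16.0.10", "dport": 445, "sig": "SMB null session"},
    {"id": 4, "src": "10.0.0.9", "dst": "172.16.0.30", "dport": 445, "sig": "SMB exploit attempt"},
    {"id": 5, "src": "10.0.0.5", "dst": "172.16.0.10", "dport": 22, "sig": "SSH brute force"},
    {"id": 6, "src": "10.0.0.11", "dst": "172.16.0.10", "dport": 445, "sig": "SMB share access"},
]
# Constructed ground truth: ids of the alerts that belong to the real intrusion.
GROUND_TRUTH = {1, 3, 5}

# Constructed operation traces: for each analyst, the ordered (field, value)
# filters they applied before escalating whatever remained.
TRACES = [
    [("dport", 445), ("sig", "SMB exploit attempt")],
    [("dst", "172.16.0.10"), ("dport", 445)],
    [("dport", 445), ("dst", "172.16.0.10")],
]

MIN_SUPPORT = 0.5  # assumed threshold: keep filters used by >= half the analysts


def mine_rules(traces, min_support=MIN_SUPPORT):
    """Return the filter conditions shared by at least min_support of the
    traces, ordered by the average position at which analysts applied them."""
    support = Counter()
    positions = {}
    for trace in traces:
        # dict.fromkeys de-duplicates repeated filters while keeping their order
        for pos, op in enumerate(dict.fromkeys(trace)):
            support[op] += 1
            positions.setdefault(op, []).append(pos)
    rules = [op for op, n in support.items() if n / len(traces) >= min_support]
    rules.sort(key=lambda op: (sum(positions[op]) / len(positions[op]), str(op)))
    return rules


def build_automaton(rules):
    """Chain the mined conditions into a deterministic state machine.
    State k tests rules[k]; a match advances to k+1, a mismatch goes to the
    'discard' sink; state len(rules) is the accepting 'escalate' state."""
    transitions = {k: {"field": f, "value": v, "next": k + 1}
                   for k, (f, v) in enumerate(rules)}
    return {"transitions": transitions, "accept": len(rules)}


def run_automaton(automaton, alert):
    """Feed one alert through the machine; returns 'escalate' or 'discard'."""
    state = 0
    while state != automaton["accept"]:
        t = automaton["transitions"][state]
        if alert.get(t["field"]) != t["value"]:
            return "discard"
        state = t["next"]
    return "escalate"


def evaluate(automaton, alerts, ground_truth):
    """Confusion counts plus FP and FN rates of the automaton vs ground truth."""
    tp = tn = fp = fn = 0
    for alert in alerts:
        flagged = run_automaton(automaton, alert) == "escalate"
        malicious = alert["id"] in ground_truth
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    fpr = fp / (fp + tn) if fp + tn else 0.0
    fnr = fn / (fn + tp) if fn + tp else 0.0
    return {"tp": tp, "tn": tn, "fp": fp, "fn": fn, "fpr": fpr, "fnr": fnr}


if __name__ == "__main__":
    rules = mine_rules(TRACES)
    automaton = build_automaton(rules)
    print("mined rules:", rules)
    for alert in ALERTS:
        print(alert["id"], run_automaton(automaton, alert))
    print(evaluate(automaton, ALERTS, GROUND_TRUTH))
```

On the constructed data the mined chain is dport 445 then dst 172.16.0.10. Alert 4 shows why the second mined condition matters: it hits port 445 on a host the analysts never filtered to, so it is discarded rather than escalated. Alert 6 is the false positive a mined rule set cannot avoid when the analysts' filters were not specific enough, and alert 5 is the false negative that matters most in practice: a mined automaton only knows the fields the analysts actually filtered on, so it inherits their blind spots, which is why the abstract reports the false negative rate alongside the false positive rate rather than just precision.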

Original language: English (US)
Title of host publication: Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
Editors: Meikang Qiu
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 357-363
Number of pages: 7
ISBN (Electronic): 9781509024025
DOIs: https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2016.41
State: Published - Jun 30 2016
Event: 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016 - New York, United States
Duration: Apr 9 2016 to Apr 10 2016

Publication series

Name: Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016

Other

Other: 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016
Country: United States
City: New York
Period: 4/9/16 to 4/10/16

Fingerprint

  • Costs
  • Experiments
  • Analysts
  • Cognitive processes
  • Automata
  • Firewall
  • Workload
  • Event management
  • Information management
  • Lab experiment
  • Management system
  • Intrusion detection system
  • Attack

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems and Management

Cite this

Zhong, C., Yen, J., Liu, P., & Erbacher, R. F. (2016). Automate Cybersecurity Data Triage by Leveraging Human Analysts' Cognitive Process. In M. Qiu (Ed.), Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016 (pp. 357-363). [7502316] (Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/BigDataSecurity-HPSC-IDS.2016.41
@inproceedings{0587921309cc4d598d69477ff7c275ed,
title = "Automate Cybersecurity Data Triage by Leveraging Human Analysts' Cognitive Process",
abstract = "Security Operation Centers rely on data triage to identify the true 'signals' from a large volume of noisy alerts and 'connect the dots' to answer certain higher-level questions about the attack activities. This work aims to automatically generate data triage automatons directly from cybersecurity analysts' operation traces. Existing methods for generating data triage automatons, including Security Information and Event Management systems (SIEMs), require event correlation rules to be generated by dedicated manual effort from expert analysts. To save analysts' workloads, we propose to 'mine' data triage rules out of cybersecurity analysts' operation traces and to use these rules to construct data triage automatons. Our approach may make the cost (of data triage automaton generation) orders of magnitudes smaller. We have designed and implemented the new system and evaluated it through a human-in-the-loop case study. The case study shows that our system can use the analysts' operation traces as input and automatically generate a corresponding state machine for data triage. The operation traces were collected in our previous lab experiment. 29 professional cybersecurity analysts were recruited to analyze a set of IDS alerts and firewall logs. False positive and false negative rates were calculated to evaluate the performance of the data triage state machine by comparing with the ground truth.",
author = "Chen Zhong and John Yen and Peng Liu and Erbacher, {Robert F.}",
year = "2016",
month = "6",
day = "30",
doi = "10.1109/BigDataSecurity-HPSC-IDS.2016.41",
language = "English (US)",
series = "Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "357--363",
editor = "Meikang Qiu",
booktitle = "Proceedings - 2nd IEEE International Conference on Big Data Security on Cloud, IEEE BigDataSecurity 2016, 2nd IEEE International Conference on High Performance and Smart Computing, IEEE HPSC 2016 and IEEE International Conference on Intelligent Data and Security, IEEE IDS 2016",
address = "United States",

}

Scopus record: SCOPUS:84979730366 (http://www.scopus.com/inward/record.url?scp=84979730366&partnerID=8YFLogxK)