Learning from experts' experience: Toward automated cyber security data triage

Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.