Learning from experts' experience: Toward automated cyber security data triage

Chen Zhong; John Yen; Peng Liu; Robert F. Erbacher

doi:10.1109/JSYST.2018.2828832

Learning from experts' experience: Toward automated cyber security data triage

Chen Zhong, John Yen, Peng Liu, Robert F. Erbacher

Research output: Contribution to journal › Article

Abstract

Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.

Original language	English (US)
Article number	8360965
Pages (from-to)	603-614
Number of pages	12
Journal	IEEE Systems Journal
Volume	13
Issue number	1
DOIs	https://doi.org/10.1109/JSYST.2018.2828832
State	Published - Mar 2019

Fingerprint

Finite automata

Processing

All Science Journal Classification (ASJC) codes

Control and Systems Engineering
Information Systems
Computer Science Applications
Computer Networks and Communications
Electrical and Electronic Engineering

Cite this

Zhong, C., Yen, J., Liu, P., & Erbacher, R. F. (2019). Learning from experts' experience: Toward automated cyber security data triage. IEEE Systems Journal, 13(1), 603-614. [8360965]. https://doi.org/10.1109/JSYST.2018.2828832

Zhong, Chen ; Yen, John ; Liu, Peng ; Erbacher, Robert F. / Learning from experts' experience : Toward automated cyber security data triage. In: IEEE Systems Journal. 2019 ; Vol. 13, No. 1. pp. 603-614.

@article{d5053b06a6054016b1f72a4f1de67ab7,

title = "Learning from experts' experience: Toward automated cyber security data triage",

abstract = "Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.",

author = "Chen Zhong and John Yen and Peng Liu and Erbacher, {Robert F.}",

year = "2019",

month = "3",

doi = "10.1109/JSYST.2018.2828832",

language = "English (US)",

volume = "13",

pages = "603--614",

journal = "IEEE Systems Journal",

issn = "1932-8184",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "1",

}

Zhong, C, Yen, J , Liu, P & Erbacher, RF 2019, 'Learning from experts' experience: Toward automated cyber security data triage', IEEE Systems Journal, vol. 13, no. 1, 8360965, pp. 603-614. https://doi.org/10.1109/JSYST.2018.2828832

Learning from experts' experience : Toward automated cyber security data triage. / Zhong, Chen; Yen, John ; Liu, Peng; Erbacher, Robert F.

In: IEEE Systems Journal, Vol. 13, No. 1, 8360965, 03.2019, p. 603-614.

Research output: Contribution to journal › Article

TY - JOUR

T1 - Learning from experts' experience

T2 - Toward automated cyber security data triage

AU - Zhong, Chen

AU - Yen, John

AU - Liu, Peng

AU - Erbacher, Robert F.

PY - 2019/3

Y1 - 2019/3

N2 - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.

AB - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.

UR - http://www.scopus.com/inward/record.url?scp=85047182175&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85047182175&partnerID=8YFLogxK

U2 - 10.1109/JSYST.2018.2828832

DO - 10.1109/JSYST.2018.2828832

M3 - Article

AN - SCOPUS:85047182175

VL - 13

SP - 603

EP - 614

JO - IEEE Systems Journal

JF - IEEE Systems Journal

SN - 1932-8184

IS - 1

M1 - 8360965

ER -

Zhong C, Yen J , Liu P, Erbacher RF. Learning from experts' experience: Toward automated cyber security data triage. IEEE Systems Journal. 2019 Mar;13(1):603-614. 8360965. https://doi.org/10.1109/JSYST.2018.2828832

Access to Document

10.1109/JSYST.2018.2828832