Abstract
Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
| Original language | English (US) |
|---|---|
| Article number | 8360965 |
| Pages (from-to) | 603-614 |
| Number of pages | 12 |
| Journal | IEEE Systems Journal |
| Volume | 13 |
| Issue number | 1 |
| DOIs | |
| State | Published - Mar 1 2019 |
Fingerprint
All Science Journal Classification (ASJC) codes
- Control and Systems Engineering
- Electrical and Electronic Engineering
Cite this
}
Learning from experts' experience : Toward automated cyber security data triage. / Zhong, Chen; Yen, John; Liu, Peng; Erbacher, Robert F.
In: IEEE Systems Journal, Vol. 13, No. 1, 8360965, 01.03.2019, p. 603-614.Research output: Contribution to journal › Article
TY - JOUR
T1 - Learning from experts' experience
T2 - Toward automated cyber security data triage
AU - Zhong, Chen
AU - Yen, John
AU - Liu, Peng
AU - Erbacher, Robert F.
PY - 2019/3/1
Y1 - 2019/3/1
N2 - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
AB - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
UR - http://www.scopus.com/inward/record.url?scp=85047182175&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85047182175&partnerID=8YFLogxK
U2 - 10.1109/JSYST.2018.2828832
DO - 10.1109/JSYST.2018.2828832
M3 - Article
VL - 13
SP - 603
EP - 614
JO - IEEE Systems Journal
JF - IEEE Systems Journal
SN - 1932-8184
IS - 1
M1 - 8360965
ER -