Learning from experts' experience

Toward automated cyber security data triage

Chen Zhong, John Yen, Peng Liu, Robert F. Erbacher

Research output: Contribution to journal › Article

Abstract

Security operations centers (SOCs) employ various cyber defense measures to monitor network events. Apart from these measures, SOCs also have to rely on human analysts to make sense of the collected data for incident detection and response. However, with network data collected and accumulating at a rapid pace, analysts are usually overwhelmed by tedious and repetitive data triage tasks and can hardly concentrate on the in-depth analysis needed to produce timely, high-quality incident reports. This paper aims to reduce analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful data triage patterns from the operation traces. Finite state machines can then be constructed from these rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed from the traces, and then both the effectiveness of constructing state machines and the performance of the state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to finish processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
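The abstract describes the pipeline at a high level: capture an analyst's operations, mine a pattern from the trace, compile it into a finite state machine, run the machine over the event stream, and compare what it flags against ground truth. The following Python block is an added illustration of that idea, not the authors' code or their graph-based trace-mining algorithm. It assumes the simplest possible mined pattern (a linear chain of filters the analyst applied in order), a hypothetical per-source-IP state machine built from that chain, constructed sample events and a constructed label set; the field names, event values and the false positive rate computation are all assumptions made for the example.

```python
"""Added example: a linear triage finite state machine built from an
analyst's filtering steps and run over time-ordered network events.
Everything here (pattern, field names, sample events, labels) is
constructed for illustration and is not taken from the paper."""

from dataclasses import dataclass, field

# Hypothetical analyst operation trace reduced to the filter each step
# applied: first firewall denies, then an IDS alert on the same source,
# then a successful outbound connection from that source.
ANALYST_TRACE = [
    {"type": "firewall", "action": "deny"},
    {"type": "ids"},
    {"type": "firewall", "action": "allow", "direction": "out"},
]


@dataclass
class TriageFSM:
    """States 0..n, one transition per mined step; an entity that reaches
    state n is flagged for analyst review."""
    steps: list                                  # field->value dicts
    state: dict = field(default_factory=dict)    # entity -> current state

    def _matches(self, event, step):
        return all(event.get(k) == v for k, v in step.items())

    def feed(self, entity, event):
        """Advance `entity` one state if the event matches its next step.
        Events that do not match leave the entity where it is."""
        cur = self.state.get(entity, 0)
        if cur < len(self.steps) and self._matches(event, self.steps[cur]):
            self.state[entity] = cur + 1
        return self.state.get(entity, 0)

    def flagged(self):
        return {e for e, s in self.state.items() if s == len(self.steps)}


def build_fsm_from_trace(trace):
    """One state per filter step, in the order the analyst applied them."""
    return TriageFSM(steps=list(trace))


def run_triage(fsm, events, key="src"):
    """Drive the machine with events in time order, keyed by source."""
    for ev in events:
        fsm.feed(ev[key], ev)
    return fsm.flagged()


def evaluate(flagged, entities, malicious):
    """Confusion counts and false positive rate against a label set."""
    tp = len(flagged & malicious)
    fp = len(flagged - malicious)
    fn = len(malicious - flagged)
    tn = len(entities - flagged - malicious)
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "fpr": fpr}


# Constructed, time-ordered sample events (not real logs).
SAMPLE_EVENTS = [
    {"t": 1, "src": "10.0.0.5", "type": "firewall", "action": "deny", "direction": "in"},
    {"t": 2, "src": "10.0.0.5", "type": "ids", "sig": "scan"},
    {"t": 3, "src": "10.0.0.5", "type": "firewall", "action": "allow", "direction": "out"},
    {"t": 4, "src": "10.0.0.7", "type": "firewall", "action": "deny", "direction": "in"},
    {"t": 5, "src": "10.0.0.7", "type": "firewall", "action": "allow", "direction": "out"},
    {"t": 6, "src": "10.0.0.9", "type": "ids", "sig": "scan"},      # alert before deny
    {"t": 7, "src": "10.0.0.9", "type": "firewall", "action": "deny", "direction": "in"},
    {"t": 8, "src": "10.0.0.9", "type": "firewall", "action": "allow", "direction": "out"},
    {"t": 9, "src": "10.0.0.11", "type": "firewall", "action": "deny", "direction": "in"},
    {"t": 10, "src": "10.0.0.11", "type": "ids", "sig": "scan"},
    {"t": 11, "src": "10.0.0.11", "type": "firewall", "action": "allow", "direction": "out"},
]
GROUND_TRUTH = {"10.0.0.5"}   # constructed label set: only one true incident


def demo():
    fsm = build_fsm_from_trace(ANALYST_TRACE)
    flagged = run_triage(fsm, SAMPLE_EVENTS)
    entities = {ev["src"] for ev in SAMPLE_EVENTS}
    return flagged, evaluate(flagged, entities, GROUND_TRUTH)


if __name__ == "__main__":
    print(demo())
```

Two things the sample is built to show: 10.0.0.7 and 10.0.0.9 are not flagged because the machine only advances on the next step in the mined order (10.0.0.7 never produced an IDS alert; 10.0.0.9 alerted before it was denied), while 10.0.0.11 matches the full chain but is not in the label set, so it counts as a false positive. With one true positive, one false positive and two true negatives the false positive rate is 1/3; in practice the rate is what you tune the mined pattern against, and a linear chain like this one is the least expressive machine you would accept.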

Original language: English (US)
Article number: 8360965
Pages (from-to): 603-614
Number of pages: 12
Journal: IEEE Systems Journal
Volume: 13
Issue number: 1
DOIs: 10.1109/JSYST.2018.2828832
State: Published - Mar 1 2019

All Science Journal Classification (ASJC) codes

  • Control and Systems Engineering
  • Electrical and Electronic Engineering

Cite this

@article{d5053b06a6054016b1f72a4f1de67ab7,
title = "Learning from experts' experience: Toward automated cyber security data triage",
author = "Chen Zhong and John Yen and Peng Liu and Erbacher, {Robert F.}",
year = "2019",
month = "3",
day = "1",
doi = "10.1109/JSYST.2018.2828832",
language = "English (US)",
volume = "13",
pages = "603--614",
journal = "IEEE Systems Journal",
issn = "1932-8184",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "1",

}

Learning from experts' experience: Toward automated cyber security data triage. / Zhong, Chen; Yen, John; Liu, Peng; Erbacher, Robert F.

In: IEEE Systems Journal, Vol. 13, No. 1, 8360965, 01.03.2019, p. 603-614.

TY - JOUR

T1 - Learning from experts' experience

T2 - Toward automated cyber security data triage

AU - Zhong, Chen

AU - Yen, John

AU - Liu, Peng

AU - Erbacher, Robert F.

PY - 2019/3/1

Y1 - 2019/3/1

UR - http://www.scopus.com/inward/record.url?scp=85047182175&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85047182175&partnerID=8YFLogxK

U2 - 10.1109/JSYST.2018.2828832

DO - 10.1109/JSYST.2018.2828832

M3 - Article

VL - 13

SP - 603

EP - 614

JO - IEEE Systems Journal

JF - IEEE Systems Journal

SN - 1932-8184

IS - 1

M1 - 8360965

ER -