TY - JOUR
T1 - Learning from experts' experience
T2 - Toward automated cyber security data triage
AU - Zhong, Chen
AU - Yen, John
AU - Liu, Peng
AU - Erbacher, Robert F.
N1 - Funding Information:
Manuscript received August 29, 2017; revised March 10, 2018; accepted April 14, 2018. Date of publication May 18, 2018; date of current version February 22, 2019. This work was supported by ARO W911NF-15-1-0576, ARO W911NF-13-1-0421 (MURI), and NSF CNS-1422594. The work of C. Zhong was supported by IUK Grant-in Aid of Faculty Research and Summer Faculty Fellowship. (Corresponding author: Chen Zhong.) C. Zhong is with the Indiana University Kokomo, Kokomo, IN 46902 USA (e-mail:,chzhong@iuk.edu).
Publisher Copyright:
© 2018 IEEE
PY - 2019/3
Y1 - 2019/3
N2 - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
AB - Security operations centers (SOCs) employ various cyber defend measures to monitor network events. Apart from these measures, SOCs also have to resort to human analysts to make sense of the collected data for incident detection and response. However, with the oncoming network data collected and accumulated at a rapid speed, analysts are usually overwhelmed by tedious and repeated data triage tasks so that they can hardly concentrate on in-depth analysis to create timely and quality incident reports. This paper aims to reduce the analysts' workloads by developing data triage automatons. We have developed a computer-aided tracing method for capturing analysts' operations while they are performing a task. This paper proposes a graph-based trace mining approach for constructing useful patterns for data triage from the operation traces. Finite state machines can be constructed based on the rules to automate data triage. A human-in-the-loop case study is conducted to evaluate our approach, in which 30 professional analysts were recruited and asked to complete a cyber-analysis task with their operations being traced. State machines were constructed based on the traces and then the effectiveness of developing state machines and the performance of state machines are evaluated. The result shows that it is feasible to conduct automated data triage by leveraging analysts' traces. The state machines are able to complete processing a large amount of data within minutes. Comparing the performance of automated data triage with the ground truth, we found that a satisfactory false positive rate can be achieved.
UR - http://www.scopus.com/inward/record.url?scp=85047182175&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85047182175&partnerID=8YFLogxK
U2 - 10.1109/JSYST.2018.2828832
DO - 10.1109/JSYST.2018.2828832
M3 - Article
AN - SCOPUS:85047182175
VL - 13
SP - 603
EP - 614
JO - IEEE Systems Journal
JF - IEEE Systems Journal
SN - 1932-8184
IS - 1
M1 - 8360965
ER -