Abstract
A Cyber Security Operations Center (CSOC) is responsible for investigating all the alerts generated from the intrusion detection systems to identify suspicious activities in a timely manner. There exists a critical gap between the time needed (demand) and the time available (limited analyst resource) for alert investigation at a CSOC. Hence, alert prioritization is important, for which CSOCs employ ad-hoc filtering methods to prune and triage the alerts that are presented to the analysts for investigation. One of the major drawbacks of the ad-hoc methods is that they do not comprehensively take into consideration the organization-specific factors such as mission and asset criticality, CSOC resource availability, demand variations, and the desired CSOC performance metrics. Hence, an ad-hoc triaging (or prioritization) method is insufficient, and an intelligent method for optimal selection of alerts that considers the above-mentioned organization-specific factors must be developed, which is described as a two-step process in this paper. First, a composite risk score of each alert is determined using a quantitative value function hierarchy process, which takes into account several organization-specific factors. Second, an optimization model selects a list of alerts for investigation that optimizes the CSOC performance metrics for a given demand subject to its resource constraints. Experimental results show that the alerts that pertain to mission criticalities are handled in a timelier manner as compared to current practices at the CSOCs. The average persistence time of an alert in the CSOC system is also shown to significantly reduce with this new approach, which is a paradigm shift in providing a stronger cyber-defense system by protecting the critical constituents of an organization.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
More From: IEEE Transactions on Information Forensics and Security
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.