Abstract

An average medium-sized organisation logs approximately 10 to 500 million events per day. Less than 5% of threat alerts are investigated by specialised staff, leaving a security hole open to potential attacks. Insufficient information in alert messages, produced in a machine-friendly rather than human-friendly format, causes cognitive overload on already limited cybersecurity resources. This paper proposes a model that generates a natural-language report from security logs by applying novel storytelling techniques. The solution caters for different levels of reader expertise and preference by providing adjustable templates, filled from both a local and a global knowledge base. Validation is performed on a case study from the Security Operations Centre (SOC) of an educational institution. The generated report proves superior to the existing approach in terms of comprehension (increased cognition) and completeness (enriched context). The evaluation demonstrates the power of storytelling in interpreting potential threats in a cybersecurity context.

Highlights

  • Global domain knowledge required: the organisation Y, with a limited number of experienced cyber professionals, has to prioritise the crucial alerts over the large volume of remaining security breaches for prompt response

  • The novelty comes from the human-comprehensible format of the report, which has proved successful in various applications yet is still underutilised in the cybersecurity domain

  • Structured Threat Information eXpression (STIX) focuses mostly on cyber threat intelligence from a holistic perspective, while the Incident Object Description and Exchange Format (IODEF) concentrates on attacker and defender information


Summary

INTRODUCTION

Global domain knowledge required: the organisation Y, with a limited number of experienced cyber professionals, has to prioritise the crucial alerts over the large volume of remaining security breaches for prompt response. Knowledge obtained automatically from external sources is required to stay up to date with increasingly sophisticated and dynamically changing cyber attacks. Both examples show that comprehensive alert analysis requires domain knowledge from both the local and the global level. The automatic generation of storytelling reports at multiple levels of detail (i.e. for expert and non-expert readers) provides a comprehensive view of the cyber situation (i.e. from the local and global database) that fills the existing gap in the analysis of security log records. The novelty comes from the human-comprehensible format of the report, which has proved successful in various applications (e.g. the automatic journalist), yet is still underutilised in the cybersecurity domain.
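The template-filling idea described in the abstract and the summary above, as an added illustration that is not the paper's own code: alerts are grouped, enriched from a local knowledge base (the organisation's own asset inventory) and a global one (external attack descriptions), and rendered with an expert or non-expert template. All log lines, IP addresses and knowledge-base entries are constructed for the example.

```python
import re

# Constructed sample alert lines (not from the paper's SOC data).
ALERTS = [
    "2023-05-01T08:12:03 src=10.0.5.21 dst=10.0.1.7 sig=SSH brute force attempt sev=3",
    "2023-05-01T08:12:09 src=10.0.5.21 dst=10.0.1.7 sig=SSH brute force attempt sev=3",
    "2023-05-01T08:14:40 src=10.0.5.21 dst=10.0.1.9 sig=SSH brute force attempt sev=3",
    "2023-05-01T09:02:11 src=10.0.1.7 dst=198.51.100.23 sig=Outbound DNS to known sinkhole sev=4",
]

# Local knowledge base (assumed): what the organisation knows about its own assets.
LOCAL_KB = {
    "10.0.1.7": {"name": "student-portal-db", "role": "database server", "owner": "IT services"},
    "10.0.1.9": {"name": "lms-web-01", "role": "web server", "owner": "E-learning team"},
}

# Global knowledge base (constructed): plain-language attack descriptions from external sources.
GLOBAL_KB = {
    "SSH brute force attempt": {
        "plain": "repeated password guessing against its remote login service",
        "tactic": "credential access"},
    "Outbound DNS to known sinkhole": {
        "plain": "an attempt to contact an address associated with malware control",
        "tactic": "command and control"},
}

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>.+?) sev=(?P<sev>\d)")

# Adjustable templates: one per reader level, filled from the grouped alert plus both knowledge bases.
TEMPLATES = {
    "expert": "{n}x '{sig}' ({tactic}) {src} -> {dst} [{name}, {role}], max severity {sev}.",
    "nonexpert": "The {role} '{name}' (owned by {owner}) was involved in {n} alert(s): {plain}.",
}

def parse(lines):
    """Parse the constructed key=value alert format into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def narrate(lines, level="nonexpert"):
    """Group alerts by (signature, source, destination), most severe first, and fill the template."""
    groups = {}
    for a in parse(lines):
        g = groups.setdefault((a["sig"], a["src"], a["dst"]), {"n": 0, "sev": 0})
        g["n"] += 1
        g["sev"] = max(g["sev"], int(a["sev"]))
    sentences = []
    for (sig, src, dst), g in sorted(groups.items(), key=lambda kv: -kv[1]["sev"]):
        # Local context: whichever endpoint is a known asset; fall back to a neutral description.
        asset = LOCAL_KB.get(dst) or LOCAL_KB.get(src) or {"name": dst, "role": "unknown asset", "owner": "unknown"}
        intel = GLOBAL_KB.get(sig, {"plain": sig.lower(), "tactic": "unknown"})   # global context
        sentences.append(TEMPLATES[level].format(sig=sig, src=src, dst=dst, **g, **asset, **intel))
    return sentences
```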

RELATED WORK
EXTRACTION LAYER
CASE STUDY
Findings
CONCLUSION