Abstract
The ever-increasing number of major security incidents has led to an emerging interest in cooperative approaches to countering cyber threats. To enable cooperation in detecting and preventing attacks, structured and standardized formats for describing an incident are indispensable. The corresponding formats are complex and extensive, as they are often designed for automated processing and exchange. These characteristics hamper readability and, therefore, prevent humans from understanding the documented incident. This is a major problem, since the success and effectiveness of any security measure rely heavily on the contribution of security experts. To address these shortcomings, we propose a visual analytics concept that enables security experts to analyze and enrich semi-structured cyber threat intelligence information. Our approach combines a novel way of persisting this data with an interactive visualization component for analyzing and editing the threat information. We demonstrate the feasibility of our concept using the Structured Threat Information eXpression (STIX), the state-of-the-art format for reporting cyber security issues.
Highlights
Over the last few years, the number of IT security incidents among companies has been constantly increasing
The interviews lasted between 45 and 70 min, which was mainly due to the summarizing discussion, where the experts brought up a lot of interesting points, ranging from possible improvements to Structured Threat Information eXpression (STIX) itself to functionality features of KAVAS necessary for operative deployment in an organization
In this work we presented KAVAS, a concept for interactive visual analytics of threat intelligence information
Summary
Over the last few years, the number of IT security incidents among companies has been constantly increasing. STIX 2, in contrast, is not bound to a specific use case and provides a comprehensive tool set for representing various kinds of information about incidents. As it is the format with the broadest range of applications (Menges and Pernul 2018), we focus our work on STIX 2 as the most recent version of STIX. This choice is further substantiated by STIX being the de-facto standard format for the exchange of threat intelligence information at present, a status that can be anticipated for its successor STIX 2 in the near future (Shackleford 2015; Sauerwein et al. 2017). It provides the most extensive data structures among the available formats, as shown by Asgarli and Burger (2016) as well as by Menges and Pernul (2018). STIX 2 provides highly flexible data structures that allow domain experts to interact with the data with very few limitations.