Abstract

A Security Operation Center (SOC) uses an Incident Response Plan (IRP) to respond to security incidents by orchestrating the activities of diverse security tools in a Security Orchestration, Automation and Response (SOAR) platform. SOC teams manually dig through the API documentation of security tools to find the appropriate APIs to define, update and execute an IRP, which hampers effective and efficient incident response. We propose a novel framework, IRP2API, for automatically mapping IRP tasks to the APIs of diverse security tools. IRP2API enables SOC teams to execute IRP tasks effectively and efficiently while significantly reducing the required human effort. IRP2API is a unified framework for diverse security tools that uses an unsupervised transfer learning approach based on API documentation; it removes the need for expert knowledge, expensive manually labeled data and access to the code repository. IRP2API achieves suitable semantic coverage by leveraging different semantic variation enrichment methods to deal with the semantic variation in IRP and API data. To demonstrate the real-world viability of IRP2API, we experimentally evaluate its effectiveness and efficiency using IRPs from a real-world SOAR platform, 6 security tools and 4 transfer learning-based pre-trained embedding approaches. IRP2API achieves 91.1% Top-15 Accuracy and a mean reciprocal rank@15 of 57.4 for automated IRP-to-API mapping, a 41.6% and 81.6% improvement over the best results across all non-transfer learning-based baselines, which indicates its effectiveness in supporting a SOC team. IRP2API requires only 0.8 sec per IRP task to map a suitable API, which reflects its real-world applicability in a time-critical SOC.
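As an added illustration (not the paper's code or data), the following Python sketches the evaluation the abstract reports: it ranks hypothetical tool APIs against IRP task text using a plain lexical cosine similarity, uses a small synonym table as a stand-in for the paper's semantic variation enrichment, and computes Top-k accuracy and MRR@k over the ranked results. All API docs, IRP tasks and synonyms below are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample data (not from the paper): hypothetical tool API docs and
# IRP tasks labelled with the API a SOC analyst would pick for them.
API_DOCS = {
    "fw.block_ip": "Block traffic from a source IP address on the firewall",
    "fw.list_rules": "List currently configured firewall rules",
    "edr.isolate_host": "Isolate an endpoint host from its network for containment",
    "edr.get_process": "Retrieve running processes from an endpoint",
    "ti.lookup_hash": "Query threat intelligence for a file hash reputation",
}
IRP_TASKS = [
    ("block the attacker ip at the perimeter firewall", "fw.block_ip"),
    ("contain the infected machine", "edr.isolate_host"),
    ("check the reputation of the dropped file hash", "ti.lookup_hash"),
]
# Tiny semantic-variation enrichment: a hand-made synonym table standing in
# for the embedding-based enrichment methods the paper describes.
SYNONYMS = {"contain": ["isolate", "containment"], "machine": ["host", "endpoint"]}

def tokens(text, enrich=False):
    words = re.findall(r"[a-z0-9]+", text.lower())
    if enrich:  # append synonyms so lexically different wording still overlaps
        words += [s for w in words for s in SYNONYMS.get(w, [])]
    return Counter(words)

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def rank_apis(task, enrich=False):
    """API ids ordered by descending similarity to the task text (ties alphabetical)."""
    q = tokens(task, enrich)
    scored = [(cosine(q, tokens(doc)), api) for api, doc in API_DOCS.items()]
    return [api for _, api in sorted(scored, key=lambda s: (-s[0], s[1]))]

def evaluate(tasks=IRP_TASKS, k=15, enrich=False):
    """Top-k accuracy and MRR@k, the two metrics the abstract reports for IRP2API."""
    hits, rr = 0, 0.0
    for task, correct in tasks:
        ranked = rank_apis(task, enrich)[:k]
        if correct in ranked:
            hits += 1
            rr += 1.0 / (ranked.index(correct) + 1)  # reciprocal rank of the hit
    return {"top_k_accuracy": hits / len(tasks), "mrr_at_k": rr / len(tasks)}
```

Running `evaluate()` against `evaluate(enrich=True)` shows the point of enrichment: the task worded "contain the infected machine" only reaches rank 3 on lexical overlap, so MRR drops even though Top-15 accuracy stays at 1.0.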
