Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance

2022 26th International Conference Information Visualisation (IV) Pub Date : 2022-07-01 DOI:10.1109/IV56949.2022.00058

Vít Rusňák, L. Janečková, Filip Drgon, Anna-Marie Dombajova, Veronika Kudelkova

{"title":"Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance","authors":"Vít Rusňák, L. Janečková, Filip Drgon, Anna-Marie Dombajova, Veronika Kudelkova","doi":"10.1109/IV56949.2022.00058","DOIUrl":null,"url":null,"abstract":"Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices.","PeriodicalId":153161,"journal":{"name":"2022 26th International Conference Information Visualisation (IV)","volume":"144 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 26th International Conference Information Visualisation (IV)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IV56949.2022.00058","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices.

查看原文本刊更多论文

利用分析来源改进网络安全事件分析工作流程

网络安全事件分析是对来自网络监控工具的记录和日志进行探索性、数据驱动的过程。这个过程很少是线性的，经常分解成多个调查分支。分析人员记录了所有的步骤和经验教训，并提出了缓解措施。然而，目前的工具只提供有限的分析来源支持。因此，分析人员必须在单独的文档中记录有关执行步骤和注释的所有细节。这样的过程增加了他们的认知需求，自然容易出错。本文提出了一种分析工具的概念设计，在网络安全事件分析工作流中实现分析来源的方法。我们确定了用户需求，设计并实现了一个概念验证原型应用程序Incident Analyzer。来自四位领域专家的定性反馈证实，我们的方法很有前途，可以显著改善当前的网络安全和网络事件分析实践。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 26th International Conference Information Visualisation (IV)

自引率

0.00%

发文量