A Deep Neural Network Approach to Tracing Paths in Cybersecurity Investigations
Clinton Daniel, T. Gill, A. Hevner, Matthew T. Mullarkey
2020 International Conference on Data Mining Workshops (ICDMW), published 2020-11-01. DOI: 10.1109/ICDMW51313.2020.00070 (https://doi.org/10.1109/ICDMW51313.2020.00070)
Citations: 0
Abstract
Security Analysts (SAs) operating within Security Operation Centers (SOCs) conduct cybersecurity investigations on cyber events using methods which pave a measurable path. These paths serve as a source of evidence to study the transitions of the cognitive tasks performed by the SA throughout the investigation. Insight into these paths can support the observation and understanding of how to evaluate and measure the critical decisions made during an investigation, such as when an SA transitions from analyzing event logs to observing threat intelligence. We propose a framework we call the Cyber Analysis Transition Framework, which applies a quantitative approach for evaluating and measuring the transitions of the SA conducting cyber analysis methods. The novel approach for this framework includes the application of process mining and deep neural network output as a means for evaluating and measuring an SA's performance while conducting cybersecurity investigations.