Towards Human-AI Teaming to Mitigate Alert Fatigue in Security Operations Centres

IF 3.9 | Zone 3, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Mohan Baruwal Chhetri, Shahroz Tariq, Ronal Singh, Fateneh Jalalvand, Cecile Paris, Surya Nepal
Publication date: 2024-05-30
Publication type: Journal Article
DOI: 10.1145/3670009 (https://doi.org/10.1145/3670009)
Citation count: 0

Abstract

Security Operations Centres (SOCs) play a pivotal role in defending organisations against evolving cyber threats. They function as central hubs for detecting, analysing, and responding promptly to cyber incidents with the primary objective of ensuring the confidentiality, integrity, and availability of digital assets. However, they struggle against the growing problem of alert fatigue, where the sheer volume of alerts overwhelms SOC analysts and raises the risk of overlooking critical threats. In recent times, there has been a growing call for human-AI teaming, wherein humans and AI collaborate with each other, leveraging their complementary strengths and compensating for their weaknesses. The rapid advances in AI and the growing integration of AI-enabled tools and technologies within SOCs give rise to a compelling argument for the implementation of human-AI teaming within the SOC environment. Therefore, in this position paper, we present our vision for human-AI teaming to address the problem of alert fatigue in SOC. We propose the \(\mathcal{A}^2\mathcal{C}\) Framework, which enables flexible and dynamic decision-making by allowing seamless transitions between automated, augmented, and collaborative modes of operation. Our framework allows AI-powered automation for routine alerts, AI-driven augmentation for expedited expert decision-making, and collaborative exploration for tackling complex, novel threats. By implementing and operationalising \(\mathcal{A}^2\mathcal{C}\), SOCs can significantly reduce alert fatigue while empowering analysts to efficiently and effectively respond to security incidents.

Source journal: ACM Transactions on Internet Technology (Engineering and Technology, Computer Science: Software Engineering)
CiteScore: 10.30
Self-citation rate: 1.90%
Articles published: 137
Review time: >12 weeks
Journal description: ACM Transactions on Internet Technology (TOIT) brings together many computing disciplines including computer software engineering, computer programming languages, middleware, database management, security, knowledge discovery and data mining, networking and distributed systems, communications, performance and scalability etc. TOIT will cover the results and roles of the individual disciplines and the relationships among them.