Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods
Fatemeh Jalalvand, Mohan Baruwal Chhetri, Surya Nepal, Cecile Paris
ACM Computing Surveys, journal article, published 2024-09-14. DOI: 10.1145/3695462 (https://doi.org/10.1145/3695462)
Citation count: 0
Abstract
Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.
Journal introduction:
ACM Computing Surveys is an academic journal that focuses on publishing surveys and tutorials on various areas of computing research and practice. The journal aims to provide comprehensive and easily understandable articles that guide readers through the literature and help them understand topics outside their specialties. In terms of impact, CSUR has a high reputation with a 2022 Impact Factor of 16.6. It is ranked 3rd out of 111 journals in the field of Computer Science Theory & Methods.
ACM Computing Surveys is indexed and abstracted in various services, including AI2 Semantic Scholar, Baidu, Clarivate/ISI: JCR, CNKI, DeepDyve, DTU, EBSCO: EDS/HOST, and IET Inspec, among others.