安全行动中心的警报优先级：关于标准和方法的系统调查

IF 23.8 1区计算机科学 Q1 COMPUTER SCIENCE, THEORY & METHODS

ACM Computing Surveys Pub Date : 2024-09-14 DOI:10.1145/3695462

Fatemeh Jalalvand, Mohan Baruwal Chhetri, Surya Nepal, Cecile Paris

{"title":"安全行动中心的警报优先级：关于标准和方法的系统调查","authors":"Fatemeh Jalalvand, Mohan Baruwal Chhetri, Surya Nepal, Cecile Paris","doi":"10.1145/3695462","DOIUrl":null,"url":null,"abstract":"Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.","PeriodicalId":50926,"journal":{"name":"ACM Computing Surveys","volume":null,"pages":null},"PeriodicalIF":23.8000,"publicationDate":"2024-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods\",\"authors\":\"Fatemeh Jalalvand, Mohan Baruwal Chhetri, Surya Nepal, Cecile Paris\",\"doi\":\"10.1145/3695462\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.\",\"PeriodicalId\":50926,\"journal\":{\"name\":\"ACM Computing Surveys\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":23.8000,\"publicationDate\":\"2024-09-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"ACM Computing Surveys\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1145/3695462\",\"RegionNum\":1,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Computing Surveys","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3695462","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 0

摘要

安全运营中心（SOC）是安全分析人员利用先进技术监控、检测和应对网络事件的专业设施。然而，不断增加的安全事件使安全分析人员应接不暇，导致警报疲劳。通过利用适当的标准和方法，有效的警报优先级排序（AP）成为解决这一问题的关键。人类-人工智能团队（HAT）通过结合人类和人工智能的互补优势，有可能显著提高警报优先级。人工智能擅长以机器速度处理大量警报数据、识别异常情况、揭示隐藏模式并对大规模警报进行优先排序。人类分析师可以利用他们的专业知识来调查已确定优先级的警报，根据额外的上下文重新确定警报的优先级，并向人工智能系统提供有价值的反馈，从而减少误报并确保关键警报得到优先处理。这项工作全面回顾了 SOC 中 AP 的标准和方法。我们分析了基于 HAT 的不同类别 AP 标准和方法的优缺点，特别考虑了自动化、增强和协作。我们还确定了未来研究的几个领域。我们预计，我们的研究结果将有助于提高 AP 技术，促进 SOC 中更有效的安全事件响应。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods

Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect, and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human-AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context, and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation, and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

ACM Computing Surveys 工程技术-计算机：理论方法

CiteScore

33.20

自引率

0.60%

发文量

372

审稿时长

12 months

期刊介绍： ACM Computing Surveys is an academic journal that focuses on publishing surveys and tutorials on various areas of computing research and practice. The journal aims to provide comprehensive and easily understandable articles that guide readers through the literature and help them understand topics outside their specialties. In terms of impact, CSUR has a high reputation with a 2022 Impact Factor of 16.6. It is ranked 3rd out of 111 journals in the field of Computer Science Theory & Methods. ACM Computing Surveys is indexed and abstracted in various services, including AI2 Semantic Scholar, Baidu, Clarivate/ISI: JCR, CNKI, DeepDyve, DTU, EBSCO: EDS/HOST, and IET Inspec, among others.