Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F22%3A00126006" target="_blank" >RIV/00216224:14610/22:00126006 - isvavai.cz</a>

Výsledek na webu

<a href="http://dx.doi.org/10.1109/IV56949.2022.00058" target="_blank" >http://dx.doi.org/10.1109/IV56949.2022.00058</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/IV56949.2022.00058" target="_blank" >10.1109/IV56949.2022.00058</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance

Popis výsledku v původním jazyce

Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices.

Název v anglickém jazyce

Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance

Popis výsledku anglicky

Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/EF16_019%2F0000822" target="_blank" >EF16_019/0000822: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2022

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

2022 26th International Conference Information Visualisation (IV)

ISBN

9781665490078

ISSN

—

e-ISSN

—

Počet stran výsledku

7

Strana od-do

300-306

Název nakladatele

IEEE

Místo vydání

Vienna, Austria

Místo konání akce

Vienna

Datum konání akce

19. 7. 2022

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

—