AutoCRAT: Automatic Cumulative Reconstruction of Alert Trees
Authors: Eric Ficke, Raymond M. Bateman, Shouhuai Xu
Journal: arXiv - CS - Cryptography and Security, volume 18 1
Publication date: 2024-09-17
Publication type: Journal Article
DOI: arxiv-2409.10828 (https://doi.org/arxiv-2409.10828)
Platform: Semanticscholar
Citations: 0
Abstract
When a network is attacked, cyber defenders need to precisely identify which systems (i.e., computers or devices) were compromised and what damage may have been inflicted. This process is sometimes referred to as cyber triage and is an important part of the incident response procedure. Cyber triage is challenging because the impacts of a network breach can be far-reaching with unpredictable consequences. This highlights the importance of automating this process. In this paper we propose AutoCRAT, a system for quantifying the breadth and severity of threats posed by a network exposure, and for prioritizing cyber triage activities during incident response. Specifically, AutoCRAT automatically reconstructs what we call alert trees, which track network security events emanating from, or leading to, a particular computer on the network. We validate the usefulness of AutoCRAT using a real-world dataset. Experimental results show that our prototype system can reconstruct alert trees efficiently and can facilitate data visualization in both incident response and threat intelligence analysis.