Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design

Cyber network analysts follow complex processes in their investigations of potential threats to their network. Much research is dedicated to providing automated decision support in the effort to make their tasks more efficient, accurate, and timely. Support tools come in a variety of implementations, from machine learning algorithms that monitor streams of data to visual analytic environments for exploring rich and noisy data sets. Cyber analysts, however, need tools that help them merge the data they already have and establish appropriate baselines against which to compare anomalies. Furthermore, the existing threat models that cyber analysts regularly use to structure their investigations are seldom leveraged in support tools. We report on our work with cyber analysts to understand the analytic process and how one such model, the MITRE ATT&CK Matrix [42], is used to structure their analytic thinking. We present our efforts to map the specific data needed by analysts into this threat model to inform our visualization designs. We leverage this expert knowledge elicitation to identify capability gaps that might be filled with visual analytic tools. We propose a prototype visual-analytic-supported alert management workflow to aid cyber analysts working with threat models.

[1] Dawn M. Cappelli et al. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, 2012.

[2] Víctor M. González et al. No task left behind?: examining the nature of fragmented work, 2005, CHI.

[3] P. Hancock et al. The Human Factors of Cyber Network Defense, 2015.

[4] Deborah A. Frincke et al. Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation, 2010, Insider Threats in Cyber Security.

[5] Robert G. Abbott et al. Factors Impacting Performance in Competitive Cyber Exercises, 2014.

[6] John McHugh et al. An Anthropological Approach to Studying CSIRTs, 2014, IEEE Security & Privacy.

[7] Anita D. D'Amico et al. The Real Work of Computer Network Defense Analysts, 2007, VizSEC.

[8] Ulrik Franke et al. Cyber situational awareness: A systematic review of the literature, 2014, Comput. Secur.

[9] Wayne G. Lutters et al. Focusing on context in network traffic analysis, 2006, IEEE Computer Graphics and Applications.

[10] Leslie M. Blaha et al. Interface Metaphors for Interactive Machine Learning, 2017, HCI.

[11] Alex Endert et al. 7 key challenges for visualization in cyber network defense, 2014, VizSEC.

[12] Raheem A. Beyah et al. NAVSEC: a recommender system for 3D network security visualizations, 2013, VizSec '13.

[13] Dawn M. Cappelli et al. Common Sense Guide to Mitigating Insider Threats, 4th Edition, 2012.

[14] Diane Staheli et al. Unlocking user-centered design methods for building cyber security visualizations, 2015, 2015 IEEE Symposium on Visualization for Cyber Security (VizSec).

[15] James C. Christensen et al. Human Factors in Cyber Warfare II, 2014.

[16] John Blitzer et al. Intelligent Email: Aiding Users with AI, 2008, AAAI.

[17] Brian Hutchinson et al. Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams, 2017, AAAI Workshops.

[18] Edwin R. Burtner et al. Streaming Visual Analytics Workshop Report, 2016.

[19] AbdulMalik S. Al-Salman et al. Visualizing PHPIDS log files for better understanding of web server attacks, 2013, VizSec '13.

[20] Gary Klein et al. Making Sense of Sensemaking 2: A Macrocognitive Model, 2006, IEEE Intelligent Systems.

[21] Celeste Lyn Paul. Human-Centered Study of a Network Operations Center: Experience Report and Lessons Learned, 2014, SIW '14.

[22] Robert S. Gutzwiller et al. A task analysis toward characterizing cyber-cognitive situation awareness (CCSA) in cyber defense analysts, 2016, 2016 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA).

[23] Alex Endert et al. Toward Theoretical Techniques for Measuring the Use of Human Effort in Visual Analytic Systems, 2017, IEEE Transactions on Visualization and Computer Graphics.

[24] Konstantin Beznosov et al. Towards understanding IT security professionals and their tools, 2007, SOUPS '07.

[25] Adam Wynne et al. Real-time visualization of network behaviors for situational awareness, 2010, VizSec '10.

[26] Christophe Bidan et al. ELVIS: Extensible Log VISualization, 2013, VizSec '13.

[27] Eric Michael Hutchins et al. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, 2010.

[28] Chris North et al. Visualizing cyber security: Usable workspaces, 2009, 2009 6th International Workshop on Visualization for Cyber Security.

[29] Niels Taatgen et al. What Makes Interruptions Disruptive?: A Process-Model Account of the Effects of the Problem State Bottleneck on Task Interruption and Resumption, 2015, CHI.

[30] P. Pirolli et al. The Sensemaking Process and Leverage Points for Analyst Technology as Identified Through Cognitive Task Analysis, 2007.

[31] Frank L. Greitzer et al. Modeling Human Behavior to Anticipate Insider Attacks, 2011.

[32] Jarke J. van Wijk et al. Understanding the context of network traffic alerts, 2016, 2016 IEEE Symposium on Visualization for Cyber Security (VizSec).