Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance

Investor logo

Warning

This publication doesn't include Faculty of Arts. It includes Institute of Computer Science. Official publication website can be found on muni.cz.
Authors

RUSŇÁK Vít JANEČKOVÁ Lenka DRGOŇ Filip DOMBAJOVÁ Anna-Marie KUDĚLKOVÁ Veronika

Year of publication 2022
Type Article in Proceedings
Conference 2022 26th International Conference Information Visualisation (IV)
MU Faculty or unit

Institute of Computer Science

Citation
web https://doi.org/10.1109/IV56949.2022.00058
Doi http://dx.doi.org/10.1109/IV56949.2022.00058
Keywords cybersecurity; incident analysis; analytical provenance; explorative data analysis
Attached files
Description Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices.
Related projects:

You are running an old browser version. We recommend updating your browser to its latest version.