Information-Pooling Bias in Collaborative Security Incident Correlation Analysis

Author(s):  
Prashanth Rajivan ◽  
Nancy J. Cooke

Objective: Incident correlation is a vital step in the cybersecurity threat detection process. This article presents research on the effect of group-level information-pooling bias on collaborative incident correlation analysis in a synthetic task environment. Background: Past research has shown that uneven information distribution biases people to share information that is known to most team members and prevents them from sharing any unique information available to them. The effect of such biases on security team collaboration is largely unknown. Method: Thirty 3-person teams performed two threat detection missions involving information sharing and correlating security incidents. Incidents were predistributed to each person in the team based on the hidden profile paradigm. Participant teams, randomly assigned to three experimental groups, used different collaboration aids during Mission 2. Results: Communication analysis revealed that participant teams were 3 times more likely to discuss security incidents commonly known to the majority. Unaided team collaboration was inefficient in finding associations between security incidents uniquely available to each member of the team. Visualizations that augment perceptual processing and recognition memory were found to mitigate the bias. Conclusion: The data suggest that (a) security analyst teams, when conducting collaborative correlation analysis, could be inefficient in pooling unique information from their peers; (b) employing off-the-shelf collaboration tools in cybersecurity defense environments is inadequate; and (c) collaborative security visualization tools developed with the human cognitive limitations of security analysts in mind are necessary. Application: Potential applications of this research include the development of team training procedures and collaboration tools for security analysts.

Author(s):  
Prashanth Rajivan ◽  
Nancy J. Cooke

Security analysts regularly correlate disparate incidents to detect cyber-attacks. However, past research shows that team-based incident correlation analysis may be affected by information-pooling bias. This article presents findings from an agent-based model used to explore the cognitive processes hypothesized to cause this bias during information exchange within a team. The model simulated information exchange between three analysts conducting incident correlation analysis by searching the information available to them about the different incidents. Three models of the memory search process were compared: Random, Local, and Memory-aided search. Results from the simulation show that agents in the local search model, compared to the memory-aided search model, more often shared the information known to the majority of the team. Comparing the model results with data from lab experiments suggests that teams, by default, may be employing a heuristic search process during information exchange, leading to sub-optimal team processes and performance.


2020 ◽  
pp. 45-51
Author(s):  
Igor Butusov ◽  
Aleksandr Romanov
The purpose of the article is to support the processes of preventing information security incidents under conditions of high uncertainty. Method: methods of mathematical (theoretical) computer science and fuzzy set theory. Result: an information security incident, including a computer incident, is considered as a violation or termination of the functioning of an automated information system and (or) a violation of the information stored and processed in this system, including those caused by a computer attack. Information descriptions are presented in the form of structured data about signs of computer attacks. Structured data is a finite sequence of strings of symbols in a formal language. The Damerau-Levenshtein edit distance is proposed as a metric for measuring the distance between strings of characters from a particular alphabet. The possibility of presenting the semantics of information descriptions of attack features in the form of fuzzy sets is proved. Thresholds (degrees) of separation of fuzzy information descriptions are defined. The influence of the semantic certainty of information descriptions of features (degrees of blurring of fuzzy information descriptions) on the decision about their identity (similarity) is evaluated. It is shown that the semantic component of information descriptions of signs of computer attacks presupposes the presence of some semantic metric (for its measurement and interpretation), which, as a rule, is formally poorly defined, ambiguously interpreted and characterized by uncertainty of the fuzziness type, the presence of semantic information, and the inability to directly apply a probabilistic measure to determine the degree of similarity between input and stored information descriptions of signs. An approach is proposed for identifying fuzzy information descriptions of computer attacks and for applying methods of separating elements of the reference sets on which these information descriptions are defined. It is shown that the results of the procedure for identifying fuzzy information descriptions of computer attacks depend on the degree of separation of the reference sets and on the indicators of semantic uncertainty of these descriptions.


2018 ◽  
Vol 79 (45-46) ◽  
pp. 33349-33363 ◽  
Author(s):  
Xindai Lu ◽  
Jiajia Han ◽  
Qianbo Ren ◽  
Hua Dai ◽  
Jiyuan Li ◽  
...  

2021 ◽  
Vol 53 (1) ◽  
pp. 74-82
Author(s):  
ANDREY R. OCHEREDKO ◽  
DMITRIY A. BACHMANOV ◽  
MICHAEL M. PUTYATO ◽  
ALEXANDER S. MAKARYAN ◽  
...  

The article discusses the features and functions of information security incident response systems. An analysis of modern IRP solutions is presented and the process of responding to typical incidents in systems of this class is described. Based on expert opinions, a list of criteria was formed and divided into groups by area of functional responsibility for further comparison of the IRP systems. The assessment of the main and additional characteristics of IRP systems was carried out using the formed criterion groups. The analysis of the comparison results showed that the most promising solutions are R-Vision IRP, IBM Resilient IRP and the open-source solution The Hive. An algorithm for a phishing attack prevention module was developed and presented, with its software implementation written in Python. Using the integration capabilities of The Hive, a custom response function was implemented that not only potentially improved the system's performance in preventing phishing attacks, but also increased employee awareness of this threat. The result is an IRP system with flexible, individual customization of its elements, which forms the basis for a Security Operations Center (SOC) that will bring the information security of organizations to a new level.


2022 ◽  
Vol 30 (2) ◽  
pp. 0-0

The rapid development of cross-border e-commerce over the past decade has accelerated the integration of the global economy. At the same time, cross-border e-commerce has increased the prevalence of cybercrime, and the future success of e-commerce depends on enhanced online privacy and security. However, investigating security incidents is time- and cost-intensive, as identifying telltale anomalies and the source of attacks requires the use of multiple forensic tools and technologies as well as security domain knowledge. Prompt responses to cyberattacks are important to reduce damage and loss and to improve the security of cross-border e-commerce. This article proposes a digital forensic model for first incident responders to identify suspicious system behaviors. A prototype system is developed and evaluated by incident response handlers. The model and system are shown to help reduce the time and effort of investigating cyberattacks. The proposed model is expected to enhance security incident handling efficiency for cross-border e-commerce.


Entropy ◽  
2021 ◽  
Vol 23 (5) ◽  
pp. 618
Author(s):  
Gonzalo de la Torre-Abaitua ◽  
Luis F. Lago-Fernández ◽  
David Arroyo

Nowadays, information and communications technology systems are fundamental assets of our social and economic model, and thus they should be properly protected against the malicious activity of cybercriminals. Defence mechanisms are generally articulated around tools that trace and store information in several ways, the simplest one being the generation of plain text files known as security logs. Such log files are usually inspected, in a semi-automatic way, by security analysts to detect events that may affect system integrity, confidentiality and availability. On this basis, we propose a parameter-free method to detect security incidents from structured text regardless of its nature. We use the Normalized Compression Distance to obtain a set of features that can be used by a Support Vector Machine to classify events from a heterogeneous cybersecurity environment. In particular, we explore and validate the application of our method in four different cybersecurity domains: HTTP anomaly identification, spam detection, Domain Generation Algorithm tracking and sentiment analysis. The results obtained show the validity and flexibility of our approach in different security scenarios with a low configuration burden.


2020 ◽  
Author(s):  
Ying He ◽  
Cunjin Luo

Background: Recent industry reports show that the number of security incidents in the healthcare sector is still increasing, especially high-severity incidents such as data leakage and ransomware, which can have a significant impact on healthcare services. It is imperative for organizations to learn lessons from those incidents. Traditional ways of disseminating lessons learned are text-based, and their linear format can obscure relationships among concepts and discourage readers from integrating information across ideas. Graphical diagrams can serve this purpose, as they can communicate both individual elements of information and the relationships between them. Methods: The Generic Security Template (GST) has been proposed to support the exchange of lessons learned from security incidents. It utilises graphical notations to communicate both individual elements of information and the relationships between them. This paper conducts a case study that adopts the GST to capture and structure the incident information of a data leakage incident in a UK healthcare organization in order to facilitate incident exchange. Results: The results show that the GST was able to visualise and depict the key elements, including the lessons learned, the associated security requirements and the organizational contextual information identified from the selected NHS data leakage incident case study. The GST provides a unified way to communicate incident information. Conclusions: This research has significance for healthcare organizations seeking to improve their incident learning practices. It fosters an environment where different stakeholders can speak the same language while exchanging lessons learned from security incidents. Future work will consider applying the GST to analyse other complex security incidents, such as advanced persistent threats (APTs) in healthcare organizations, and extending the use of the GST to other industries.
Keywords: Security Assurance Modelling, Generic Security Template (GST), Security Incident, Healthcare Organization.


Author(s):  
E V Chernova ◽  
P N Polezhaev ◽  
A E Shukhman ◽  
Yu A Ushakov ◽  
I P Bolodurina ◽  
...  

Every year computer networks become more complex, which directly affects the provision of a high level of information security. The commercial services, critical systems, and information resources prevailing in such networks are profitable targets for terrorists, cyber-spies, and criminals. The consequences range from the theft of strategic, highly valued intellectual property and direct financial losses to significant damage to a brand and customer trust. Attackers have the advantage in complex computer networks, as it is easier to hide their tracks. The detection and identification of security incidents are the most important and difficult tasks. Security incidents must be detected as soon as possible, and analyzed and responded to correctly, so as not to disrupt the work of the enterprise computer network. The difficulty is that different event sources offer different data formats or can duplicate events. In addition, some events do not indicate any problem on their own, but their sequence may indicate the presence of a security incident. All security event collection processes must be performed in real time, which means streaming data processing.


2018 ◽  
Vol 6 (61) ◽  
pp. 147-171 ◽  
Author(s):  
Andrey Iskhakov ◽  
Anastasia Iskhakova ◽  
Roman Meshcheryakov ◽  
Reda Bendraou ◽  
Olga Melekhova

One of the main functions of an information security system is the identification of any access subject so that information security incidents can be investigated. While executing scanning and vulnerability exploitation procedures, qualified adversaries regularly change their identifying features. Such operations can not only obfuscate the data logged by subsystems, thus complicating the restoration of the chronology of events for an information security expert, but also call into question the irrefutability of evidence of a particular adversary's participation in particular illegal operations. The paper analyses the application of modern approaches to adversary identification on web resources that do not require authentication for most users (fingerprinting, analysis of behavioral features). Along with "thermal maps", which are widely used in web analytics, a user-adapted profile and a computer model of the dynamics of the "user-mouse" system, the authors propose identifying the subjects of an information security incident in readily available information resources of the Internet. The main idea of the proposed approach is the following: when a thermal map is built, not only the density of the data layout should be considered, but also statistical parameters defined by an expert (the distance of the intensity gradient, distance overlap, etc.). The authors also propose considering the dynamics of user operations (e.g. calculating the average duration of data entry into interactive elements). A description of each step of the corresponding technique, as well as information on its practical implementation, is given. The robustness of the approach is confirmed by a practical experiment. The proposed technique is not a universal instrument of adversary identification. Only manual targeted attacks are considered; the cURL tools etc. used by adversaries are not taken into account. Therefore, it is recommended to use this technique exclusively in addition to working protective systems (WAF, IPS, IDS).
