KRAKEN: A Knowledge-Based Recommender system for Analysts, to Kick Exploration up a Notch

Conference paper, 2021
Abstract

During a computer security investigation, a security analyst has to explore the available logs to understand what happened in the compromised system. For such tasks, visual analysis tools have been developed to help with log exploration: they provide visualisations of aggregated logs and help navigate the data efficiently. However, even with visualisation tools, the task can still be difficult and tiresome. The volume and the many dimensions of the logs to analyse, together with the potential stealthiness and complexity of the attack, may lead to the analyst missing parts of an attack. We aim to help the analyst find, rapidly and efficiently, the logs where her expertise is needed. We design a recommender system called KRAKEN that links knowledge from advanced attack descriptions into a visual analysis tool to suggest exploration paths. KRAKEN confronts real-world adversary knowledge with the investigated logs to dynamically point out relevant parts of the dataset to explore. To evaluate KRAKEN we conducted a user study with seven security analysts. Using our system, they investigated a DARPA dataset containing different Advanced Persistent Threat attacks. The results and the analysts' comments show the usability and usefulness of the recommender system.
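The abstract only describes the idea at a high level. The following is an added illustrative sketch, written for this page and not the paper's KRAKEN implementation, of what a knowledge-based recommender over logs can look like: a constructed knowledge base of attack techniques with expected log indicators and the techniques they typically follow, a few constructed log lines, and a ranking that re-scores candidate (log line, technique) pairs as the analyst confirms findings, so that suggested exploration paths move along the attack rather than staying static. Technique ids, indicator patterns, scoring weights and every log line are assumptions for this example.

```python
"""Illustrative knowledge-based log recommender (example code, not KRAKEN).
Technique ids, indicators, weights and log lines are constructed for the example."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Constructed knowledge base: technique id -> name, techniques it typically follows
# in an intrusion, and (log kind, regex) indicators. Ids borrow ATT&CK-style
# numbering only as an assumption; the indicators are deliberately simple.
KNOWLEDGE_BASE: Dict[str, dict] = {
    "T1059": {"name": "Command and Scripting Interpreter", "follows": [],
              "indicators": [("process", r"\b(powershell|cmd\.exe|bash)\b")]},
    "T1053": {"name": "Scheduled Task/Job", "follows": ["T1059"],
              "indicators": [("process", r"\b(schtasks|crontab)\b")]},
    "T1021": {"name": "Remote Services", "follows": ["T1059"],
              "indicators": [("auth", r"\blogon_type=(3|10)\b"),
                             ("process", r"\b(ssh|psexec)\b")]},
    "T1041": {"name": "Exfiltration Over C2 Channel", "follows": ["T1021", "T1053"],
              "indicators": [("network", r"\bbytes_out=\d{7,}\b")]},
}

# Constructed log lines in the form "<ts> <host> <kind> <message>".
SAMPLE_LOGS: List[str] = [
    "100 ws01 process user=alice cmd=outlook.exe",
    "101 ws01 process user=alice cmd=powershell.exe -enc AAAA",
    "102 ws01 process user=alice cmd=schtasks /create /tn upd",
    "103 ws01 auth logon_type=3 target=srv02 user=alice",
    "104 srv02 process user=alice cmd=psexec.exe -accepteula",
    "105 srv02 network dst=203.0.113.9 bytes_out=12345678",
    "106 ws07 process user=bob cmd=powershell.exe Get-Date",
    "107 ws07 network dst=198.51.100.4 bytes_out=512",
    "garbage line that does not parse",
]


class LogEntry(NamedTuple):
    ts: int
    host: str
    kind: str
    msg: str


class Recommendation(NamedTuple):
    score: float
    ts: int
    host: str
    technique: str
    line: str


LOG_RE = re.compile(r"^(\d+) (\S+) (\w+) (.*)$")


def parse_log(line: str) -> Optional[LogEntry]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return LogEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4))


def matching_techniques(entry: LogEntry, kb=KNOWLEDGE_BASE) -> List[str]:
    """Technique ids whose indicators match this entry's kind and message."""
    return [tid for tid, tech in kb.items()
            if any(entry.kind == kind and re.search(pat, entry.msg)
                   for kind, pat in tech["indicators"])]


def recommend(lines: Iterable[str], confirmed: Iterable[Tuple[str, str]] = (),
              kb=KNOWLEDGE_BASE, top_k: int = 3) -> List[Recommendation]:
    """Rank (log line, technique) candidates the analyst has not yet confirmed.

    `confirmed` holds (technique id, host) findings already validated by the
    analyst. A candidate scores 1.0 for an indicator match, +1.0 if the knowledge
    base says it typically follows a confirmed technique, and +0.5 if it sits on
    a host where something was already confirmed. Ties keep log order.
    """
    confirmed = set(confirmed)
    confirmed_tids = {tid for tid, _ in confirmed}
    confirmed_hosts = {host for _, host in confirmed}
    hits: List[Recommendation] = []
    for line in lines:
        entry = parse_log(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the ranking
        for tid in matching_techniques(entry, kb):
            if (tid, entry.host) in confirmed:
                continue  # already explored, do not recommend it again
            score = 1.0
            if confirmed_tids & set(kb[tid]["follows"]):
                score += 1.0
            if entry.host in confirmed_hosts:
                score += 0.5
            hits.append(Recommendation(score, entry.ts, entry.host, tid, line))
    hits.sort(key=lambda h: (-h.score, h.ts))
    return hits[:top_k]


if __name__ == "__main__":
    # Simulate an analyst who validates the top suggestion at each step.
    findings: Set[Tuple[str, str]] = set()
    for step in range(3):
        recs = recommend(SAMPLE_LOGS, confirmed=findings)
        print(f"step {step}, confirmed={sorted(findings)}")
        for r in recs:
            name = KNOWLEDGE_BASE[r.technique]["name"]
            print(f"  {r.score:.1f} {r.technique} {name} on {r.host}: {r.line}")
        if recs:
            findings.add((recs[0].technique, recs[0].host))
```

With nothing confirmed every match scores the same, so the suggestions are simply in log order; once the analyst confirms the PowerShell execution on ws01, the scheduled task and the type-3 logon on the same host rise to the top, and confirming the remote logon on srv02 in turn promotes the large outbound transfer there. A real system would draw the "follows" relation and the indicators from a curated knowledge base rather than a hand-written dictionary, but the dynamic re-ranking is the point.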
Main file: KRAKEN.pdf (523.94 KB), files produced by the author(s)

Dates and versions

hal-03486546 , version 1 (17-12-2021)

Identifiers

  • HAL Id : hal-03486546 , version 1

Cite

Romain Brisse, Simon Boche, Frédéric Majorczyk, Jean-François Lalande. KRAKEN: A Knowledge-Based Recommender system for Analysts, to Kick Exploration up a Notch. SECITC 2021 - 14th International Conference on Security for Information Technology and Communications, Nov 2021, Virtual, France. pp.1-17. ⟨hal-03486546⟩