
AutoCRAT: Automatic Cumulative Reconstruction of Alert Trees

Eric Ficke, Raymond M. Bateman, Shouhuai Xu

TL;DR

This paper proposes AutoCRAT, a system that quantifies the breadth and severity of threats posed by a network exposure and prioritizes cyber triage activities during incident response, and validates its usefulness on a real-world dataset.

Abstract

When a network is attacked, cyber defenders need to precisely identify which systems (i.e., computers or devices) were compromised and what damage may have been inflicted. This process is sometimes referred to as cyber triage and is an important part of the incident response procedure. Cyber triage is challenging because the impacts of a network breach can be far-reaching with unpredictable consequences. This highlights the importance of automating this process. In this paper we propose AutoCRAT, a system for quantifying the breadth and severity of threats posed by a network exposure, and for prioritizing cyber triage activities during incident response. Specifically, AutoCRAT automatically reconstructs what we call alert trees, which track network security events emanating from, or leading to, a particular computer on the network. We validate the usefulness of AutoCRAT using a real-world dataset. Experimental results show that our prototype system can reconstruct alert trees efficiently and can facilitate data visualization in both incident response and threat intelligence analysis.

Paper Structure

This paper contains 10 sections, 1 equation, 4 figures, 5 tables, and 2 algorithms.

Figures (4)

  • Figure 1: Architecture of the AutoCRAT system
  • Figure 2: Example alert tree coloring, where the root is black, the child is red (ETS 179.10), and the grandchild is very nearly black (color code 0x0D0000 and ETS 10.49).
  • Figure 3: A forward tree containing eight vertices, colored red to black based on normalized ETS, descending. Of the four leaves (i.e., path targets), the reddest vertex, which represents the endpoints $(172.31.66.101, 52.87.201.4)$, scored an ETS of 5.92 with 35 alerts sharing a single ID.
  • Figure 4: A backward tree containing eight vertices, colored red to black based on normalized ETS, descending. Of the six leaves (i.e., path origins), the reddest vertex, which represents the endpoints $(92.63.197.12, 172.31.66.22)$, scored an ETS of 7.35 with 54 alerts sharing a single ID.

Theorems & Definitions (5)

  • Definition: Alert
  • Definition: Alert Graph
  • Definition: Alert Path
  • Definition: Alert Tree
  • Definition: Threat Score (TS)
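The following is an added toy illustration of the concepts listed above (alert, alert graph, alert path, forward and backward alert tree, and a red-to-black coloring by normalized score) applied to a handful of constructed IDS alerts; it is not AutoCRAT's code and the paper's own TS/ETS formula is not on this page. Everything it assumes is its own: the vertex of a tree is an endpoint pair $(src, dst)$ as in the figure captions, a hop is only followed when its alert is ordered after (forward) or before (backward) the hop that reached the current host, each host is attached to the tree once so cycles are cut, and the stand-in score is simply the number of alerts on the vertex.

```python
"""Toy forward/backward alert-tree reconstruction with score colouring.
Added illustration only; not AutoCRAT's code, and the score rule is an assumption."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from math import inf
from typing import Dict, List, Optional, Tuple

Host = str
Pair = Tuple[Host, Host]  # (src, dst) endpoints: the vertices of an alert tree


@dataclass(frozen=True)
class Alert:
    t: float   # seconds since capture start
    src: Host
    dst: Host
    sig: int   # IDS signature / alert ID


@dataclass
class Node:
    parent: Optional[Pair]                      # None when the parent is the root host
    alerts: List[Alert] = field(default_factory=list)


# Constructed sample alerts (not the paper's dataset); addresses are illustrative.
SAMPLE_ALERTS = [
    Alert(10, "92.63.197.12", "172.31.66.22", 2001),
    Alert(11, "92.63.197.12", "172.31.66.22", 2001),
    Alert(12, "92.63.197.12", "172.31.66.22", 2001),
    Alert(20, "172.31.66.22", "172.31.66.101", 3002),
    Alert(21, "172.31.66.22", "172.31.66.101", 3002),
    Alert(15, "172.31.66.101", "10.0.0.9", 7007),      # fired before .101 was reached: not a forward hop
    Alert(30, "172.31.66.101", "52.87.201.4", 4003),
    Alert(31, "172.31.66.101", "52.87.201.4", 4003),
    Alert(32, "172.31.66.101", "52.87.201.4", 4003),
    Alert(33, "172.31.66.101", "52.87.201.4", 4003),
    Alert(35, "172.31.66.101", "172.31.66.50", 3002),
    Alert(5,  "172.31.66.101", "172.31.66.22", 5005),   # points back at the root: would close a cycle
    Alert(40, "172.31.66.50", "172.31.66.22", 6006),    # same
]


def alert_graph(alerts: List[Alert]) -> Dict[Pair, List[Alert]]:
    """Alert graph: directed multigraph keyed by (src, dst), holding every alert on that edge."""
    g: Dict[Pair, List[Alert]] = defaultdict(list)
    for a in alerts:
        g[(a.src, a.dst)].append(a)
    return g


def reconstruct_tree(alerts: List[Alert], root: Host, forward: bool = True) -> Dict[Pair, Node]:
    """BFS from root, following alerts outward (forward tree: events emanating from root)
    or inward (backward tree: events leading to root). Assumptions of this toy: a hop is
    followed only if its alert is ordered after (forward) / before (backward) the hop that
    reached the current host, and each host is attached once, which keeps the result a tree."""
    g = alert_graph(alerts)
    tree: Dict[Pair, Node] = {}
    visited = {root}
    # queue entries: (host to expand, time bound inherited from the hop that reached it, tree vertex)
    queue = deque([(root, -inf if forward else inf, None)])
    while queue:
        host, bound, parent = queue.popleft()
        for (src, dst), edge_alerts in g.items():
            here, there = (src, dst) if forward else (dst, src)
            if here != host or there in visited:
                continue
            ok = [a for a in edge_alerts if (a.t >= bound if forward else a.t <= bound)]
            if not ok:
                continue
            visited.add(there)
            tree[(src, dst)] = Node(parent, ok)
            next_bound = min(a.t for a in ok) if forward else max(a.t for a in ok)
            queue.append((there, next_bound, (src, dst)))
    return tree


def leaves(tree: Dict[Pair, Node]) -> List[Pair]:
    parents = {n.parent for n in tree.values()}
    return [v for v in tree if v not in parents]


def path_endpoints(tree: Dict[Pair, Node], forward: bool = True) -> List[Host]:
    """Path targets of a forward tree (leaf dst) or path origins of a backward tree (leaf src)."""
    return sorted(v[1] if forward else v[0] for v in leaves(tree))


def threat_score(node: Node) -> float:
    """Stand-in score: alert count on the vertex. The paper's TS/ETS is not given on this page."""
    return float(len(node.alerts))


def colour_tree(tree: Dict[Pair, Node]) -> Dict[Pair, str]:
    """Red-to-black colouring by normalised score: top score -> 0xFF0000, zero -> 0x000000 (root)."""
    top = max((threat_score(n) for n in tree.values()), default=0.0)
    return {v: f"0x{int(round(255 * threat_score(n) / top)) if top else 0:02X}0000"
            for v, n in tree.items()}


if __name__ == "__main__":
    for fwd in (True, False):
        t = reconstruct_tree(SAMPLE_ALERTS, "172.31.66.22", forward=fwd)
        print(f"{'forward' if fwd else 'backward'} tree from 172.31.66.22: {len(t)} vertices, "
              f"{'targets' if fwd else 'origins'} = {path_endpoints(t, fwd)}")
        for v, c in colour_tree(t).items():
            print(f"  {v} score={threat_score(t[v]):.0f} colour={c}")
```

Run stand-alone, the forward tree from 172.31.66.22 attaches three vertices and reports two path targets (52.87.201.4 and 172.31.66.50), dropping the alert to 10.0.0.9 because it predates the hop that reached 172.31.66.101; the backward tree attaches the three inbound endpoint pairs as leaves and reports three path origins. The reddest vertex in each tree is the one carrying the most alerts, matching the reading of Figures 3 and 4, but the ordering rule and the alert-count score are this example's simplifications, not the paper's definitions.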