Comprehending Security Events: Context-Based Identification and Explanation

Research output: Thesis › PhD Thesis - Research UT, graduation UT


Abstract

With the increased sophistication of cyber attacks, organizations are under constant threat of data breaches, disruption of business processes and reputation loss.
As preventive measures are not infallible, organizations have started to more closely monitor their devices and network infrastructure for malicious activity.
By swift detection of an attack at an early stage, organizations can take mitigating actions limiting the impact to their organization.
This detection is performed by a Security Operations Center (SOC) deploying automated detectors that monitor devices and network traffic for suspicious events.
This thesis aims to better understand security events and applies that knowledge to develop approaches that assist (semi-)automated analysis.

Concretely, we first investigate the process of sharing threat intelligence through reports describing high-level tactics and techniques used by attackers.
In doing so, we develop a natural language processing framework that automatically extracts actionable threat intelligence and classifies it into the ATT&CK knowledge base, a framework describing threat models and methodologies.
Second, we study the event investigation process known as triaging.
Here, we develop an approach that semi-automatically analyses security events in the context of other security events to determine the overall risk level.
Third, we investigate security events more deeply at the network level and devise an approach that clusters encrypted network traffic according to the application that produced it.
This gives security operators a deeper understanding of network traffic and allows them to block malicious activity more effectively.
Finally, we perform a case study where we apply the methods developed in this work to the domain of identity and access management policies to identify misconfigurations.
This case study demonstrates the potential for our methods in future work.

Combining these findings, we conclude that these approaches bring us a step closer to understanding security events and providing adequate responses.
Original language: English
Qualification: Doctor of Philosophy
Awarding Institution:
  • University of Twente
Supervisors/Advisors:
  • van Steen, Maarten, Supervisor
  • Peter, Andreas, Supervisor
  • Continella, Andrea, Co-Supervisor
Award date: 24 Nov 2023
Place of Publication: Enschede
Publisher:
Print ISBNs: 978-90-365-5888-4
Electronic ISBNs: 978-90-365-5889-1
DOIs:
Publication status: Published - 24 Nov 2023
