Improving Cybersecurity Incident Analysis Workflow with Analytical Provenance
| Authors | |
|---|---|
| Year of publication | 2022 |
| Type | Article in Proceedings |
| Conference | 2022 26th International Conference Information Visualisation (IV) |
| MU Faculty or unit | |
| Citation | |
| Web | https://doi.org/10.1109/IV56949.2022.00058 |
| Doi | http://dx.doi.org/10.1109/IV56949.2022.00058 |
| Keywords | cybersecurity; incident analysis; analytical provenance; explorative data analysis |
| Attached files | |
| Description | Cybersecurity incident analysis is an exploratory, data-driven process over records and logs from network monitoring tools. The process is rarely linear and frequently breaks down into multiple investigation branches. Analysts document all the steps and lessons learned and suggest mitigations. However, current tools provide only limited support for analytical provenance. As a result, analysts have to record all the details regarding the performed steps and notes in separate documents. Such a procedure increases their cognitive demands and is naturally error-prone. This paper proposes a conceptual design of the analytical tool implementing means of analytical provenance in cybersecurity incident analysis workflows. We identified the user requirements and designed and implemented a proof of concept prototype application Incident Analyzer. Qualitative feedback from four domain experts confirmed that our approach is promising and can significantly improve current cybersecurity and network incident analysis practices. |
| Related projects: |