University of Twente Student Theses
Enhancing Explainability in Alert Triaging for Improved Security Event Analysis : Integrating Domain-Specific Knowledge from the MITRE ATT&CK Framework
Hoogendijk, R. (2024) Enhancing Explainability in Alert Triaging for Improved Security Event Analysis : Integrating Domain-Specific Knowledge from the MITRE ATT&CK Framework.
Abstract: This study aims to enhance cyber attack analysis by integrating the MITRE ATT&CK Framework into an alert triaging tool, with the goal of improving the visualization and explanation of entire cyber kill chains. The tool chosen for this study is DeepCASE, which clusters security events based on contextual similarity. The methodology involved mapping security events to MITRE ATT&CK techniques, organizing those techniques into phases, and plotting them in a graph-like attack structure. DeepCASE was then used to identify the most probable attack path within this structure. The evaluation tested the underlying assumptions: the mapping of events to the MITRE ATT&CK Framework, the method used to construct the attack graphs, and the way paths are found in these graphs. The results indicate that, while the methodology struggles to reliably find attack paths, several adjustments could improve its performance. Potential improvements include a better mapping of events to the MITRE ATT&CK Framework, using a dependency graph instead of phases, and integrating additional frameworks and tools.
Item Type: Essay (Master)
Clients: KPMG, Amstelveen, Netherlands
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/102783