Reconstructing Alert Trees for Cyber Triage
Cyber defense operators are often confronted with a large amount of data, such as alerts generated by intrusion detection systems. Much of this data is misleading or even counterproductive in the pursuit of effective and efficient defense. The field of Cyber Triage aims to pinpoint threats to a network and provide defenders with the data pertinent to these pursuits. This turns out to be a challenging task because many cyber attacks are conducted in multiple steps and cannot be matched by existing cyber defense tools, which tend to focus on specific hosts or network links. Towards bridging this gap, this Dissertation presents a systematic study on the innovative notions of alert paths and alert trees, which present a given set of seemingly unrelated alerts in a meaningful structure. Specifically, the Dissertation makes three contributions: (i) it investigates how to formulate alerts into alert paths to make sense of them; (ii) it investigates how to formulate alerts into alert trees to most systematically represent the corresponding threats; (iii) it investigates how to reduce the sizes of these trees without losing useful information, in order to make it more feasible to visualize alert trees. For these purposes, the Dissertation presents suites of algorithms, which are validated via real-world datasets.
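As an added illustration of the three notions in the order the abstract lists them, and not the Dissertation's own algorithms (which the abstract does not describe), the Python below uses an assumed linking rule: an alert is chained to a later alert whose source host is its destination host within a time window; paths sharing a prefix are merged into a tree; and the tree is reduced by merging leaf siblings that differ only in target host. The alerts, hosts and signatures are constructed sample data.

```python
from collections import defaultdict
# Constructed sample alerts: (time, src_host, dst_host, signature).
ALERTS = [
    (1, "A", "B", "scan"),
    (2, "B", "C", "exploit"),
    (3, "B", "D", "exploit"),
    (4, "B", "F", "exploit"),
    (5, "C", "E", "lateral"),
    (6, "X", "Y", "scan"),       # unrelated alert: never reached from "A"
    (40, "E", "G", "lateral"),   # outside the time window: not chained
]
def alert_paths(alerts, root, window=10):
    """Chain alerts whose dst is the src of a later alert within `window`
    time units (assumed linking rule); return one list per maximal path."""
    by_src = defaultdict(list)
    for a in sorted(alerts):
        by_src[a[1]].append(a)
    paths = []
    def walk(path):
        last = path[-1]
        nxt = [a for a in by_src[last[2]]
               if last[0] < a[0] <= last[0] + window and a not in path]
        if not nxt:
            paths.append(path)
        for a in nxt:
            walk(path + [a])
    for first in by_src[root]:
        walk([first])
    return paths

def alert_tree(paths):
    """Merge paths sharing a prefix into a nested dict keyed by (src, dst, sig)."""
    tree = {}
    for path in paths:
        node = tree
        for _, s, d, sig in path:
            node = node.setdefault((s, d, sig), {})
    return tree

def reduce_tree(tree):
    """Merge leaf siblings sharing src and signature; dst becomes the set of hit hosts."""
    merged, out = {}, {}
    for (s, d, sig), child in tree.items():
        if child:
            out[(s, d, sig)] = reduce_tree(child)
        else:
            merged.setdefault((s, sig), set()).add(d)
    for (s, sig), hosts in merged.items():
        out[(s, frozenset(hosts), sig)] = {}
    return out
```

On the sample data the tree rooted at "A" shrinks from five nodes to four while every targeted host is still recorded in the merged leaf.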