Research area: Safety
Conference: SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing
Cyber attacks leave traces in data sources such as log files, memory or data streams. Detection systems use these data sources to detect the application of specific attack techniques. Attack techniques vary considerably in their effectiveness, their potential impact and how threat actors apply them. Data sources, on the other hand, may contain traces of one or several attack techniques, and the effort required to process their output may differ heavily. It is therefore clear that not all data sources are of equal value for detection, and organizations must carefully survey which sources should be analyzed and which attack techniques need to be found. This paper introduces D3TECT, a process model that describes a procedure for dynamically ranking and selecting data sources suitable for detection. The novelty is that this model accounts for constraints in the selection process: for instance, if a certain data source cannot be used in a specific setting, e.g., because of data privacy constraints, the discovery of the most important attack techniques is still ensured by the remaining data sources. The D3TECT approach thus addresses the challenge of strategically selecting data sources while accounting for their varying usefulness for attack detection. The model is tested with real data, using the MITRE ATT&CK framework and numerous public cyber threat intelligence databases. The paper shows the ranking results and discusses their plausibility to validate D3TECT.
| Publication year | 2022 |
|---|---|
| Citations | 0 |
| Country of publication | Austria |
| Site | ACM |
| Likes | 0 |