An Intelligent Security Operation Technology System Framework AISecOps

doi:10.11871/jfdc.issn.2096-742X.2021.03.004

Abstract

Abstract:

[Objective] Based on the practice of AI-driven security and data-driven threat hunting technologies and targeting at the automation and intelligence pursuing for security operations (SecOps), this paper summarizes the evolution of SecOps processes and aims at offering a systematic methodology for technology development in this domain.[Methods] We propose the system framework for AISecOps (AI-driven Security operations) technologies from multi-level perspectives, such as core concepts, evaluation metrics, data categories, system architectures, maturity levels, classification for advanced technologies and so on. [Results] AISecOps fits to the adversarial environment in cyberspace and is responsible for key indicators and critical procedures in SecOps. Behavioral, environmental, intelligence, and knowledge data are fused with human-machine intelligent interfaces, contributing to the promotion of SecOps automation levels.[Conclusions] AISecOps technologies are far from mature at present. Trustworthy security intelligence with outstanding prediction performance, interpretability, robust and compliance properties is the ultimate goal to seek in the SecOps automation process.

Key words: AISecOps, AI-driven security, explainable artificial intelligence, threat hunting

ZHANG Runzi,LIU Wenmao. An Intelligent Security Operation Technology System Framework AISecOps[J]. Frontiers of Data and Computing, 2021, 3(3): 32-47.

Figures/Tables 9

Fig.1

Table 1

Fig.2

Fig.3

Fig.4

Fig.5

Fig.6

Fig.7

Fig.8

References 25

[1]	Gartner. Security Operations Primer for 2020[EB/OL]. https://www.gartner.com/en/documents/3978969/security-operations-primer-for-2020, 2020-01-02/2021-03-07.
[2]	Friedberg I, Skopik F, Settanni G, et al. Combating advan-ced persistent threats: From network event correlation to incident detection[J]. Computers & Security, 2015, 48(7):35-57. doi: 10.1016/j.cose.2014.09.006
[3]	张润滋, 刘文懋, 尤扬, 解烽. AISecOps自动化能力分级与技术趋势研究[J]. 信息网络安全, 2020, 20(09):22-26.
[4]	Dang Y, Lin Q, Huang P. AIOps: real-world challenges and research innovations[C]. 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), 2019: 4-5.
[5]	Rowley J. The wisdom hierarchy: representations of the DIKW hierarchy[J]. Journal of information science, 2007, 33(2):163-180. doi: 10.1177/0165551506070706
[6]	Noel S, Harley E, Tam K H, et al. Chapter 4 - CyGraph: Graph-Based Analytics and Visualization for Cyberse-curity[M]. Handbook of Statistics: Elsevier, 2016: 117-167.
[7]	The MITRE Corporation. MITRE ATT&CK Matrix for Enterprise[EB/OL]. https://attack.mitre.org/, 2020-10-27/2021-03-07.
[8]	The MITRE Corporation. Common Attack Pattern Enume-ration and Classification (CAPEC)[EB/OL]. https://capec.mitre.org/, 2021-02-25/2021-03-07.
[9]	The MITRE Corporation. Common Weakness Enume-ration (CWE)[EB/OL]. https://cwe.mitre.org/, 2021-01-18/ 2021-03-07.
[10]	Grant T. Unifying planning and control using an OODA-based architecture[C]. Proceedings of Annual Conference of the South African Institute of Computer Scientists and Information Technologists, 2005: 111-122.
[11]	Zhang Z, Ho P H, He L. Measuring IDS-estimated attack impacts for rational incident response: A decision theoretic approach[J]. Computers & Security, 2009, 28(7):605-614. doi: 10.1016/j.cose.2009.03.005
[12]	Jajodia S, Noel S, Kalapa P, et al. Cauldron mission-centric cyber situational awareness with defense in depth[C]. 2 011 - MILCOM 2011 Military Communications Conference, 2011: 1339-1344.
[13]	Lee S, Kim S, Lee S, et al. LARGen: Automatic Signature Generation for Malwares Using Latent Dirichlet Allocation[J]. IEEE Transactions on Dependable & Secure Comput-ing, 2018, 15(5):771-783.
[14]	郭莉, 曹亚男, 苏马婧, 等. 网络空间资源测绘:概念与技术[J]. 信息安全学报, 2018, 003(004):1-14.
[15]	Wang W, Sheng Y, Wang J, et al. HAST-IDS: Learning Hierarchical Spatial-Temporal Features Using Deep Neural Networks to Improve Intrusion Detection[J]. IEEE Access, 2018, 6(99):1792-1806. doi: 10.1109/ACCESS.2017.2780250
[16]	Liu F, Wen Y, Zhang D, et al. Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise[C]. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019: 1777-1794.
[17]	Pei K, Gu Z, Saltaformaggio B, et al. HERCULE: attack story reconstruction via community discovery on correlated log graph[C]. Proceedings of the 32nd Annual Conference on Computer Security Applications, 2016: 583-595.
[18]	Milajerdi S, Gjomemo R, Eshete B, et al. HOLMES: Real-Time APT Detection through Correlation of Suspi-cious Information Flows[M]. 2019: 1137-1152.
[19]	Hossain M N, Sheikhi S, Sekar R. Combating Depen-dence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics[C]. 2020 IEEE Symposium on Security and Privacy (SP), 2020: 1139-1155.
[20]	Pitropakis N, Panaousis E, Giannakoulias A, et al. An Enhanced Cyber Attack Attribution Framework[C]. Trust, Privacy and Security in Digital Business, 2018: 213-228.
[21]	Aminanto M E, Zhu L, Ban T, et al. Combating Threat-Alert Fatigue with Online Anomaly Detection Using Isolation Forest[C]. Neural Information Processing, 2019: 756-765.
[22]	Friedberg I, Skopik F, Fiedler R. Cyber situational awareness through network anomaly detection: state of the art and new approaches[J]. e & i Elektrotechnik und Informationstechnik, 2015, 132(2):101-105.
[23]	Ghanem M C, Chen T M. Reinforcement Learning for Intelligent Penetration Testing[C]. 2018 Second World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), 2018: 185-192.
[24]	Nespoli P, Papamartzivanos D, Mármol F G, et al. Opti-mal Countermeasures Selection Against Cyber Attacks: A Comprehensive Survey on Reaction Frameworks[J]. IEEE Communications Surveys & Tutorials, 2018, 20(2):1361-1396.
[25]	Roy A, Kim D S, Trivedi K S. Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees[J]. Security and Communication Networks, 2012, 5(8):929-943. doi: 10.1002/sec.299

产品	关键技术概述
IBM QRadar	融合终端、网络、情报等多维数据,结合Watson人工智能手段进行事件分诊、调查。
Exabeam UEBA	基于异常检测与用户画像,实现行为分析技术,有效识别内外部实体及用户行为基线偏移。
Microsoft Azure Sentinel	基于图数据与图分析方法,感知资产、身份、行为等多维度风险,并给出可供调查的上下文。
DarkTrace Immune System	基于无监督和自学习方法,自适应的对正常模式进行持续建模,能够有效识别未知攻击模式。
Palo Alto Networks Cortex XDR	基于多源数据的,利用有监督模型与无监督模型进行行为建模,支持攻击识别与检测。