Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design

TitleToward a visualization-supported workflow for cyber alert management using threat models and human-centered design
Publication TypeConference Paper
Year of Publication2017
AuthorsFranklin, L, Pirrung, M, Blaha, L, Dowling, M, Feng, M
Conference Name2017 IEEE Symposium on Visualization for Cyber Security (VizSec)
Date Published10/2017
Conference LocationPhoenix, AZ
Keywordsanalytic process, Analytical models, automated decision support, complex processes, Computer security, cyber alert management, cyber analysts, cyber network analysts, data analysis, data stream monitoring, data visualisation, Data visualization, decision support systems, Electronic mail, H.1.2 [Information Systems]: User/Machine Systems — Human Factors, H.5.2 [Information Interfaces and presentation]: User Interfaces — User Centered Design, human-centered design, Interviews, learning (artificial intelligence), machine learning algorithms, noisy data sets, potential threats, prototype visual analytic-supported alert management workflow, rich data sets, security of data, specific data mapping, support tools, threat model, Tools, visual analytic environments, visual analytic tools, visualization designs, visualization-supported workflow
Abstract

Cyber network analysts follow complex processes in their investigations of potential threats to their network. Much research is dedicated to providing automated decision support in the effort to make their tasks more efficient, accurate, and timely. Support tools come in a variety of implementations from machine learning algorithms that monitor streams of data to visual analytic environments for exploring rich and noisy data sets. Cyber analysts, however, need tools which help them merge the data they already have and help them establish appropriate baselines against which to compare anomalies. Furthermore, existing threat models that cyber analysts regularly use to structure their investigation are not often leveraged in support tools. We report on our work with cyber analysts to understand the analytic process and how one such model, the MITRE ATT&CK Matrix [42], is used to structure their analytic thinking. We present our efforts to map specific data needed by analysts into this threat model to inform our visualization designs. We leverage this expert knowledge elicitation to identify a capability gaps that might be filled with visual analytic tools. We propose a prototype visual analytic-supported alert management workflow to aid cyber analysts working with threat models.

DOI10.1109/VIZSEC.2017.8062200