
Adjustable Fusion to Support Cyber Security Operators


Abstract

Cyber security operators use Security Information and Event Management systems to process and summarize the huge amount of heterogeneous logs and alerts. However, these systems do not give the operator a concise view of the attack status or context, a mandatory feature for properly understanding and remediating a threat. Moreover, the number of alerts to analyze for a single information system is high, so the work must be split into several levels of responsibility distributed among several operators. This layered security monitoring implies a decision problem as well as an automation problem, both tackled in this paper with the support of an attack graph-based feature. An attack graph is a risk assessment model that accurately and concisely describes the threats to an information system. In this article, we describe how an attack graph can be used for pattern searching and fusion algorithms in order to add context to the alerts. We also present recommendations for designing future interactive applications for cyber security monitoring, based on adjustable fusion and a risk assessment model.
