TY - JOUR
T1 - DomainPrio
T2 - Prioritizing Domain Name Investigations to Improve SOC Efficiency
AU - Chiba, Daiki
AU - Akiyama, Mitsuaki
AU - Otsuki, Yuto
AU - Hada, Hiroki
AU - Yagi, Takeshi
AU - Fiebig, Tobias
AU - Van Eeten, Michel
PY - 2022
Y1 - 2022
N2 - Security Operations Centers (SOCs) are in need of automation for triaging alerts. Current approaches focus on analyzing and enriching individual alerts. We take a different approach and analyze the population of alerts. In an observational study over 24 weeks, we find a surprising pattern: some domains get analyzed again and again by different analysts, without coming to a final evaluation. Overall, 19% of the domains trigger 74% of all investigations. The most time-consuming domains are classified as false positives and 'potentially unwanted programs' - the lowest threat level. To increase SOC efficiency, we design DomainPrio, a tool that prioritizes domains that are likely to be the subject of repeated, incomplete investigations. This enables us to indicate to the first analyst encountering this domain that the investigation should be, if possible, completed on this first attempt, so future investigations on the same domain can be prevented. DomainPrio is able to predict these domains with 89% accuracy and does so with an interpretable and auditable logistic regression model. When evaluating our tool on 100 days of data from a production setting, we find that it can potentially reduce the number of alert investigations by up to 35%, presenting the SOC with very substantial efficiency gains.
KW - Network security
KW - security operations
KW - security operations centers
KW - SOC
KW - threat analysis
UR - http://www.scopus.com/inward/record.url?scp=85127071158&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2022.3161636
DO - 10.1109/ACCESS.2022.3161636
M3 - Article
AN - SCOPUS:85127071158
VL - 10
SP - 34352
EP - 34368
JO - IEEE Access
JF - IEEE Access
SN - 2169-3536
ER -