DomainPrio: Prioritizing Domain Name Investigations to Improve SOC Efficiency

Daiki Chiba*, Mitsuaki Akiyama, Yuto Otsuki, Hiroki Hada, Takeshi Yagi, Tobias Fiebig, Michel Van Eeten

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

42 Downloads (Pure)

Abstract

Security Operations Centers (SOCs) are in need of automation for triaging alerts. Current approaches focus on analyzing and enriching individual alerts. We take a different approach and analyze the population of alerts. In an observational study over 24 weeks, we find a surprising pattern: some domains get analyzed again and again by different analysts, without coming to a final evaluation. Overall, 19% of the domains trigger 74% of all investigations. The most time-consuming domains are classified as false positives and 'potentially unwanted programs' - the lowest threat level. To increase SOC efficiency, we design DomainPrio, a tool that prioritizes domains that are likely to be the subject of repeated, incomplete investigations. This enables us to indicate to the first analyst encountering this domain that the investigation should be, if possible, completed on this first attempt, so future investigations on the same domain can be prevented. DomainPrio is able to predict these domains with 89% accuracy and does so with an interpretable and auditable logistic regression model. When evaluating our tool on 100 days of data from a production setting, we find that it can potentially reduce the number of alert investigations by up to 35%, presenting the SOC with very substantial efficiency gains.
Original languageEnglish
Pages (from-to)34352-34368
Number of pages17
JournalIEEE Access
Volume10
DOIs
Publication statusPublished - 2022

Keywords

  • Network security
  • security operations
  • security operations centers
  • SOC
  • threat analysis

Fingerprint

Dive into the research topics of 'DomainPrio: Prioritizing Domain Name Investigations to Improve SOC Efficiency'. Together they form a unique fingerprint.

Cite this