Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs

Warning

This publication does not belong to the Institute of Computer Science but to the Faculty of Informatics. The official publication page is on the muni.cz website.
Authors

SADLEK Lukáš, YAMIN Muhammad Mudassar, ČELEDA Pavel, KATT Basel

Year of publication 2025
Type Article in a peer-reviewed journal
Journal / Source Journal of Information Security and Applications
Faculty / MU unit

Faculty of Informatics

Citation
www https://www.sciencedirect.com/science/article/pii/S2214212624002588
DOI http://dx.doi.org/10.1016/j.jisa.2024.103956
Keywords kill chain; attack graph; incident severity; incident triage; MITRE ATT&CK; cyber crisis
Attached files
Description Security teams process a vast number of security events. Their security analysts spend considerable time triaging cybersecurity alerts. Many alerts reveal incidents that must be handled first and escalated to the more experienced staff to allow appropriate responses according to their severity. The current state requires an automated approach, considering contextual relationships among security events, especially detected attack tactics and techniques. In this paper, we propose a new graph-based approach for incident triage. First, it generates a kill chain attack graph from host and network data. Second, it creates sequences of detected alerts that could represent ongoing multi-step cyber attacks and matches them with the attack graph. Last, it assigns severity levels to the created sequences of alerts according to the most advanced kill chain phases that were used and the criticality of assets. We implemented the approach using the MulVAL attack graph generator and generation rules for MITRE ATT&CK techniques. The evaluation was accomplished in a testbed where multi-step attack scenarios were executed. Classification of sequences of alerts based on computed match scores obtained 0.95 area under the receiver operating characteristic curve in a feasible time. Moreover, a threshold exists for classifying 80% of positive sequences correctly and only a small percentage of negative sequences wrongly. Therefore, the approach selects malicious sequences of alerts and significantly improves incident triage.
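An added illustration (not code from the paper or its authors) of the triage idea the abstract describes: alerts tagged with MITRE ATT&CK tactics are grouped into per-host candidate attack sequences, and each sequence is scored from the most advanced kill chain phase it reached and the criticality of the affected asset. The phase ranking, the severity formula, the host names and the alerts are constructed assumptions; the paper's attack-graph matching and match scores are not reproduced.

```python
from collections import namedtuple
from itertools import groupby

PHASE_INDEX = {  # assumed tactic -> kill chain phase rank (higher = more advanced)
    "reconnaissance": 0, "initial-access": 1, "execution": 2, "persistence": 3,
    "privilege-escalation": 4, "lateral-movement": 5, "exfiltration": 6, "impact": 6,
}
ASSET_CRITICALITY = {"web01": 1, "ws-17": 2, "db01": 3}  # assumed, 3 = most critical
Alert = namedtuple("Alert", "ts host technique tactic")  # ts in seconds, constructed

def build_sequences(alerts, window=3600):
    """Per-host, time-ordered sequences; a gap > window seconds starts a new one."""
    ordered = sorted(alerts, key=lambda a: (a.host, a.ts))
    sequences = []
    for _, group in groupby(ordered, key=lambda a: a.host):
        current = []
        for alert in group:
            if current and alert.ts - current[-1].ts > window:
                sequences.append(current)
                current = []
            current.append(alert)
        sequences.append(current)
    return sequences

def severity(sequence):
    """Assumed rule: (most advanced phase reached + 1) * asset criticality."""
    furthest = max(PHASE_INDEX.get(a.tactic, 0) for a in sequence)
    score = (furthest + 1) * ASSET_CRITICALITY.get(sequence[0].host, 1)
    label = ("critical" if score >= 16 else "high" if score >= 8
             else "medium" if score >= 4 else "low")
    return score, label

def triage(alerts):
    """Rank candidate sequences so the most severe reach analysts first."""
    ranked = [(*severity(seq), seq[0].host, [a.technique for a in seq])
              for seq in build_sequences(alerts)]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

SAMPLE_ALERTS = [  # constructed sample, not the paper's testbed data
    Alert(0, "web01", "T1595", "reconnaissance"),
    Alert(100, "web01", "T1190", "initial-access"),
    Alert(200, "ws-17", "T1059", "execution"),
    Alert(300, "ws-17", "T1547", "persistence"),
    Alert(10000, "ws-17", "T1068", "privilege-escalation"),  # >1 h later: new sequence
    Alert(500, "db01", "T1021", "lateral-movement"),
    Alert(900, "db01", "T1041", "exfiltration"),
]
```

Running `triage(SAMPLE_ALERTS)` ranks the database host's lateral-movement-to-exfiltration sequence first and the web server's reconnaissance-only sequence last, while the one-hour gap splits the workstation's alerts into two separate candidates.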
