OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Toward a Visualization-Supported Workflow for Cyber Alert Management using Threat Models and Human-Centered Design

Abstract

Cyber network analysts follow complex processes in their investigations of potential threats to their network. Much research is dedicated to providing automated tool support in the effort to make their tasks more efficient, accurate, and timely. This tool support comes in a variety of implementations, from machine learning algorithms that monitor streams of data to visual analytic environments for exploring rich and noisy data sets. Cyber analysts, however, often speak of a need for tools which help them merge the data they already have and help them establish appropriate baselines against which to compare potential anomalies. Furthermore, existing threat models that cyber analysts regularly use to structure their investigation are not often leveraged in support tools. We report on our work with cyber analysts to understand their analytic process and how one such model, the MITRE ATT&CK Matrix [32], is used to structure their analytic thinking. We present our efforts to map specific data needed by analysts into the threat model to inform our eventual visualization designs. We examine the data mapping for gaps where the threat model is under-supported by either data or tools. We discuss these gaps as potential design spaces for future research efforts. We also discuss the design of a prototype tool that combines machine-learning and visualization components to support cyber analysts working with this threat model.

Authors:
Franklin, Lyndsey; Pirrung, Megan A.; Blaha, Leslie M.; Dowling, Michelle V.; Feng, Mi
Publication Date:
October 9, 2017
Research Org.:
Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1415703
Report Number(s):
PNNL-SA-127976
DOE Contract Number:  
AC05-76RL01830
Resource Type:
Conference
Resource Relation:
Conference: IEEE Symposium on Visualization for Cyber Security (VizSec 2017), October 2, 2017, Phoenix, Arizona
Country of Publication:
United States
Language:
English
Subject:
Cyber Security; Human Centered Design; Visual Analytics

Citation Formats

Franklin, Lyndsey, Pirrung, Megan A., Blaha, Leslie M., Dowling, Michelle V., and Feng, Mi. Toward a Visualization-Supported Workflow for Cyber Alert Management using Threat Models and Human-Centered Design. United States: N. p., 2017. Web. doi:10.1109/VIZSEC.2017.8062200.
Franklin, Lyndsey, Pirrung, Megan A., Blaha, Leslie M., Dowling, Michelle V., & Feng, Mi. Toward a Visualization-Supported Workflow for Cyber Alert Management using Threat Models and Human-Centered Design. United States. doi:10.1109/VIZSEC.2017.8062200.
Franklin, Lyndsey, Pirrung, Megan A., Blaha, Leslie M., Dowling, Michelle V., and Feng, Mi. 2017. "Toward a Visualization-Supported Workflow for Cyber Alert Management using Threat Models and Human-Centered Design". United States. doi:10.1109/VIZSEC.2017.8062200.
@inproceedings{osti_1415703,
title = {Toward a Visualization-Supported Workflow for Cyber Alert Management using Threat Models and Human-Centered Design},
author = {Franklin, Lyndsey and Pirrung, Megan A. and Blaha, Leslie M. and Dowling, Michelle V. and Feng, Mi},
abstractNote = {Cyber network analysts follow complex processes in their investigations of potential threats to their network. Much research is dedicated to providing automated tool support in the effort to make their tasks more efficient, accurate, and timely. This tool support comes in a variety of implementations, from machine learning algorithms that monitor streams of data to visual analytic environments for exploring rich and noisy data sets. Cyber analysts, however, often speak of a need for tools which help them merge the data they already have and help them establish appropriate baselines against which to compare potential anomalies. Furthermore, existing threat models that cyber analysts regularly use to structure their investigation are not often leveraged in support tools. We report on our work with cyber analysts to understand their analytic process and how one such model, the MITRE ATT&CK Matrix [32], is used to structure their analytic thinking. We present our efforts to map specific data needed by analysts into the threat model to inform our eventual visualization designs. We examine the data mapping for gaps where the threat model is under-supported by either data or tools. We discuss these gaps as potential design spaces for future research efforts. We also discuss the design of a prototype tool that combines machine-learning and visualization components to support cyber analysts working with this threat model.},
booktitle = {IEEE Symposium on Visualization for Cyber Security (VizSec 2017)},
address = {Phoenix, Arizona},
doi = {10.1109/VIZSEC.2017.8062200},
institution = {Pacific Northwest National Lab. (PNNL), Richland, WA (United States)},
number = {PNNL-SA-127976},
place = {United States},
year = {2017},
month = {oct}
}

Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.
