PRIORITI: scoring and categorization-based threat prioritization

Published: 01 Jan 2025, Last Modified: 22 May 2025. Venue: J. Supercomput. 2025. License: CC BY-SA 4.0
Abstract: The threat alert fatigue (alert overload) problem has become critical in recent years. In practice, the volume of threat alerts exceeds the volume that SOC analysts can investigate. In this paper, we propose “Threat Inspection and Prioritization (PRIORITI),” a threat inspection mechanism that derives threat intelligence from each threat alert in order to prioritize investigation. PRIORITI works in three phases. The first phase computes the MITRE techniques, which act as the base layer for threat scoring and categorization. The second phase maps each threat technique to CAPEC attack patterns and derives the scoring metrics from them; on top of these derived metrics we propose a novel threat scoring mechanism for computing the threat score. The third phase maps each MITRE technique to a single category from Microsoft’s STRIDE framework. Finally, the threat score and category are used together to prioritize the threat alerts. We evaluated PRIORITI on 7.6 million alerts from the DARPA dataset. It maps these alerts to 21 unique MITRE techniques and computes their threat scores and categories. From these results, PRIORITI prioritizes 1.27% (i.e., 96703 out of 7.6 million) of the captured alerts as critical, processing an average of 1 million alerts within ≈ 20 s. In addition, PRIORITI gives SOC analysts further context for investigating the threat alerts, which shortens the time taken to respond to threats after detection. Through this effort, PRIORITI improves the productivity of SOC analysts and makes a significant contribution to handling “threat alert fatigue.”
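To make the three-phase pipeline described in the abstract concrete, here is an added toy implementation (not the paper's code): rule name → MITRE technique, technique → CAPEC patterns → score, technique → STRIDE category, then priority. The mapping tables, the (likelihood, severity) metrics and the scoring formula are all assumptions invented for illustration; the technique and CAPEC identifiers are real, but their pairing here is illustrative only.

```python
from dataclasses import dataclass
from typing import Optional

# Phase 1 (assumed): a detection rule name identifies one MITRE ATT&CK technique.
RULE_TO_TECHNIQUE = {
    "suspicious_powershell": "T1059",  # Command and Scripting Interpreter
    "lsass_memory_read": "T1003",      # OS Credential Dumping
    "login_failure_burst": "T1110",    # Brute Force
    "port_sweep": "T1046",             # Network Service Discovery
}
# Phase 2 (assumed): technique -> CAPEC patterns with constructed
# (likelihood, severity) metrics on a 1..5 scale. Pairings are illustrative.
TECHNIQUE_TO_CAPEC = {
    "T1059": {"CAPEC-88": (4, 4)},   # OS Command Injection
    "T1003": {"CAPEC-560": (3, 5)},  # Use of Known Domain Credentials
    "T1110": {"CAPEC-49": (4, 3)},   # Password Brute Forcing
    "T1046": {"CAPEC-300": (5, 1)},  # Port Scanning
}
# Phase 3 (assumed): one STRIDE category per technique.
TECHNIQUE_TO_STRIDE = {"T1059": "Tampering", "T1003": "Information Disclosure",
                       "T1110": "Spoofing", "T1046": "Information Disclosure"}

@dataclass
class Triage:
    alert_id: str
    technique: Optional[str]
    score: float
    category: str
    priority: str

def threat_score(technique: Optional[str]) -> float:
    """Assumed scoring: worst mapped CAPEC pattern, likelihood*severity in [0,1]."""
    patterns = TECHNIQUE_TO_CAPEC.get(technique, {})
    return max((l * s for l, s in patterns.values()), default=0) / 25.0

def priority_for(score: float) -> str:
    return "critical" if score >= 0.6 else "high" if score >= 0.4 else "low"

def triage(alert: dict) -> Triage:
    tech = RULE_TO_TECHNIQUE.get(alert["rule"])  # unknown rule -> None, score 0
    score = threat_score(tech)
    return Triage(alert["id"], tech, score,
                  TECHNIQUE_TO_STRIDE.get(tech, "Unmapped"), priority_for(score))

def prioritize(alerts: list) -> list:
    return sorted((triage(a) for a in alerts), key=lambda t: t.score, reverse=True)

def critical_fraction(triaged: list) -> float:
    return sum(t.priority == "critical" for t in triaged) / len(triaged)

SAMPLE_ALERTS = [  # constructed input
    {"id": "a1", "rule": "suspicious_powershell"}, {"id": "a2", "rule": "lsass_memory_read"},
    {"id": "a3", "rule": "login_failure_burst"}, {"id": "a4", "rule": "port_sweep"},
    {"id": "a5", "rule": "unknown_rule"}]
```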