Brief description:
Artificial intelligence is touching on different aspects of information security. One of them is detection. Detection is usually administered by a SOC and its SOC analysts. I want to see if I can define a good alarm, perhaps by looking at the different stages in the cyber security kill chain, and then use this definition to form a set of demands a machine learning algorithm has to fulfill in order to give a high-value alarm to a SOC analyst.
Further research could include demands for escalation of a threat.
This can also be seen from the point of view of the pyramid of pain. In order to understand the higher levels, what kind of demands/information do we need from an alarm?
Scope:
- Defining a good alarm from a SOC point of view.
- Evaluate how a good alarm can be translated to a set of demands, perhaps only scoping into one or more of the stages in the cyber security kill chain.
- If possible: Evaluate how well machine learning algorithms can fulfill these demands.
- If possible: Define demands for further threat escalation, classically involving level 2 support and the middle leaders of an organization.