Seth Hasings (University of Tulsa)

Security Operations Centers (SOCs) receive thousands of security alerts each day, and analysts are responsible for evaluating each alert and initiating corrective action when necessary. Many of these alerts require consulting user authentication logs, which are notoriously messy and designed for machine use rather than human interpretability. We apply a novel methodology for processing raw logs into interpretable user authentication events in a university SOC dashboard tool. We review steps for data processing and describe views designed for analysts. To illustrate its value, we utilized the dashboard on a 90-day sample of alert logs from a university SOC. We present two representative alerts from the sample as case studies to motivate and demonstrate the generalized workflows. We show that enhanced data from the dashboard could be utilized to completely investigate over 84% of alerts in the sample without additional context or tools, and a further 13% could be partially investigated.

View More Papers

Diffence: Fencing Membership Privacy With Diffusion Models

Yuefeng Peng (University of Massachusetts Amherst), Ali Naseh (University of Massachusetts Amherst), Amir Houmansadr (University of Massachusetts Amherst)

Read More

Oreo: Protecting ASLR Against Microarchitectural Attacks

Shixin Song (Massachusetts Institute of Technology), Joseph Zhang (Massachusetts Institute of Technology), Mengjia Yan (Massachusetts Institute of Technology)

Read More

Vision: Retiring Scenarios — Enabling Ecologically Valid Measurement in...

Oliver D. Reithmaier (Leibniz University Hannover), Thorsten Thiel (Atmina Solutions), Anne Vonderheide (Leibniz University Hannover), Markus Dürmuth (Leibniz University Hannover)

Read More