AI4SOAR: A Security Intelligence Tool for Automated Incident Response
ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
Article No.: 170, Pages 1 - 8
Abstract
The cybersecurity landscape is fraught with challenges stemming from the increasing volume and complexity of security alerts. Traditional manual or semi-automated approaches to threat analysis and incident response often result in significant delays in identifying and mitigating security threats. In this paper, we address these challenges by proposing AI4SOAR, a security intelligence tool for automated incident response. AI4SOAR leverages similarity learning techniques and integrates seamlessly with the open-source SOAR platform Shuffle. We conduct a comprehensive survey of existing open-source SOAR platforms, highlighting their strengths and weaknesses. Additionally, we present a similarity-based learning approach to quickly identify suitable playbooks for incoming alerts. We implement AI4SOAR and demonstrate its application through a use case for automated incident response against SSH brute-force attacks.
Published In
July 2024
2032 pages
ISBN:9798400717185
DOI:10.1145/3664476
Copyright © 2024 ACM.
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 30 July 2024
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ARES 2024
ARES 2024: The 19th International Conference on Availability, Reliability and Security
July 30 - August 2, 2024
Vienna, Austria
Acceptance Rates
Overall Acceptance Rate 228 of 451 submissions, 51%
Article Metrics
- Total Citations: 0
- Total Downloads: 125
- Downloads (last 12 months): 125
- Downloads (last 6 weeks): 37
Reflects downloads up to 02 Mar 2025