A Graph-Based Approach to Alert Contextualisation in Security Operations Centres
This paper addresses the problem of alert overload for security analysts, though its contribution appears incremental, as it builds on existing graph and machine learning methods.
The paper tackles the challenge of interpreting massive security alert volumes in Security Operations Centres by proposing a graph-based approach that aggregates alerts into groups, enabling higher-level analysis and more effective capture of attack steps. It demonstrates the utility of this representation by using Graph Matching Networks to correlate alert groups with historical incidents.
Interpreting the massive volume of security alerts is a significant challenge in Security Operations Centres (SOCs). Effective contextualisation is important, enabling quick distinction between genuine threats and benign activity to prioritise what needs further analysis. This paper proposes a graph-based approach to enhance alert contextualisation in a SOC by aggregating alerts into graph-based alert groups, where nodes represent alerts and edges denote relationships within defined time-windows. By grouping related alerts, we enable analysis at a higher abstraction level, capturing attack steps more effectively than individual alerts. Furthermore, to show that our format is well suited for downstream machine learning methods, we employ Graph Matching Networks (GMNs) to correlate incoming alert groups with historical incidents, providing analysts with additional insights.
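The abstract describes the alert-group construction only at a high level: alerts become nodes, related alerts within a time window become edges, and each connected group stands for a candidate sequence of attack steps. The following is an added illustration, not code from the paper or its authors. It assumes a concrete relation the abstract does not specify (two alerts are related when they share a source or destination host and fire within a pairwise time window of ten minutes) and runs over a few constructed alert records, so the chosen window, field names and sample values are all assumptions for demonstration.

```python
"""Added example (not from the paper): build graph-based alert groups from
constructed alert records. Nodes are alerts; an edge joins two alerts that
share a host (source or destination) and fire within a time window.
Connected components of that graph are the alert groups."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alerts in a simple "key=value" line format (not real telemetry).
RAW_ALERTS = """\
ts=2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 rule=port_scan
ts=2024-05-01T10:03:00 src=10.0.0.5 dst=10.0.0.20 rule=ssh_brute_force
ts=2024-05-01T10:07:00 src=10.0.0.20 dst=10.0.0.30 rule=smb_lateral_movement
ts=2024-05-01T10:05:00 src=10.0.0.9 dst=8.8.8.8 rule=dns_anomaly
ts=2024-05-01T12:00:00 src=10.0.0.5 dst=10.0.0.20 rule=ssh_brute_force
"""


@dataclass(frozen=True)
class Alert:
    id: int
    ts: datetime
    src: str
    dst: str
    rule: str

    @property
    def entities(self) -> frozenset:
        # The hosts this alert mentions; shared hosts are what relate two alerts.
        return frozenset({self.src, self.dst})


def parse_alerts(text: str) -> list:
    """Parse the constructed key=value lines into Alert nodes with sequential ids."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        alerts.append(Alert(id=len(alerts) + 1,
                            ts=datetime.fromisoformat(fields["ts"]),
                            src=fields["src"], dst=fields["dst"],
                            rule=fields["rule"]))
    return alerts


def build_alert_graph(alerts, window=timedelta(minutes=10)):
    """Return adjacency: alert id -> {neighbour id: shared entities}.

    Assumed relation (not from the paper): an edge exists when two alerts share
    at least one host and their timestamps differ by no more than `window`.
    """
    adj = {a.id: {} for a in alerts}
    ordered = sorted(alerts, key=lambda a: a.ts)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ts - a.ts > window:
                break  # later alerts in time order are only further away
            shared = a.entities & b.entities
            if shared:
                adj[a.id][b.id] = shared
                adj[b.id][a.id] = shared
    return adj


def alert_groups(adj):
    """Connected components of the alert graph, as sorted tuples of alert ids."""
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in comp:
                continue
            comp.add(n)
            stack.extend(adj[n])
        seen |= comp
        groups.append(tuple(sorted(comp)))
    return groups


def summarise_group(group, alerts_by_id):
    """Rule names in time order: the attack steps the group captures."""
    return [alerts_by_id[i].rule
            for i in sorted(group, key=lambda i: alerts_by_id[i].ts)]


if __name__ == "__main__":
    alerts = parse_alerts(RAW_ALERTS)
    by_id = {a.id: a for a in alerts}
    adj = build_alert_graph(alerts)
    for g in alert_groups(adj):
        print(g, "->", summarise_group(g, by_id))
```

On the constructed input the scan, brute force and lateral-movement alerts collapse into one group whose ordered rule names read as a plausible attack chain, the unrelated DNS alert stays alone, and the repeat brute-force alert two hours later forms its own group because it falls outside the window even though it touches the same hosts. Which relation and window to use is a design decision the abstract leaves open; a relation that is too loose merges unrelated activity into one group, while one that is too strict breaks a single intrusion into fragments.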