Method of finding the minimum number of sources of indicators of compromise to cover the maximum set
2023 (English) Independent thesis Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
Background. With the increasing demand for cybersecurity, there is a growing interest in understanding cyber-attack surfaces and vectors. Security Operation Centers (SOCs) play a crucial role in defensive cybersecurity, and Security Information and Event Management (SIEM) systems are used to monitor and analyze the security status of computer systems. However, SIEM systems face challenges such as data overload and the need for effective data selection.

Objectives. This research aims to develop a method for reducing the number of sets of Indicators of Compromise (IOCs) processed by SIEM systems while maintaining maximum coverage. The objectives include conducting a literature review on IOCs processing and data reduction, preparing data from the Open Threat Exchange (OTX) platform, developing a method for minimizing IOCs sets, and evaluating the effectiveness of the proposed solution.

Methods. The evaluation of the methods is performed numerically using a Fuzzy Table. The research also involves developing a mathematical model that describes the relationships between different types of IOCs and the possibility of various representations for the same object. The model takes into account weight assignment to each indicator. Software implementation is carried out. The effectiveness of the developed method is evaluated using metrics such as the coverage of the initial set of IOCs and the data reduction rate.

Results. Unfortunately, none of the methods fully met all the criteria. Fuzzy logic was selected as the decision-making approach. A mathematical data model was developed to represent IOCs and associated pulses as sets. Dependencies were described to filter out duplicate indicators. Implementation was done using the Python programming language. Three algorithms were implemented: Set cover problem, Weighted coverage maximization, and Budget cover problem. Tests were conducted on the entire data set and subsets to analyze performance. The number of IOCs decreased from 4115 to 3341, representing a reduction of 25.5% to 93% according to the Total data reduction metric.

Conclusions. Overall, the developed method reduced information and minimized indicator sources, offering a valuable approach for reducing data in IOC processing.
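The abstract describes modelling OTX pulses and their IOCs as sets, filtering alternative representations of the same object, and then running Set Cover and budgeted weighted coverage over the pulses. The following Python is an added illustration of that pipeline, written for this page; it is not the thesis's own code and the thesis's exact normalisation rules, per-type weights and metric definitions are not given here, so the `normalise` rules, the `WEIGHTS` table, the constructed sample pulses and the definition of `data_reduction` (share of raw indicator rows not ingested) are all assumptions.

```python
"""Greedy Set Cover and budgeted weighted coverage over OTX-style pulses.

Added example, not the thesis's implementation. Each pulse (an IOC source)
contributes a set of indicators; the goal is to keep as few pulses as possible
while still covering the indicators they collectively describe.
"""
from typing import Dict, List, Set, Tuple

Indicator = Tuple[str, str]  # (ioc_type, value)


def normalise(ioc_type: str, value: str) -> Indicator:
    """Collapse alternative representations of one object (assumed rules)."""
    v = value.strip()
    if ioc_type in ("md5", "sha1", "sha256"):
        v = v.lower()                      # hash case is not significant
    elif ioc_type in ("domain", "hostname"):
        ioc_type = "domain"                # treat hostname/domain as one type
        v = v.lower().rstrip(".")          # drop trailing root dot
    elif ioc_type == "url":
        v = v.split("#", 1)[0].rstrip("/")  # drop fragment and trailing slash
    return (ioc_type, v)


# Constructed sample: pulse id -> raw (type, value) rows as a feed might deliver them.
RAW_PULSES: Dict[str, List[Tuple[str, str]]] = {
    "pulse-A": [("ipv4", "203.0.113.10"), ("domain", "Bad.Example."), ("sha256", "AB" * 32)],
    "pulse-B": [("hostname", "bad.example"), ("sha256", "ab" * 32), ("url", "http://bad.example/x/")],
    "pulse-C": [("ipv4", "198.51.100.7"), ("url", "http://bad.example/x")],
    "pulse-D": [("ipv4", "203.0.113.10"), ("md5", "cd" * 16)],
    "pulse-E": [("ipv4", "198.51.100.7"), ("md5", "CD" * 16), ("domain", "evil.test")],
}

# Assumed per-type weights: file hashes are worth more than a bare IP address.
WEIGHTS: Dict[str, float] = {"sha256": 3.0, "md5": 2.0, "url": 2.0, "domain": 1.5, "ipv4": 1.0}


def dedupe(raw: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Set[Indicator]]:
    """Apply normalisation so duplicates across representations collapse to one indicator."""
    return {pulse: {normalise(t, v) for t, v in rows} for pulse, rows in raw.items()}


def greedy_set_cover(pulses: Dict[str, Set[Indicator]]) -> List[str]:
    """Classic greedy Set Cover: keep taking the pulse that covers the most
    still-uncovered indicators until nothing is left uncovered."""
    uncovered: Set[Indicator] = set().union(*pulses.values())
    chosen: List[str] = []
    while uncovered:
        # sorted() makes tie-breaks deterministic (alphabetically first wins)
        best = max(sorted(pulses), key=lambda p: len(pulses[p] & uncovered))
        gain = pulses[best] & uncovered
        if not gain:
            break
        chosen.append(best)
        uncovered -= gain
    return chosen


def greedy_budget_cover(pulses: Dict[str, Set[Indicator]],
                        weights: Dict[str, float], budget: int) -> List[str]:
    """Budgeted weighted maximum coverage: with at most `budget` pulses, greedily
    add the one whose not-yet-covered indicators carry the most weight."""
    covered: Set[Indicator] = set()
    chosen: List[str] = []
    for _ in range(budget):
        candidates = [p for p in sorted(pulses) if p not in chosen]
        if not candidates:
            break
        best = max(candidates,
                   key=lambda p: sum(weights.get(t, 1.0) for t, _ in pulses[p] - covered))
        gain = pulses[best] - covered
        if not gain:
            break
        chosen.append(best)
        covered |= gain
    return chosen


def metrics(pulses: Dict[str, Set[Indicator]], chosen: List[str],
            weights: Dict[str, float]) -> Dict[str, float]:
    """Coverage of the initial IOC set plus two reduction rates (assumed definitions)."""
    universe: Set[Indicator] = set().union(*pulses.values())
    covered: Set[Indicator] = set().union(*(pulses[p] for p in chosen)) if chosen else set()
    total_rows = sum(len(s) for s in pulses.values())
    selected_rows = sum(len(pulses[p]) for p in chosen)
    return {
        "coverage": len(covered) / len(universe),
        "weighted_coverage": sum(weights.get(t, 1.0) for t, _ in covered)
                             / sum(weights.get(t, 1.0) for t, _ in universe),
        "source_reduction": 1.0 - len(chosen) / len(pulses),
        "data_reduction": 1.0 - selected_rows / total_rows,
    }


if __name__ == "__main__":
    pulses = dedupe(RAW_PULSES)
    cover = greedy_set_cover(pulses)
    print("set cover:", cover, metrics(pulses, cover, WEIGHTS))
    budget = greedy_budget_cover(pulses, WEIGHTS, budget=2)
    print("budget=2:", budget, metrics(pulses, budget, WEIGHTS))
```

On the constructed sample the five raw pulses carry 13 rows but only 7 distinct indicators once normalised; full Set Cover keeps three pulses (coverage 1.0, data reduction 4/13), while a budget of two weighted pulses reaches 6 of 7 indicators and 11/12 of the total weight. Which definition of "data reduction" you report matters, as the abstract's range of 25.5% to 93% suggests, so fix the metric before comparing runs.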
Place, publisher, year, edition, pages
2023. , p. 59
Keywords [en]
Indicator of Compromise, Set Cover Problem, Maximum Coverage, Open Threat Exchange
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-24947
OAI: oai:DiVA.org:bth-24947
DiVA, id: diva2:1773759
Subject / course
DV2572 Master's Thesis in Computer Science
Educational program
DVACX Master of Science Programme in Computer Science
Presentation
2023-05-26, 16:15 (English)
2023-06-27; 2023-06-22; 2023-06-27. Bibliographically approved