Litcius/Paper detail

Alert Prioritisation in Security Operations Centres: A Systematic Survey on Criteria and Methods

Fatemeh Jalalvand, Mohan Baruwal Chhetri, ‪Surya Nepal‬, Cécile Paris

2024ACM Computing Surveys25 citationsDOIOpen Access PDF

Abstract

Security Operations Centres (SOCs) are specialised facilities where security analysts leverage advanced technologies to monitor, detect and respond to cyber incidents. However, the increasing volume of security incidents has overwhelmed security analysts, leading to alert fatigue. Effective alert prioritisation (AP) becomes crucial to address this problem through the utilisation of proper criteria and methods. Human–AI teaming (HAT) has the potential to significantly enhance AP by combining the complementary strengths of humans and AI. AI excels in processing large volumes of alert data, identifying anomalies, uncovering hidden patterns, and prioritising alerts at scale, all at machine speed. Human analysts can leverage their expertise to investigate prioritised alerts, re-prioritise them based on additional context and provide valuable feedback to the AI system, reducing false positives and ensuring critical alerts are prioritised. This work provides a comprehensive review of the criteria and methods for AP in SOC. We analyse the advantages and disadvantages of the different categories of AP criteria and methods based on HAT, specifically considering automation, augmentation and collaboration. We also identify several areas for future research. We anticipate that our findings will contribute to the advancement of AP techniques, fostering more effective security incident response in SOCs.

Topics & Concepts

Computer scienceComputer securityData scienceInformation and Cyber SecuritySoftware System Performance and ReliabilitySmart Grid Security and Resilience