SDN Security: Developing an organic escalation framework for operational automation on security incidents
CSI Transactions on ICT Pub Date : 2020-04-22 , DOI: 10.1007/s40012-020-00266-8
Sriram Raghavan , S. V. Raghavan

The number of actions at a user's disposal in the digital arena is on the rise; the number of technologies available to track users' activities in an organisation is on the rise; the volume of information logged by such technologies is on the increase. And yet, the number of security incidents recorded per unit time is also on the rise. While there is greater awareness in the community and a plethora of passionate analysts to triage and analyse incidents, an ever-widening gap seems to be developing between the number of such analysts and the growth in incident volumes, particularly so in the last decade. In fact, operational response remains largely in the realm of manual remediation. If one takes an objective view of the sequence of actions that transpire between the time a detection is observed and the time it is remediated, there is a broad spectrum ranging from completely objective tasks (which can be automated) to purely subjective evaluation tasks (which remain largely manual). This can be regarded as the automation scale. During a response scenario, it is conceivable that an analyst would conduct a series of tasks, some of which are common across all incidents, some constrained to the technology pertaining to the alert that instigated the response, and the rest involving manual evaluation and context establishment. If one magnifies that period of observation for a granular view of the tasks conducted over that time, we hypothesise that one can generate a calibration scale to uniquely identify tasks that warrant automation. In this work, we develop a cognitive model called SAI, reinforced with a machine learning framework, to organically escalate tasks into operational automation. While the cognitive model discerns tasks from the sample space {objective, technology-dependent, subjective}, the organic escalation is achieved through a reward-penalty model over the possible response spectrum, evaluated in a finite n-tuple context.
Finding: In the absence of external business factors, if the number of parameters influencing an alert is limited to C and the total number of alerts in a given period is limited to K, then it is sufficient, for any task involved in that alert's remediation, that the task receives at least 10·C·K endorsements during the same period in order to escalate it into automation. We demonstrate how the framework can seamlessly accommodate the false positives that are opportunistic to any operational environment, while providing savings in expenditure by serving as a measuring scale for alarms in an organisation.
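As an added illustration, not code from the paper, the following ledger implements the stated escalation rule: a task escalates into automation once its net endorsements in a period reach 10·C·K. The task names, the unit reward and penalty weights, the use of false-positive feedback as the penalty, and the rule that subjective tasks never escalate are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

TASK_CLASSES = {"objective", "technology-dependent", "subjective"}

@dataclass
class EscalationTracker:
    C: int  # parameters influencing an alert (bound from the paper's finding)
    K: int  # alerts observed in the period
    kinds: dict = field(default_factory=dict)  # task -> cognitive class
    scores: dict = field(default_factory=lambda: defaultdict(int))  # task -> net endorsements

    def threshold(self) -> int:
        # Finding: at least 10*C*K endorsements within the period suffice to escalate.
        return 10 * self.C * self.K

    def register(self, task: str, kind: str) -> None:
        if kind not in TASK_CLASSES:
            raise ValueError(f"unknown task class: {kind}")
        self.kinds[task] = kind

    def endorse(self, task: str, n: int = 1) -> int:
        # Reward: analysts confirm the task was the right action (weight 1 assumed).
        self.scores[task] += n
        return self.scores[task]

    def penalise(self, task: str, n: int = 1) -> int:
        # Penalty: the task was executed against a false positive (weight 1 assumed).
        self.scores[task] -= n
        return self.scores[task]

    def escalate(self) -> list:
        # Subjective tasks stay manual; the others escalate once they meet the threshold.
        return sorted(
            task for task, score in self.scores.items()
            if self.kinds.get(task) != "subjective" and score >= self.threshold()
        )

def run_demo() -> list:
    # Constructed period: C=2 parameters per alert, K=3 alerts -> threshold 60.
    t = EscalationTracker(C=2, K=3)
    t.register("block-ip", "objective")
    t.register("quarantine-host", "technology-dependent")
    t.register("judge-intent", "subjective")
    t.endorse("block-ip", 65)
    t.penalise("block-ip", 2)  # net 63 >= 60: escalates
    t.endorse("quarantine-host", 60)
    t.penalise("quarantine-host")  # net 59 < 60: stays manual this period
    t.endorse("judge-intent", 100)  # subjective: never escalates
    return t.escalate()
```

The period boundary (resetting scores when a new period starts) is left to the caller, since the paper only states the per-period threshold.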
