@phdthesis{, author = {Renners, Leonard}, title = {Adaptive Prioritization of Network Security Incidents}, editor = {}, booktitle = {}, series = {}, journal = {}, address = {}, publisher = {}, edition = {}, year = {2020}, isbn = {}, volume = {}, number = {}, pages = {}, url = {}, doi = {}, keywords = {incident prioritization; network security; cyber security; machine learning}, abstract = {With the ever rising amount of security and alert information in IT, incident prioritization becomes increasingly important, and is therefore nowadays part of many approaches and tools for network security. A key challenge is, however, a correct prioritization of the events. Currently, the calculation of priorities is rather static, and needs to be defined manually. Incorrect prioritization cannot be reliably or permanently avoided and leads to threatening situations and an increased effort in incident response. Furthermore, the identification of errors in the prioritization rules themselves is another challenge since there is rarely a continuous approach to monitor the prioritization process. In addition, providing corrections as well as defining new, improved rules to address the detected inaccuracies also lacks automated support and again requires manual effort. To address these problems, this thesis proposes a concept for an adaptive prioritization of network security incidents. Our contributions are novel approaches for the prioritization with a focus on a higher degree of automation. We introduce a customizable incident model and a rule-based approach to specify incident prioritization. Furthermore, a process to gather quantitative feedback from the analyst is proposed in combination with a concept for the assessment of the prioritization rules to monitor quality and to regularly identify deficiencies. These concepts are extended and complemented by machine learning techniques for an increased automation regarding the initial creation of prioritization rules, and more importantly the adaptation of an existing set of rules. Understandability of the prioritization model, its instances and of the automation is hereby viewed as a crucial requirement to establish trust in the system for security experts and allow for a manual interaction within the different tasks if necessary. As a result our approach offers the possibility to realize a continuous improvement of the prioritization which helps to address current challenges in incident prioritization in an effective and efficient way. We provide proof of the feasibility of the conceptual work with a first implementation of selected algorithms for every component of the proposed approach. On that basis an assessment of the proposed concepts demonstrates that the model can be used to recreate established prioritization practices. The evaluation further shows promising results for the automated learning and adaptation of the prioritization system, although also highlighting the challenges to balance understandability and prioritization accuracy.}, note = {}, school = {Universität der Bundeswehr München}, }