A Framework for Event Prioritization in Cyber Network Defense

2014 
Abstract: Cyber warriors need to make quick, effective decisions regarding cyber events: namely, which events should be addressed first (i.e., event triage/prioritization) and what should be done with them (i.e., event response). Events should be triaged based on the potential damage they could cause to important assets and the overall mission. This enables cyber warriors to better protect critical missions by focusing on high-priority events. Existing tools used in current practice do not provide such effective event prioritization. Effective event prioritization should include factors such as the importance of the host, the vulnerabilities of the host, network connectivity, as well as details of the event itself. We developed a framework to prioritize events based on the potential damage that each event could inflict on important hosts and missions. The framework gathers, fuses, and integrates relevant information from other security tools and databases for automated event prioritization. We implemented our framework as a flexible, extensible, customizable, and user-friendly tool called ACCEPT.
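To make the prioritization idea concrete, the following is an added illustration, not code from the paper or from the ACCEPT tool: it fuses the four factor classes the abstract names (host importance, host vulnerabilities, network connectivity, and the event's own details) into a single potential-damage score and ranks a constructed batch of events. The weights, the scoring formula, the host and event records, and the handling of hosts missing from the asset inventory are all assumptions chosen for the example.

```python
from dataclasses import dataclass

# Per-host context, as it might be fused from an asset inventory, a vulnerability
# scanner and a network map. All values are normalized to [0, 1]. (Assumed schema.)
@dataclass(frozen=True)
class Host:
    name: str
    importance: float    # mission criticality of the host
    vuln_score: float    # how exposed the host is (e.g. normalized scanner findings)
    connectivity: float  # how well connected the host is to other important hosts

# A single event as reported by a sensor. (Assumed schema.)
@dataclass(frozen=True)
class Event:
    event_id: str
    host: str
    severity: float      # sensor-assigned severity, 0..1
    confidence: float    # sensor confidence that the event is real, 0..1

# Assumed weights for the host-side factors; they sum to 1 so the asset
# exposure term stays in [0, 1].
ASSET_WEIGHTS = {"importance": 0.5, "vuln_score": 0.25, "connectivity": 0.25}

# Conservative midpoint for hosts the inventory does not know: the event is
# kept in the queue rather than dropped for lack of context.
UNKNOWN_HOST = Host(name="<unknown>", importance=0.5, vuln_score=0.5, connectivity=0.5)


def asset_exposure(host: Host, weights=ASSET_WEIGHTS) -> float:
    """Weighted combination of the host-side factors (assumed formula)."""
    return (weights["importance"] * host.importance
            + weights["vuln_score"] * host.vuln_score
            + weights["connectivity"] * host.connectivity)


def potential_damage(event: Event, hosts: dict) -> float:
    """Potential damage = asset exposure x event weight (severity x confidence)."""
    host = hosts.get(event.host, UNKNOWN_HOST)
    return asset_exposure(host) * event.severity * event.confidence


def prioritize(events, hosts: dict):
    """Return events sorted from highest to lowest potential damage."""
    scored = [(e.event_id, potential_damage(e, hosts), e.host in hosts) for e in events]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample data: three known hosts and four events, one of which
# references a host absent from the inventory.
HOSTS = {h.name: h for h in [
    Host("dc01", importance=1.0, vuln_score=0.6, connectivity=0.9),
    Host("ws17", importance=0.2, vuln_score=0.9, connectivity=0.2),
    Host("dbsrv", importance=0.8, vuln_score=0.1, connectivity=0.5),
]}
EVENTS = [
    Event("e1", "ws17", severity=0.9, confidence=0.8),
    Event("e2", "dc01", severity=0.5, confidence=0.9),
    Event("e3", "dbsrv", severity=0.7, confidence=0.6),
    Event("e4", "lab-vm-unknown", severity=0.6, confidence=0.8),
]


def ranked_ids(events=EVENTS, hosts=HOSTS):
    """Event ids in triage order for the constructed sample."""
    return [row[0] for row in prioritize(events, hosts)]


if __name__ == "__main__":
    for event_id, score, known in prioritize(EVENTS, HOSTS):
        flag = "" if known else "  (host not in inventory, midpoint context used)"
        print(f"{event_id}: {score:.4f}{flag}")
```

Note how the ranking differs from sorting by raw severity: the most severe event (e1) lands on a low-value workstation and is outranked by a milder event on the well-connected domain controller, which is the effect the abstract argues for. The unknown-host case is surfaced with a flag so an analyst can see that the score rests on default context rather than fused data.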