Investigating cyber alerts with graph-based analytics and narrative visualization

2020 
In real-world situations, several threat alerts are investigated by specialised staff. To respond promptly to genuine incidents or to dismiss false alarms, alerts are prioritised and analysed. Security professionals rely on the information provided in the alert message. Insufficient information in alert messages poses a challenge for security analysts, who must then keep track of all internal and external sources to identify the relevant information. In this paper, a Narrative Analytics-Assisted System (NAAS) is proposed, which uses a knowledge graph to present the relationships. The knowledge graph captures the complex relationships between the alert and relevant information from the Internal and External knowledge bases, reducing the cognitive effort of digesting and understanding a wealth of security data. To enable cooperation in the cyber risk management process, the knowledge graph must be generated and interpreted in a human-friendly format. The current machine-friendly formats for reporting incidents from alerts are complex and extensive. These characteristics hamper readability and contribution, preventing humans from understanding and staying up to date about the incident. NAAS consists of four life cycles that help an analyst gain a better perception of the elements of the environment by involving more staff in risk management: (1) analyse the alert, (2) design the knowledge graph with natural language sentences, (3) automatically generate the incident report in natural language by applying novel storytelling techniques to the knowledge graph, and (4) maintain it with the contribution of different levels of expertise. The performance of the various NAAS cycles is demonstrated in a case study with an example scenario from the Security Operations Centre (SOC) at an educational institution, highlighting its usability.
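As an added illustration, not the paper's NAAS implementation (the abstract does not describe its storytelling techniques), the following Python sketch shows the shape of cycles (2) and (3): an alert is merged with constructed internal (asset inventory) and external (threat intelligence) triples into a knowledge graph, which is then walked breadth-first from the alert node to render one natural-language sentence per relationship. All node names, predicates, templates and sample triples are constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from the paper): one alert and two small
# knowledge bases, all expressed as (subject, predicate, object) triples.
ALERT = [("alert-1001", "reported_by", "ids-sensor")]
INTERNAL_KB = [  # asset inventory, standing in for an "internal" source
    ("alert-1001", "involves_host", "10.0.5.23"),
    ("10.0.5.23", "is_asset", "student-lab-pc-17"),
    ("student-lab-pc-17", "owned_by", "Computing Faculty"),
    ("student-lab-pc-17", "runs", "Windows 10"),
]
EXTERNAL_KB = [  # threat intelligence, standing in for an "external" source
    ("alert-1001", "matches_signature", "SIG-EXAMPLE"),
    ("SIG-EXAMPLE", "indicates", "credential-stealer"),
    ("credential-stealer", "mitigated_by", "password reset and host reimage"),
]

# Hypothetical templates that turn a predicate into a sentence.
TEMPLATES = {
    "reported_by": "{s} was raised by {o}",
    "involves_host": "{s} involves the host {o}",
    "is_asset": "{s} is the asset {o}",
    "owned_by": "{s} is owned by {o}",
    "runs": "{s} runs {o}",
    "matches_signature": "{s} matched signature {o}",
    "indicates": "{s} indicates a {o}",
    "mitigated_by": "a {s} is mitigated by {o}",
}

def build_graph(*sources):
    """Merge triples from every source into an adjacency map keyed by subject."""
    graph = {}
    for triples in sources:
        for s, p, o in triples:
            graph.setdefault(s, []).append((p, o))
    return graph

def narrate(graph, start):
    """Breadth-first walk from the alert node, one sentence per edge.
    BFS order keeps facts nearest the alert first, so the report reads
    alert, then asset context, then threat context, then response."""
    seen, queue, sentences = {start}, deque([start]), []
    while queue:
        node = queue.popleft()
        for pred, obj in graph.get(node, []):
            sentences.append(TEMPLATES[pred].format(s=node, o=obj) + ".")
            if obj not in seen:
                seen.add(obj)
                queue.append(obj)
    return sentences

if __name__ == "__main__":
    print(" ".join(narrate(build_graph(ALERT, INTERNAL_KB, EXTERNAL_KB), "alert-1001")))
```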