Clustering of case-based reasoning recommendations in cybersecurity incident response

Bibliographic details
Year of defense: 2024
Main author: Guerra, Patrick Andrei Caron
Advisor: Not provided by the institution
Defense committee: Not provided by the institution
Document type: Dissertation
Access type: Open access
Language: por
Defending institution: Universidade Federal de Santa Maria
Brazil
Computer Science
UFSM
Programa de Pós-Graduação em Ciência da Computação
Centro de Tecnologia
Graduate program: Not provided by the institution
Department: Not provided by the institution
Country: Not provided by the institution
Keywords in Portuguese:
Access link: http://repositorio.ufsm.br/handle/1/32093
Abstract: Case-Based Reasoning (CBR) and clustering are recognized for their relevance in solving a wide range of application problems. However, integrating these Artificial Intelligence (AI) techniques still presents significant research challenges for the development of systems in the field of cybersecurity. The research problem addressed in this dissertation is the recommendation and reuse of response plans for cybersecurity incidents. In this context, the increasing dynamics and sophistication of cyber attacks and of vulnerability exploitation create the need for new AI approaches that help organizations maintain cyber resilience. This work investigates the construction of a reusable memory of cybersecurity incident response experiences, capturing those experiences in case structures stored in a case base. Each case contains details of the incident context (the problem) and a plan of response actions (the solution). Similarity methods are used to query this memory, starting from a specified incident context (the query), in order to recommend relevant cases for reuse. The main contributions of this work are: the development of a method that integrates CBR and clustering to organize the retrieved solutions into clusters; and the modeling of a new application ontology to support the acquisition and representation of incident response plans. Cross-validation experiments and experiments with new incidents were conducted to evaluate the proposed approach. The results indicate that integrating CBR and clustering can increase the precision of response plan selection for reuse, especially when security analysts can identify and choose the most appropriate group among the clustered recommendations presented for CBR queries. Random selection of a group of recommendations can yield precision results equivalent to the exclusive use of CBR queries. On the other hand, selecting the worst group obtained implies a decrease in precision compared to the exclusive use of the recommendations presented in CBR queries. This demonstrates that refining the recommendations obtained for CBR queries through clustering can optimize the analysis and reuse of recommendations in incident response, although the analyst's selection among the resulting case groups can significantly affect the precision achieved.