Please use this identifier to cite or link to this item: https://hdl.handle.net/2440/140365
Type: Thesis
Title: Leveraging NLP for supporting automated security incident response
Author: Sworna, Zarrin Tasnim
Issue Date: 2023
School/Discipline: School of Computer and Mathematical Sciences
Abstract: Security Operation Center (SOC) teams use Incident Response Plans (IRPs) to respond to security incidents by orchestrating the activities of diverse security tools in a Security Orchestration, Automation, and Response (SOAR) platform. To define, update, and execute an IRP, SOC teams manually dig through the API documentation of those tools to find the appropriate APIs, which hampers effective and efficient incident response. Little support has been available to practitioners (SOAR platform developers) and users (SOC teams) for orchestrating the tasks of security tools and automating incident response, so they must rely on manual retrieval of API information from documentation. Such manual effort imposes a significant human burden and contributes substantially to fatigue in SOC teams. To accelerate incident response and reduce this burden, SOC teams need automated support for responding to security incidents through security tools' APIs.

This PhD thesis aims to support automated security incident response by recommending the required APIs of diverse security tools and by automatically mapping IRPs to those APIs using Natural Language Processing (NLP) techniques, enabling timely incident response. Specifically, the thesis makes the following four contributions.

• We identify candidate NLP methods through a systematic literature review of the use of NLP to develop a specific security tool, the host-based intrusion detection system (HIDS), which is the last line of defense.
• We are the first to propose a security tools' API recommendation framework, APIRO, which answers natural language queries using NLP-based Deep Learning (DL) models. We demonstrate the effectiveness of a wide range of recent text augmentation techniques for security tools' API recommendation.
• We propose an efficient and effective security tools' API recommender by investigating the applicability of a wide range of traditional Machine Learning (ML) models and features within the APIRO framework, compared against the DL models; this work is motivated by Green AI (reducing the computational cost of ML).
• Finally, we are the first to propose a framework, IRP2API, that automatically maps security IRPs to the corresponding APIs of diverse security tools to support execution of the plans. IRP2API uses an unsupervised transfer learning-based method; we explore a wide range of pre-trained embeddings, which removes the need for expert knowledge, expensive manually labeled data, and access to the code repository. IRP2API enables SOC teams to execute IRP tasks effectively and efficiently while significantly reducing the required human effort.

Altogether, this thesis provides evidence-based knowledge and practical guidelines for researchers and practitioners who want to automate security incident response through security tools' APIs using NLP methods.
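The retrieval framing shared by APIRO and IRP2API (a natural language IRP step or query is matched against security tools' API documentation and the best-scoring APIs are returned) can be shown with a small stand-alone example. The following Python block is added by the editor and is not code from the thesis: where the thesis uses DL models and pre-trained embeddings, it substitutes plain TF-IDF cosine similarity so that it runs offline with no dependencies. The six-entry API catalogue, the API names, the IRP steps and the 0.3 confidence threshold are all constructed sample data. The last step ("Quarantine the infected workstation") deliberately shares no vocabulary with the catalogue; a lexical matcher returns no confident match for it, which is exactly the gap the thesis addresses with transfer learning-based embeddings.

```python
"""Toy mapper from incident-response-plan steps to security-tool APIs.

Editor-added illustration, not the thesis's APIRO/IRP2API implementation.
TF-IDF cosine similarity stands in for the pre-trained embeddings / deep
learning models used in the thesis. The catalogue and steps are constructed.
"""
import math
import re
from collections import Counter

STOPWORDS = {"the", "a", "an", "and", "or", "of", "from", "for", "to", "in",
             "on", "at", "by", "with", "its", "while", "back", "is", "are", "be"}


def tokenize(text):
    """Lower-case, split on non-alphanumerics, drop stopwords, strip a plural 's'."""
    tokens = []
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        if tok in STOPWORDS:
            continue
        if len(tok) > 3 and tok.endswith("s") and not tok.endswith("ss"):
            tok = tok[:-1]          # events -> event, logins -> login
        tokens.append(tok)
    return tokens


class ApiIndex:
    """TF-IDF index over API names plus their documentation strings."""

    def __init__(self, catalogue):
        self.names = [name for name, _ in catalogue]
        # API names carry signal too: "firewall.block_ip" -> firewall, block, ip
        docs = [Counter(tokenize(name) + tokenize(desc)) for name, desc in catalogue]
        n = len(docs)
        df = Counter()
        for doc in docs:
            df.update(doc.keys())
        # Smoothed IDF; terms never seen in the catalogue get the maximum weight
        self.idf = {t: math.log((n + 1) / (c + 1)) + 1 for t, c in df.items()}
        self.default_idf = math.log(n + 1) + 1
        self.vectors = [self._vectorize(doc) for doc in docs]

    def _vectorize(self, counts):
        vec = {t: c * self.idf.get(t, self.default_idf) for t, c in counts.items()}
        norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
        return {t: w / norm for t, w in vec.items()}   # unit length -> dot == cosine

    def recommend(self, step, k=3):
        """Return the top-k (api_name, cosine_score) pairs for one IRP step."""
        query = self._vectorize(Counter(tokenize(step)))
        scored = []
        for name, vec in zip(self.names, self.vectors):
            score = sum(w * vec.get(t, 0.0) for t, w in query.items())
            scored.append((name, round(score, 3)))
        scored.sort(key=lambda pair: pair[1], reverse=True)
        return scored[:k]

    def best_match(self, step, min_score=0.3):
        """Top-1 API, or None when the best score is below the confidence threshold."""
        name, score = self.recommend(step, k=1)[0]
        return name if score >= min_score else None


# Constructed catalogue: (hypothetical API name, one-line documentation string)
API_CATALOGUE = [
    ("firewall.block_ip", "Block inbound and outbound traffic from an IP address on the perimeter firewall"),
    ("firewall.delete_rule", "Delete an existing allow or deny rule from the perimeter firewall by rule id"),
    ("edr.isolate_host", "Isolate an endpoint host from the network while keeping the EDR agent connected"),
    ("edr.release_host", "Release a previously isolated endpoint host back to the network"),
    ("siem.search_events", "Search security events and login records in the SIEM for a query string"),
    ("ti.lookup_hash", "Look up a file hash in the threat intelligence platform and return its reputation"),
]

# Constructed IRP for a "malicious inbound connection" scenario
IRP_STEPS = [
    "Block the attacker IP address at the perimeter firewall",
    "Isolate the compromised endpoint host from the network",
    "Search the SIEM for logins from the attacker IP",
    "Quarantine the infected workstation",   # no lexical overlap: expect None
]

INDEX = ApiIndex(API_CATALOGUE)


def map_plan(index, steps):
    """Map every IRP step to an API name or None (needs analyst review)."""
    return [(step, index.best_match(step)) for step in steps]


if __name__ == "__main__":
    for step, api in map_plan(INDEX, IRP_STEPS):
        print(f"{step!r:60} -> {api or 'NO CONFIDENT MATCH'}")
        print("    candidates:", INDEX.recommend(step))
```

The threshold is what keeps a mapper like this safe to automate: a step with no confident match is handed back to the analyst rather than silently bound to the highest-scoring API. The synonym failure on the last step (quarantine vs. isolate, workstation vs. endpoint host) is the motivation for replacing lexical vectors with pre-trained embeddings, as the thesis does.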
Advisor: Falkner, Nickolas
Dissertation Note: Thesis (Ph.D.) -- University of Adelaide, School of Computer and Mathematical Sciences, 2023
Keywords: incident response
security operation center
NLP
host based intrusion detection system
API recommendation
API mapping
incident response plan
security orchestration
SOAR
cyber security
Provenance: This thesis is currently under embargo and not available.
Appears in Collections:Research Theses

Files in This Item:
Sworna2023_PhD.pdf (4.35 MB, Adobe PDF) - Restricted Access: library staff access only


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.