Skip to main content
Annual Computer Security Applications Conference (ACSAC) 2017

Full Program »

Predicting Cyber Threats with Virtual Security Products

Cybersecurity analysts are often presented suspicious machine activity that does not conclusively indicate compromise, resulting in undetected incidents or in costly investigations into the most appropriate remediation actions. There are many reasons for this: deficiencies in the number and quality of security products that are deployed, poor configuration of those security products, and incomplete reporting of product-security telemetry. Managed Security Service Providers (MSSP's), which are tasked with detecting security incidents on behalf of multiple customers, are confronted with these data quality issues, but also possess a wealth of cross-product security data that enables innovative solutions. We use MSSP data to develop Virtual Product, which addresses the aforementioned data challenges by predicting what security events would have been triggered by a security product if it had been present. This benefits the analysts by providing more context into existing security incidents (albeit probabilistic) and by making questionable security incidents more conclusive. We achieve up to 99% AUC in predicting the incidents that some products would have detected had they been present.

Shang-Tse Chen
Georgia Tech
United States

Yufei Han
Symantec Research Labs
France

Duen Horng Chau
Georgia Tech
United States

Christopher Gates
Symantec Research Labs
United States

Michael Hart
Symantec Research Labs
France

Kevin Roundy
Symantec Research Labs
United States

 

Powered by OpenConf®
Copyright ©2002-2017 Zakon Group LLC