Exploration recommendations for the investigation of security incidents (Romain Brisse PhD Defense)


In recent years, cybersecurity analysts have faced growing challenges in their field. Not only are the data they investigate heterogeneous, multidimensional, or simply incomplete, but the number of attacks and attackers is also increasing, leading to a shortage of experts in the domain. While numerous tools aim to lighten their workload, particularly during incident response, they fall short. Romain Brisse's thesis work focuses on developing methods that ease the investigative phase of incident response, specifically by leveraging recommendation systems that propose exploration paths through event logs. The thesis contributes two recommendation systems. The first, KRAKEN, relies on expert knowledge from the cyber community to recognize attacks in the data and to recommend the most relevant fields to explore in order to identify them. The second contribution builds on the first by addressing the challenge of making a recommendation system understand an analyst's intent: the second system, MIMIR, models these intentions during an investigation in order to suggest the subsequent investigation steps. Finally, to address evaluation challenges and the lack of cyber data in the field, a final contribution takes the form of an exercise (CERBERE) during which data for the evaluation and improvement of recommendation systems are generated and investigated by participants.
