Architecting threat hunting system based on the DODAF framework


Bibliographic Details
Published in: The Journal of Supercomputing, Vol. 79, no. 4, pp. 4215-4242
Main Authors: Aghamohammadpour, Ali; Mahdipour, Ebrahim; Attarzadeh, Iman
Format: Journal Article
Language: English
Published: New York: Springer US, 01-03-2023 (Springer Nature B.V.)
Description
Summary: The importance of large-scale data analytic systems for cyber security is growing. Systematically collecting, assessing and synthesizing the literature on architectural techniques for developing such systems is therefore critical, yet there is no general overview of architectural techniques for developing threat intelligence systems. Threat hunting is an analyst-centric process that helps organizations discover hidden advanced threats that are missed by automated preventive and investigative systems. The Department of Defense Architecture Framework (DODAF) establishes a modeling framework for capturing high-level system design and operational requirements. This paper presents different viewpoints of a threat hunting system using the DODAF attribute-based method. The proposed architecture is enriched with MITRE's state-of-the-art ATT&CK and D3FEND frameworks. We also propose an approach to infer the threat category of a suspicious event by comparing its similarity to known malicious events; using ATT&CK's rich technique catalogue makes the similarity between malicious and suspicious files more accurate. Finally, we used a survey questionnaire to collect relational data and assess the impact of quality attributes on the development of threat hunting processes. We evaluated the proposed hunting architecture indirectly against twelve essential quality attributes. We believe the proposed method can reduce the architectural shortcomings in the development of threat hunting systems.
ISSN: 0920-8542 (print), 1573-0484 (online)
DOI: 10.1007/s11227-022-04808-6
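The abstract's idea of associating a suspicious event with a threat category by comparing its ATT&CK techniques against known malicious events, as an added illustration that is not the paper's code and does not reproduce its actual method: events are summarised as the set of ATT&CK technique IDs observed in them, Jaccard similarity is the assumed comparison metric (the abstract names none), and the threat categories, profiles, suspicious event and threshold are constructed sample data. It also shows one refinement the abstract does not spell out: collapsing sub-technique IDs to their parent technique so that related but non-identical behaviour still matches.

```python
"""Associate a suspicious event with a threat category by ATT&CK technique overlap.

Added illustration, not the paper's implementation. Assumptions: an event is
summarised as the set of ATT&CK technique IDs observed in it; Jaccard
similarity is the comparison metric (the abstract names no metric); the
categories, profiles, suspicious event and threshold below are constructed
sample data, not real telemetry.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

TechniqueSet = FrozenSet[str]

# Constructed sample: known-malicious event profiles grouped by threat category.
MALICIOUS_PROFILES: Dict[str, List[TechniqueSet]] = {
    "ransomware": [
        frozenset({"T1486", "T1490", "T1059.001", "T1047"}),
        frozenset({"T1486", "T1490", "T1021.002"}),
    ],
    "credential_theft": [
        frozenset({"T1003.001", "T1055", "T1059.001"}),
        frozenset({"T1003.002", "T1552.002"}),
    ],
    "crypto_miner": [
        frozenset({"T1496", "T1053.005", "T1105"}),
    ],
}

# Constructed sample: a suspicious event whose technique set overlaps ransomware.
SUSPICIOUS_EVENT: TechniqueSet = frozenset({"T1486", "T1490", "T1047", "T1082"})


def collapse_subtechniques(techniques: TechniqueSet) -> TechniqueSet:
    """Map sub-technique IDs (T1003.001) to their parent technique (T1003).

    Comparing at parent granularity trades precision for recall: two events
    that use different sub-techniques of the same technique still match.
    """
    return frozenset(t.split(".", 1)[0] for t in techniques)


def jaccard(a: TechniqueSet, b: TechniqueSet) -> float:
    """Jaccard similarity |a & b| / |a | b|; two empty sets count as unrelated."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def score_categories(
    suspicious: TechniqueSet,
    profiles: Dict[str, List[TechniqueSet]],
    collapse: bool = False,
) -> Dict[str, float]:
    """Per-category score: the best similarity against any known event in that category."""
    if collapse:
        suspicious = collapse_subtechniques(suspicious)
    scores: Dict[str, float] = {}
    for category, events in profiles.items():
        candidates = [collapse_subtechniques(e) if collapse else e for e in events]
        scores[category] = max(jaccard(suspicious, e) for e in candidates)
    return scores


def infer_category(
    suspicious: TechniqueSet,
    profiles: Dict[str, List[TechniqueSet]],
    threshold: float = 0.3,
    collapse: bool = False,
) -> Tuple[Optional[str], float]:
    """Return (category, score) for the best match, or (None, score) below threshold.

    The threshold keeps a weak overlap (e.g. only discovery techniques that are
    also common in benign admin activity) from being labelled malicious.
    """
    scores = score_categories(suspicious, profiles, collapse)
    best = max(scores, key=scores.__getitem__)
    if scores[best] < threshold:
        return None, scores[best]
    return best, scores[best]


if __name__ == "__main__":
    print(score_categories(SUSPICIOUS_EVENT, MALICIOUS_PROFILES))
    print(infer_category(SUSPICIOUS_EVENT, MALICIOUS_PROFILES))
    # Only generic discovery techniques: no category passes the threshold.
    print(infer_category(frozenset({"T1082", "T1016"}), MALICIOUS_PROFILES))
    # A different sub-technique of the same technique only matches once collapsed.
    probe = frozenset({"T1003.003", "T1055"})
    print(infer_category(probe, MALICIOUS_PROFILES))
    print(infer_category(probe, MALICIOUS_PROFILES, collapse=True))
```

In practice the profiles would be built from the ATT&CK techniques tagged on confirmed incidents in the hunting platform, and the threshold tuned against the false-positive rate analysts are willing to triage; the sub-technique collapse is worth exposing as an option because it changes which side of that threshold a borderline event lands on.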