Applying Process Discovery to Cybersecurity Training: An Experience Report

MACÁK, Martin, Radek OŠLEJŠEK and Barbora BÜHNOVÁ. Applying Process Discovery to Cybersecurity Training: An Experience Report. Online. In 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). Neuveden: IEEE, 2022, p. 394-402. ISBN 978-1-6654-9560-8. Available from: https://dx.doi.org/10.1109/EuroSPW55150.2022.00047.

Basic information

• Original name: Applying Process Discovery to Cybersecurity Training: An Experience Report
• Authors: MACÁK, Martin (703 Slovakia, guarantor, belonging to the institution), Radek OŠLEJŠEK (203 Czech Republic, belonging to the institution) and Barbora BÜHNOVÁ (203 Czech Republic, belonging to the institution).
• Edition: Neuveden, 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), p. 394-402, 9 pp. 2022.
• Publisher: IEEE

Other information

• Original language: English
• Type of outcome: Proceedings paper
• Field of Study: 10201 Computer sciences, information science, bioinformatics
• Confidentiality degree: is not subject to a state or trade secret
• Publication form: electronic version available online
• WWW: Permalink to the publisher
• RIV identification code: RIV/00216224:14330/22:00125678
• Organization unit: Faculty of Informatics
• ISBN: 978-1-6654-9560-8
• Doi: http://dx.doi.org/10.1109/EuroSPW55150.2022.00047
• UT WoS: 000853211100040
• Keywords in English: cybersecurity; hands-on training; process mining; data analysis; learning analytics
• Tags: International impact, Reviewed

Abstract

Quality improvement of practical cybersecurity training is challenging due to the process-oriented nature of this learning domain. Event logs provide only a sparse preview of trainees' behavior in a form that is difficult to analyze. Process mining has great potential in converting events into behavioral graphs that could provide better cognitive features for understanding users' behavior than the raw data. However, practical usability for learning analytics is affected by many aspects. This paper aims to provide an experience report summarizing key features and obstacles in integrating process discovery into cyber ranges. We describe our lessons learned from applying process mining techniques to data captured in a cyber range, which we have been developing and operating for almost ten years. We discuss lessons learned from the whole workflow that covers data preprocessing, data mapping, and the utilization of process models for the post-training analysis of Capture the Flag games. Tactics addressing scalability are explicitly discussed because scalability has proven to be a challenging task. Interactive data mapping and Capture the Flag specific features are used to address this issue.

Links

• CZ.02.1.01/0.0/0.0/16_019/0000822, interní kód MU(CEP code: EF16_019/0000822): Name: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur (Acronym: C4e)

Investor: Ministry of Education, Youth and Sports of the CR, CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence, Priority axis 1: Strengthening capacities for high-quality research

• EF16_019/0000822, research and development project: Name: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur