Sonification for network-security monitoring


Bibliographic Details
Main Author: Axon, L
Other Authors: Creese, S
Format: Thesis
Published: 2018
collection OXFORD
description In the face of increasingly frequent, sophisticated and varied cyber-attacks, organisations must continuously adapt and improve their network defences. In many organisations, maintaining network security is the role of the security operations centre (SOC), in which security practitioners work, aided by security-monitoring tools, to detect and mitigate cyber-attacks. There is a need for effective tools to help security practitioners to engage with and understand the data communicated over the network, and the outputs of automated attack-detection methods. Over the last few years, a number of novel approaches have been examined, with the aim of aiding in various aspects of the network-security monitoring work of security practitioners. This thesis explores one of these approaches in particular: sonification.

Sonification is the representation of data as sound; more specifically, it is widely accepted to be “the use of non-speech audio to convey information”. Sonification has been shown to have advantages for presenting data to humans in other fields, such as medicine and astronomy, for monitoring data and for anomaly detection. In theory, some of the known properties of sonification make it a promising data-presentation approach for SOCs. It has been shown that sound can be comprehended peripherally, enabling monitoring as a non-primary task, which may aid busy security practitioners, for example. Prior literature indicates the potential of network-traffic sonification systems for signalling network-security information, but does not evaluate its utility or explore its application in SOCs. The aim of this research is to explore the utility of sonification systems to the security-monitoring tasks carried out in SOCs.

In order to address this aim, we proposed a model to underpin approaches to sonification design for network-security data. We tested the ability of humans to detect network attacks and understand network-security events by listening to a sonification prototype, and found that the approach was effective in an experimental setting, indicating the viability of sonification as an approach to conveying network-security information. In order to understand the design requirements and potential contexts of use for sonification in SOCs, we surveyed and interviewed security practitioners working in SOCs. Finally, we explored the utility of sonification by studying the use of a sonification system by security practitioners in a set of SOC tasks, in an experimental setting.

We found that using sonification systems could complement existing monitoring practice in SOCs (particularly in contexts in which it is advantageous to be able to monitor network security peripherally), subject to a range of challenges related to the integration of such systems into the SOC environment. While our findings indicate that sonification may be a useful technology for security practitioners, it is important to recognise that our results were obtained in experimental settings. To validate these findings, future longitudinal studies in which sonification systems are deployed in operational SOCs will be key to understanding their true utility and the severity of the challenges posed to integration.
id oxford-uuid:cfdb85ba-4d30-4743-a275-47b8d6949ac5
institution University of Oxford
spelling oxford-uuid:cfdb85ba-4d30-4743-a275-47b8d6949ac5 | 2022-03-27T07:45:45Z | Sonification for network-security monitoring | Thesis | http://purl.org/coar/resource_type/c_db06 | uuid:cfdb85ba-4d30-4743-a275-47b8d6949ac5 | ORA Deposit | 2018 | Axon, L; Creese, S; Goldsmith, M | abstract identical to the description field above