Method of finding the minimum number of sources of indicators of compromise to cover the maximum set

This is a Master's thesis from Blekinge Tekniska Högskola/Institutionen för datavetenskap

Abstract:

Background. With the increasing demand for cybersecurity, there is a growing interest in understanding cyber-attack surfaces and vectors. Security Operation Centers (SOCs) play a crucial role in defensive cybersecurity, and Security Information and Event Management (SIEM) systems are used to monitor and analyze the security status of computer systems. However, SIEM systems face challenges such as data overload and the need for effective data selection.

Objectives. This research aims to develop a method for reducing the number of sets of Indicators of Compromise (IOCs) processed by SIEM systems while maintaining maximum coverage. The objectives include conducting a literature review on IOC processing and data reduction, preparing data from the Open Threat Exchange (OTX) platform, developing a method for minimizing IOC sets, and evaluating the effectiveness of the proposed solution.

Methods. The evaluation of the methods is performed numerically using a Fuzzy Table. The research also involves developing a mathematical model that describes the relationships between different types of IOCs and the possibility of various representations for the same object. The model takes into account weight assignment to each indicator. Software implementation is carried out. The effectiveness of the developed method is evaluated using metrics such as the coverage of the initial set of IOCs and the data reduction rate.

Results. Unfortunately, none of the methods fully met all the criteria. Fuzzy logic was selected as the decision-making approach. A mathematical data model was developed to represent IOCs and associated pulses as sets. Dependencies were described to filter out duplicate indicators. Implementation was done using the Python programming language. Three algorithms were implemented: Set cover problem, Weighted coverage maximization, and Budget cover problem. Tests were conducted on the entire data set and subsets to analyze performance. The number of IOCs decreased from 4115 to 3341, representing a reduction of 25.5% to 93% according to the Total data reduction metric.

Conclusions. Overall, the developed method reduced information and minimized indicator sources, offering a valuable approach for reducing data in IOC processing.
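The selection step the abstract describes (pulses as sets of IOCs, duplicate representations merged, a greedy weighted set cover with an optional budget, and the coverage and reduction metrics) as an added example in Python; this is not the thesis's own code, the pulses are constructed sample data rather than real OTX pulses, and the per-type weights and case-folding normalisation are assumptions:

```python
"""Greedy weighted set cover over OTX-style pulses (added example): keep the
fewest pulses covering every distinct IOC, then report coverage/reduction."""
from typing import Dict, List, Optional, Set, Tuple

IOC = Tuple[str, str]  # (indicator type, value)
# Constructed sample pulses, not real OTX data; the raw lists overlap.
PULSES: Dict[str, List[IOC]] = {
    "pulse-1": [("domain", "Evil.example"), ("IPv4", "203.0.113.7"),
                ("FileHash-SHA256", "A" * 64)],
    "pulse-2": [("domain", "evil.example"), ("URL", "http://evil.example/x")],
    "pulse-3": [("IPv4", "203.0.113.7"), ("IPv4", "198.51.100.9")],
    "pulse-4": [("FileHash-SHA256", "a" * 64), ("IPv4", "198.51.100.9"),
                ("URL", "http://evil.example/x")],
}
# Assumed per-type weights; the thesis assigns a weight to every indicator.
WEIGHT: Dict[str, float] = {"FileHash-SHA256": 3.0, "IPv4": 2.0,
                            "domain": 2.0, "URL": 1.0}

def pulse_sets(pulses: Dict[str, List[IOC]]) -> Dict[str, Set[IOC]]:
    """Deduplicate: map equivalent representations of one object (here only
    case differences) to a single key, so each pulse becomes a set."""
    return {name: {(k, v.strip().lower()) for k, v in iocs}
            for name, iocs in pulses.items()}

def greedy_cover(pulses, weight, budget: Optional[int] = None) -> List[str]:
    """Set cover (budget=None) or budgeted maximum coverage (budget=k): each
    step takes the pulse adding the most uncovered weight; ties go to the
    alphabetically first pulse name."""
    sets = pulse_sets(pulses)
    uncovered: Set[IOC] = set().union(*sets.values())
    chosen: List[str] = []
    while uncovered and (budget is None or len(chosen) < budget):
        best = max(sorted(sets), key=lambda n: sum(
            weight.get(i[0], 1.0) for i in sets[n] & uncovered))
        if not sets[best] & uncovered:
            break  # the remaining pulses add nothing new
        chosen.append(best)
        uncovered -= sets[best]
    return chosen

def metrics(pulses, chosen: List[str]) -> Dict[str, float]:
    """Coverage of the deduplicated IOC set plus two reduction rates."""
    sets = pulse_sets(pulses)
    all_iocs = set().union(*sets.values())
    covered = set().union(*(sets[n] for n in chosen))
    raw_count = sum(len(v) for v in pulses.values())
    return {"coverage": len(covered) / len(all_iocs),
            "source_reduction": 1 - len(chosen) / len(pulses),
            "ioc_reduction": 1 - len(all_iocs) / raw_count}
```

With the sample data the unbudgeted run keeps two of the four pulses at full coverage, while `budget=1` shows the coverage given up when the source budget is capped.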
