AutoCRAT: Automatic Cumulative Reconstruction of Alert Trees

Eric Ficke 1 [0000-0002-3762-6475], Raymond M. Bateman 2 [0000-0002-2949-5145], and Shouhuai Xu 3 [0000-0001-8034-0942]

1 The University of Texas at San Antonio, San Antonio, TX, USA
2 U.S. Army Research Laboratory South - Cyber, San Antonio, TX, USA
3 University of Colorado Colorado Springs, Colorado Springs, CO, USA

Abstract. When a network is attacked, cyber defenders need to precisely identify which systems (i.e., computers or devices) were compromised and what damage may have been inflicted. This process is sometimes referred to as cyber triage and is an important part of the incident response procedure. Cyber triage is challenging because the impacts of a network breach can be far-reaching with unpredictable consequences. This highlights the importance of automating this process. In this paper we propose AutoCRAT, a system for quantifying the breadth and severity of threats posed by a network exposure, and for prioritizing cyber triage activities during incident response. Specifically, AutoCRAT automatically reconstructs what we call alert trees, which track network security events emanating from, or leading to, a particular computer on the network. We validate the usefulness of AutoCRAT using a real-world dataset. Experimental results show that our prototype system can reconstruct alert trees efficiently and can facilitate data visualization in both incident response and threat intelligence analysis.

Keywords: Cyber Triage · Alert Tree · Alert Path · Threat Score · Alert Prioritization · Incident Response · Intrusion Detection · Cyber Attack

1 Introduction

In cyber incident response, the defender needs to precisely identify what happened to the network in question, including: how did the attacker propagate through the network, what was the attacker's intent, and where and how much damage did the attacker inflict?
Since attackers may target a large portion of a network, the defender must quickly and effectively determine the scope of their impact. Specifically, the defender must isolate the routes that the attacker may have used to enter and propagate through the network. These are referred to as alert paths, and may be aggregated into so-called alert trees. Isolating alert paths turns out to be a difficult task for two reasons. First, for any number of incoming alerts, the number of paths that need to be examined grows quadratically. This is the problem of efficiency. Second, without
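To make the notions of alert path and alert tree concrete, the following is an added example (not the AutoCRAT prototype's code) that reconstructs, from a constructed list of network alerts, every time-ordered alert path emanating from or leading to a chosen host, and aggregates them into that host's alert tree. It assumes each alert carries a timestamp, a source host and a destination host, and that consecutive hops on a path must be chronologically ordered; the host addresses, signatures and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts: (timestamp, source_host, destination_host, signature).
ALERTS = [
    (1, "10.0.0.5",  "10.0.0.7",  "ssh-bruteforce"),
    (2, "10.0.0.7",  "10.0.0.9",  "smb-lateral"),
    (3, "10.0.0.7",  "10.0.0.11", "rdp-login"),
    (4, "10.0.0.9",  "10.0.0.12", "data-exfil"),
    (0, "10.0.0.9",  "10.0.0.5",  "port-scan"),  # predates the chain: not a continuation
]

def index_alerts(alerts):
    """Index alerts by source host (forward tree) and by destination host (backward tree)."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for alert in alerts:
        _ts, src, dst, _sig = alert
        fwd[src].append(alert)
        bwd[dst].append(alert)
    return fwd, bwd

def alert_paths(root, index, forward, last_ts=None, seen=frozenset()):
    """Enumerate every maximal alert path emanating from root (forward=True)
    or leading to root (forward=False). A hop is only accepted if it is later
    (forward) or earlier (backward) than the previous hop, so an old alert is
    never glued onto a newer chain, and hosts are not revisited (no cycles).
    Each returned path is a list of alerts in chronological order."""
    paths = []
    for alert in index.get(root, []):
        ts, src, dst, _sig = alert
        nxt = dst if forward else src
        if nxt in seen or nxt == root:
            continue
        if last_ts is not None and (ts <= last_ts if forward else ts >= last_ts):
            continue
        extensions = alert_paths(nxt, index, forward, ts, seen | {root})
        if not extensions:
            paths.append([alert])
        for p in extensions:
            paths.append([alert] + p if forward else p + [alert])
    return paths

def alert_tree(root, alerts, forward=True):
    """Reconstruct root's alert tree: all of its alert paths plus the hosts they touch."""
    fwd, bwd = index_alerts(alerts)
    paths = alert_paths(root, fwd if forward else bwd, forward)
    hosts = {h for p in paths for a in p for h in (a[1], a[2])} - {root}
    return paths, hosts
```

The forward tree from 10.0.0.5 answers "what did this host go on to touch", the backward tree to 10.0.0.12 answers "how was this host reached"; both exclude the out-of-order port-scan alert because it cannot be a continuation of the chain.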