Journal: ACM Transactions on Software Engineering and Methodology
Authors: Zarrin Tasnim Sworna, Chadni Islam, and Muhammad Ali Babar.
Abstract: Security Orchestration, Automation, and Response (SOAR) platforms integrate and orchestrate a wide variety of security tools to accelerate the operational activities of Security Operations Centers (SOCs). Integration of security tools into a SOAR platform is mostly done manually and in an ad hoc manner using APIs, plugins, and scripts. SOC teams need to navigate the API calls of different security tools to find the API needed to define or update an incident response action. Analyzing API documentation that comes in diverse formats and presentation structures is challenging and time-consuming. We identify three key challenges for automatically identifying the security tool API specific to a task: data availability, data heterogeneity, and semantic variation. We therefore propose a novel learning-based framework, APIRO, for automatic recommendation of security tool APIs in a SOAR platform. APIRO is designed to retrieve API information from the API documentation of heterogeneous security tools. To mitigate the data availability constraint, APIRO enriches security tool API descriptions by applying a wide variety of data augmentation techniques. To handle the data heterogeneity of the security tools and the semantic variation in API descriptions, APIRO combines an API-specific word embedding model with a Convolutional Neural Network (CNN) model that together predict the top-3 relevant APIs for a task. We experimentally demonstrate the effectiveness of APIRO in recommending APIs for different tasks using 3 security tools and 36 augmentation techniques. Experimental results demonstrate the feasibility of the learning-based framework, which achieves 91.9% Top-1 accuracy for heterogeneous security tool API recommendation.
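The abstract describes a task-to-API recommendation pipeline (augment API descriptions, rank candidate APIs, report Top-k accuracy) and motivates augmentation by the semantic gap between an analyst's task wording and vendor API documentation. The following is an added illustration, not APIRO's code or data: it stands in a plain IDF-weighted lexical overlap ranker for the paper's word-embedding plus CNN model, and all tool names, API names, descriptions, synonym table, and task queries are constructed for the demo. It shows concretely why unaugmented lexical matching fails on reworded tasks and how Top-1 / Top-3 accuracy are computed.

```python
import math
import re
from collections import Counter

# Constructed API documentation snippets for three hypothetical security tools
# (firewall, EDR, SIEM). Not taken from any real vendor or from the paper's dataset.
API_DOCS = {
    "firewall.block_ip": "Block traffic from a source IP address on the firewall",
    "firewall.unblock_ip": "Remove an IP address from the firewall deny list",
    "edr.isolate_host": "Isolate an endpoint from the network during incident response",
    "edr.get_process_list": "List running processes on an endpoint",
    "siem.search_events": "Query security events from the SIEM index with a filter",
    "siem.create_alert": "Create a new alert rule in the SIEM",
}

# Constructed synonym table, a toy stand-in for the paper's 36 augmentation techniques.
SYNONYMS = {
    "block": ["deny", "drop"],
    "ip": ["host"],
    "isolate": ["quarantine", "contain"],
    "endpoint": ["machine", "workstation"],
    "query": ["search", "find"],
    "events": ["logs"],
    "create": ["add", "define"],
    "list": ["enumerate", "show"],
}

# Constructed analyst tasks with the API a SOC engineer would expect to be recommended.
TASKS = [
    ("quarantine a compromised workstation", "edr.isolate_host"),
    ("drop packets from a bad host", "firewall.block_ip"),
    ("search the logs for failed logins", "siem.search_events"),
    ("show running processes on the machine", "edr.get_process_list"),
    ("add an alert rule", "siem.create_alert"),
    ("remove the host from the firewall", "firewall.unblock_ip"),
]

STOPWORDS = {"a", "an", "the", "from", "on", "with", "of", "in", "during", "to", "for", "and"}


def tokenize(text):
    """Lower-case word tokens with a small stopword list removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def augment(description, synonyms):
    """Synonym-replacement augmentation: the original token list plus one
    variant per (token, synonym) pair, each replacing a single token."""
    tokens = tokenize(description)
    variants = [tokens]
    for i, tok in enumerate(tokens):
        for syn in synonyms.get(tok, []):
            variants.append(tokens[:i] + [syn] + tokens[i + 1:])
    return variants


def build_index(api_docs, synonyms=None):
    """Map each API to its token set (over all augmented variants when synonyms
    are given) and compute IDF weights over the API collection."""
    index = {}
    for api, desc in api_docs.items():
        variants = augment(desc, synonyms) if synonyms else [tokenize(desc)]
        index[api] = {tok for variant in variants for tok in variant}
    df = Counter(tok for toks in index.values() for tok in toks)
    n = len(index)
    idf = {tok: math.log(1 + n / count) for tok, count in df.items()}
    return index, idf


def recommend(task, index, idf, k=3):
    """Rank APIs by IDF-weighted overlap with the task wording and return the
    top-k. APIs sharing no token with the task are not recommended at all."""
    query = set(tokenize(task))
    scored = [(sum(idf[t] for t in query & toks), api) for api, toks in index.items()]
    scored = [(s, api) for s, api in scored if s > 0]
    scored.sort(key=lambda pair: -pair[0])  # stable sort: ties keep dict order
    return [api for _, api in scored[:k]]


def top_k_accuracy(tasks, index, idf, k):
    """Fraction of tasks whose expected API appears in the top-k recommendations."""
    hits = sum(1 for task, expected in tasks if expected in recommend(task, index, idf, k))
    return hits / len(tasks)


if __name__ == "__main__":
    for label, syn in (("no augmentation", None), ("synonym augmentation", SYNONYMS)):
        index, idf = build_index(API_DOCS, syn)
        print(f"{label}: Top-1 {top_k_accuracy(TASKS, index, idf, 1):.2f}, "
              f"Top-3 {top_k_accuracy(TASKS, index, idf, 3):.2f}")
        print("   quarantine a compromised workstation ->",
              recommend("quarantine a compromised workstation", index, idf))
```

Without augmentation, half of the constructed tasks return no candidate at all because the analyst's wording ("quarantine", "logs", "drop") never occurs in the documentation; with the synonym variants indexed, every task resolves. A learned model such as the paper's embedding plus CNN generalises this by scoring semantic rather than exact-token similarity, but the evaluation loop (rank, check whether the expected API is in the top-k, average over tasks) is the same one behind the reported Top-1 accuracy.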