To enhance the efficiency of incident response triage operations, it is not cost-effective to defend all systems equally in a complex cyber environment. Instead, prioritizing the defense of critical functionality and the most vulnerable systems is desirable. Threat intelligence is crucial for guiding Security Operations Center (SOC) analysts' focus toward specific system activity and provides the primary contextual foundation for interpreting security alerts. This paper explores novel approaches for improving incident response triage operations, including dealing with attacks and zero-day malware. This solution for rapid prioritization of different malware have been raised to formulate fast response plans to minimize socioeconomic damage from the massive growth of malware attacks in recent years, it can also be extended to other incident response. We propose a malware triage approach that can rapidly classify and prioritize different malware classes to address this concern. We utilize a pre-trained ResNet18 network based on Siamese Neural Network (SNN) to reduce the biases in weights and parameters. Furthermore, our approach incorporates external task memory to retain the task information of previously encountered examples. This helps to transfer experience to new samples and reduces computational costs, without requiring backpropagation on external memory. Evaluation results indicate that the classification aspect of our proposed method surpasses other similar classification techniques in terms of performance. This new triage strategy based on task memory with meta-learning evaluates the level of similarity matching across malware classes to identify any risky and unknown malware (e.g., zero-day attacks) so that a defense of those that support critical functionality can be conducted.

翻译：为了提升事件响应分类操作效率，在复杂的网络环境中对所有系统实施同等防御并不经济有效。相反，优先保护关键功能模块和最脆弱系统更具可行性。威胁情报对于引导安全运营中心分析师聚焦特定系统活动至关重要，同时为解读安全警报提供核心背景依据。本文探索了改进事件响应分类操作的新方法，包括应对攻击和零日恶意软件。针对近年来恶意软件攻击激增的现状，我们提出了快速优先级排序解决方案以制定快速响应策略，从而最大程度降低社会经济损失，该方法还可推广至其他事件响应场景。我们提出了一种恶意软件分流方法，可快速分类并排序不同恶意软件类别。该方法采用基于孪生神经网络的预训练ResNet18网络，以降低权重和参数偏差。此外，我们的方法引入外部任务记忆机制来存储先前样本的任务信息，这有助于将经验迁移至新样本，并在无需外部存储器反向传播的情况下降低计算成本。评估结果表明，我们提出的分类方法在性能上优于其他同类分类技术。这种基于任务记忆与元学习的新型分流策略通过跨恶意软件类别的相似度匹配评估，能够识别高风险和未知恶意软件（如零日攻击），从而支持对关键功能模块实施优先防御。