Litcius/Paper detail

Dealing with Security Alert Flooding: Using Machine Learning for Domain-independent Alert Aggregation

Max Landauer, Florian Skopik, Markus Wurzenberger, Andreas Rauber

2022ACM Transactions on Privacy and Security36 citationsDOIOpen Access PDF

Abstract

Intrusion Detection Systems (IDS) secure all kinds of IT infrastructures through automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF that include IP addresses. This makes the application of existing aggregation methods infeasible for alerts from host-based or anomaly-based IDSs that frequently lack such network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alerts and alert groups. Based on these metrics and techniques we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around \( 80\% \) and assigning attack classifiers to the groups with true positive rates of \( 80\% \) and false positive rates lower than \( 5\% \) .

Topics & Concepts

Computer scienceIntrusion detection systemAnomaly detectionFlooding (psychology)Data miningDomain (mathematical analysis)Host (biology)Similarity (geometry)Attack patternsMachine learningArtificial intelligenceImage (mathematics)BiologyPsychotherapistMathematical analysisEcologyPsychologyMathematicsNetwork Security and Intrusion DetectionAnomaly Detection Techniques and ApplicationsSoftware System Performance and Reliability