NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, Adam Bates
{"title":"NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage","authors":"Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, Adam Bates","doi":"10.14722/ndss.2019.23349","DOIUrl":null,"url":null,"abstract":"—Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present N O D OZE to combat this challenge using contextual and historical information of generated threat alert. N O D OZE first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each edge in the dependency graph based on the frequency with which related events have happened before in the enterprise. N O D OZE then propagates those scores along the neighboring edges of the graph using a novel network diffusion algorithm and generates an aggregate anomaly score which is used for triaging. We deployed and evaluated N O D OZE at NEC Labs America. Evaluation on our dataset of 364 threat alerts shows that N O D OZE consistently ranked the true alerts higher than the false alerts based on aggregate anomaly scores. Further, through the introduction of a cutoff threshold for anomaly scores, we estimate that our system decreases the volume of false alarms by 84%, saving analysts’ more than 90 hours of investigation time per week. N O D OZE generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.","PeriodicalId":20444,"journal":{"name":"Proceedings 2019 Network and Distributed System Security Symposium","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"155","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings 2019 Network and Distributed System Security Symposium","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.14722/ndss.2019.23349","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 155

Abstract

—Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present N O D OZE to combat this challenge using contextual and historical information of generated threat alert. N O D OZE first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each edge in the dependency graph based on the frequency with which related events have happened before in the enterprise. N O D OZE then propagates those scores along the neighboring edges of the graph using a novel network diffusion algorithm and generates an aggregate anomaly score which is used for triaging. We deployed and evaluated N O D OZE at NEC Labs America. Evaluation on our dataset of 364 threat alerts shows that N O D OZE consistently ranked the true alerts higher than the false alerts based on aggregate anomaly scores. Further, through the introduction of a cutoff threshold for anomaly scores, we estimate that our system decreases the volume of false alarms by 84%, saving analysts’ more than 90 hours of investigation time per week. N O D OZE generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
NoDoze:通过自动来源分类对抗威胁警报疲劳
-大型企业越来越依赖威胁检测软件(例如,入侵检测系统)来发现可疑活动。这些软件产生警报,必须由网络分析师进行调查,以确定它们是否是真正的攻击。不幸的是,在实践中,网络分析师无法正确调查的警报数量太多。这导致了“威胁警报疲劳”或信息过载问题,即网络分析师在虚假警报的噪音中错过了真正的攻击警报。在本文中,我们提出了N O D OZE,利用生成的威胁警报的上下文和历史信息来应对这一挑战。OZE首先生成警报事件的因果依赖关系图。然后,它根据相关事件之前在企业中发生的频率,为依赖图中的每条边分配一个异常分数。然后,N O D OZE使用一种新的网络扩散算法沿图的邻近边缘传播这些分数,并生成一个用于分类的汇总异常分数。我们在NEC美国实验室部署并评估了N O D OZE。对我们的364个威胁警报数据集的评估表明,基于总异常得分,N O D OZE始终将真实警报排在高于虚假警报的位置。此外,通过引入异常分数的截止阈值,我们估计我们的系统将误报警的数量减少了84%,为分析师节省了每周90多个小时的调查时间。n.o.d OZE生成的警报依赖关系图比传统工具生成的依赖关系图小两个数量级,而不会牺牲调查所需的重要信息。我们的系统具有较低的平均运行时开销,可以与任何威胁检测软件一起部署。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Network and System Security: 17th International Conference, NSS 2023, Canterbury, UK, August 14–16, 2023, Proceedings Network and System Security: 16th International Conference, NSS 2022, Denarau Island, Fiji, December 9–12, 2022, Proceedings Network and System Security: 15th International Conference, NSS 2021, Tianjin, China, October 23, 2021, Proceedings Network and System Security: 14th International Conference, NSS 2020, Melbourne, VIC, Australia, November 25–27, 2020, Proceedings Neuro-Symbolic Execution: Augmenting Symbolic Execution with Neural Constraints
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1