DOI: 10.1145/3474718.3474723 (research article, CSET conference proceedings)

Combat Security Alert Fatigue with AI-Assisted Techniques

Published: 07 September 2021

Abstract

The main challenge for security information and event management (SIEM) is to find critical security incidents among a huge number of false alerts generated by separate security products. To address the alert fatigue problem that is common for security experts operating a SIEM, we propose a new alert screening scheme that leverages artificial intelligence (AI)-assisted tools to distinguish actual threats from false alarms without investigating every alert. The proposed scheme incorporates carefully chosen learning algorithms and newly designed visualization tools to facilitate speedy alert analysis and incident response. The proposed scheme is evaluated on an alert dataset collected in the security operation center of an enterprise. With a recall rate of 99.598% for highly critical alerts and a false positive rate of 0.001%, the proposed scheme demonstrated very promising potential for real-world security operations. We believe the proposed scheme is effective in addressing the alert fatigue problem, and therefore paves the way for a consolidated security solution for network security at the enterprise level.




        Published In

        CSET '21: Proceedings of the 14th Cyber Security Experimentation and Test Workshop
        August 2021, 95 pages
        ISBN: 9781450390651
        DOI: 10.1145/3474718
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery, New York, NY, United States


        Author Tags

        1. Intrusion detection systems
        2. alert fatigue
        3. security alert analysis

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Funding Sources

        • The Ministry of Internal Affairs and Communications, Japan

        Conference

        CSET '21


        Article Metrics

        • Downloads (Last 12 months)259
        • Downloads (Last 6 weeks)16
        Reflects downloads up to 26 Sep 2024

        Cited By

        • Humans and Automation: Augmenting Security Operation Centers. Journal of Cybersecurity and Privacy 4(3), 388–409 (online 1 Jul 2024). https://doi.org/10.3390/jcp4030020
        • Automation Bias and Complacency in Security Operation Centers. Computers 13(7), 165 (online 3 Jul 2024). https://doi.org/10.3390/computers13070165
        • Automated Monitoring of Ear Biting in Pigs by Tracking Individuals and Events. 2024 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV), 7080–7088 (online 3 Jan 2024). https://doi.org/10.1109/WACV57701.2024.00694
        • Security Dataset Augmentation Invariance and Distribution Independence. 2024 International Conference on Computing, Networking and Communications (ICNC), 70–75 (online 19 Feb 2024). https://doi.org/10.1109/ICNC59896.2024.10555950
        • Network IDS alert classification with active learning techniques. Journal of Information Security and Applications 81, 103687 (online Mar 2024). https://doi.org/10.1016/j.jisa.2023.103687
        • Stream clustering guided supervised learning for classifying NIDS alerts. Future Generation Computer Systems 155(C), 231–244 (online 1 Jun 2024). https://doi.org/10.1016/j.future.2024.01.032
        • Assessing the Challenges Faced by Security Operations Centres (SOC). Advances in Information and Communication, 256–271 (online 17 Mar 2024). https://doi.org/10.1007/978-3-031-53963-3_18
        • Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response. Applied Sciences 13(11), 6610 (online 29 May 2023). https://doi.org/10.3390/app13116610
        • AI-Assisted Security Alert Data Analysis with Imbalanced Learning Methods. Applied Sciences 13(3), 1977 (online 3 Feb 2023). https://doi.org/10.3390/app13031977
        • Mitigate: Toward Comprehensive Research and Development for Analyzing and Combating IoT Malware. IEICE Transactions on Information and Systems E106.D(9), 1302–1315 (online 1 Sep 2023). https://doi.org/10.1587/transinf.2022ICI0001
