Abstract
The threat-alert fatigue problem, which is the inability of security operators to genuinely investigate each alert coming from network-based intrusion detection systems, causes many unexplored alerts and hence a deterioration of the quality of service. Motivated by this pressing need to reduce the number of threat-alerts presented to security operators for manual investigation, we propose a scheme that can triage alerts of significance from massive threat-alert logs. Thanks to the fully unsupervised nature of the adopted isolation forest method, the proposed scheme does not require any prior labeling information and thus is readily adaptable for most enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, it can be used in an online mode that takes in the most recent information from past alerts and predicts the incoming ones. We evaluated the performance of our scheme using a 10-month dataset consisting of more than half a million alerts collected in a real-world enterprise environment and found that it could screen out 87.41% of the alerts without missing any single significant ones. This study demonstrates the efficacy of unsupervised learning in screening minor threat-alerts and is expected to shed light on the threat-alert fatigue problem.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The 0.04% difference here caused by 291 of the true alerts is excluded from the 12.55% FPR.
References
Ding, Z., Fei, M.: An anomaly detection approach based on isolation forest algorithm for streaming data using sliding window. IFAC Proc. Vol. 46(20), 12–17 (2013)
Hassan, W.U., Guo, S., Li, D., Chen, Z., Jee, K., Li, Z., Bates, A.: NoDoze: combatting threat alert fatigue with automated provenance triage. In: Network and Distributed Systems Security (NDSS) Symposium 2019 (2019)
ArcSight, Inc.: Common event format (2010). https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP-KNOWLEDGEBASE/78000/KB78712/. Accessed 17 Apr 2019
Liu, F.T., Ting, K.M., Zhou, Z.H.: Isolation forest. In: 2008 Eighth IEEE International Conference on Data Mining, pp. 413–422. IEEE (2008)
Marwaha, N.: System and method for providing common event format using alert index. US Patent 7,139,938, 21 November 2006
Sun, L., Versteeg, S., Boztas, S., Rao, A.: Detecting anomalous user behavior using an extended isolation forest algorithm: an enterprise case study. arXiv preprint arXiv:1609.06676 (2016)
Susto, G.A., Beghi, A., McLoone, S.: Anomaly detection through on-line isolation forest: an application to plasma etching. In: 2017 28th Annual SEMI Advanced Semiconductor Manufacturing Conference (ASMC), pp. 89–94. IEEE (2017)
Tharwat, A.: Classification assessment methods. Appl. Comput. Inform. (2018). https://doi.org/10.1016/j.aci.2018.08.003
Tuor, A., Kaplan, S., Hutchinson, B., Nichols, N., Robinson, S.: Deep learning for unsupervised insider threat detection in structured cybersecurity data streams. In: Workshops at the Thirty-First AAAI Conference on Artificial Intelligence (2017)
Ulevitch, D.: Cisco 2017 Annual Cybersecurity Report: The Hidden Danger of Uninvestigated Threats (2017). https://blogs.cisco.com/security/cisco-2017-annual-cybersecurity-report-the-hidden-danger-of-uninvestigated-threats. Accessed 17 Apr 2019
Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: Comprehensive approach to intrusion detection alert correlation. IEEE Trans. Dependable Secur. Comput. 1(3), 146–169 (2004)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Aminanto, M.E., Zhu, L., Ban, T., Isawa, R., Takahashi, T., Inoue, D. (2019). Combating Threat-Alert Fatigue with Online Anomaly Detection Using Isolation Forest. In: Gedeon, T., Wong, K., Lee, M. (eds) Neural Information Processing. ICONIP 2019. Lecture Notes in Computer Science(), vol 11953. Springer, Cham. https://doi.org/10.1007/978-3-030-36708-4_62
Download citation
DOI: https://doi.org/10.1007/978-3-030-36708-4_62
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36707-7
Online ISBN: 978-3-030-36708-4
eBook Packages: Computer ScienceComputer Science (R0)