Threat Alert Prioritization Using Isolation Forest and Stacked Auto Encoder With Day-Forward-Chaining Analysis

Security Incident and Event Manager (SIEM) is a security management approach designed to identify possible threats within a real-time enterprise environment. The main challenge for SIEM is to find critical security incidents among a huge number of less critical alerts coming from separate security products. The continuously growing number of internet-connected devices has led to the alert fatigue problem, which is defined as the inability of security operators to investigate each incoming alert from intrusion detection systems. This fatigue can lead to human errors and leave many alerts uninvestigated. Aiming at reducing the number of less important threat alerts presented to security operators, this paper presents a new method for highlighting critical alerts with a minimal number of false negatives. The proposed method employs isolation forest to ensure unsupervised performance and adaptability to different types of networks. Furthermore, it takes advantage of day-forward-chaining analysis to ensure the detection of highly important alerts in real time. The number of false positive cases is reduced by employing an autoencoder. The proposed method achieved a recall score of 95.89% and a false positive rate of 5.86% on a dataset comprising more than half a million alerts collected in a real-world enterprise environment over ten months. This study highlights the importance of addressing the alert fatigue problem and validates the effectiveness of unsupervised learning in filtering out less important threat alerts.
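The evaluation pipeline the abstract describes, as an added example that is not the paper's code: a minimal isolation forest in pure Python, a day-forward-chaining loop that trains only on alerts from days before day d and then scores day d, and recall / false-positive-rate bookkeeping over all scored days. The alert stream, the two per-alert features (events in the preceding minute, distinct destination ports), the alert-score threshold of 0.6, and the forest parameters are constructed assumptions chosen for illustration; the autoencoder stage the paper uses to cut false positives is omitted.

```python
"""Day-forward-chaining evaluation of an isolation-forest alert triager.

Added example, not the paper's code. Pure Python so it runs offline.
"""
import math
import random

EULER_GAMMA = 0.5772156649


def _c(n):
    """Average path length of an unsuccessful BST search on n points,
    the normalising constant used by the isolation forest score."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _build_tree(points, depth, limit, rng):
    """Build one isolation tree by random axis-aligned splits.
    A leaf is ("leaf", size); an inner node is ("node", dim, split, l, r)."""
    if depth >= limit or len(points) <= 1:
        return ("leaf", len(points))
    dim = rng.randrange(len(points[0]))
    lo = min(p[dim] for p in points)
    hi = max(p[dim] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[dim] < split]
    right = [p for p in points if p[dim] >= split]
    if not left or not right:
        return ("leaf", len(points))
    return ("node", dim, split,
            _build_tree(left, depth + 1, limit, rng),
            _build_tree(right, depth + 1, limit, rng))


def _path_length(tree, point, depth=0):
    """Depth at which `point` is isolated, plus the c(size) correction
    for leaves that were cut off by the height limit."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, dim, split, left, right = tree
    return _path_length(left if point[dim] < split else right, point, depth + 1)


class IsolationForest:
    """Unsupervised anomaly scorer: short average path => anomalous."""

    def __init__(self, n_trees=100, sample_size=64, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng = random.Random(seed)
        self.trees, self.psi = [], 0

    def fit(self, points):
        self.psi = min(self.sample_size, len(points))
        limit = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [_build_tree(self.rng.sample(points, self.psi), 0, limit, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, point):
        """Anomaly score in (0, 1); values near 1 mean easily isolated."""
        avg = sum(_path_length(t, point) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.psi))


def make_alerts(n_days=10, per_day=60, critical_per_day=3, seed=1):
    """Constructed alert stream: (day, features, is_critical).
    Features (assumed): events in the last minute, distinct destination ports.
    Critical alerts are placed far from the benign cloud so the example is clear."""
    rng = random.Random(seed)
    alerts = []
    for day in range(n_days):
        alerts += [(day, (rng.uniform(0, 10), rng.uniform(0, 10)), False)
                   for _ in range(per_day)]
        alerts += [(day, (rng.uniform(60, 100), rng.uniform(60, 100)), True)
                   for _ in range(critical_per_day)]
    return alerts


def day_forward_chaining(alerts, threshold=0.6, **forest_kw):
    """For every day d >= 1: fit on all alerts from days < d, score day d.
    Returns (recall, false_positive_rate, number_of_scored_days)."""
    days = sorted({a[0] for a in alerts})
    tp = fn = fp = tn = 0
    for day in days[1:]:
        train = [a[1] for a in alerts if a[0] < day]   # strictly earlier days only
        forest = IsolationForest(**forest_kw).fit(train)
        for _, feats, critical in (a for a in alerts if a[0] == day):
            flagged = forest.score(feats) >= threshold
            if critical:
                tp, fn = (tp + 1, fn) if flagged else (tp, fn + 1)
            else:
                fp, tn = (fp + 1, tn) if flagged else (fp, tn + 1)
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return recall, fpr, len(days) - 1


if __name__ == "__main__":
    r, f, n = day_forward_chaining(make_alerts())
    print(f"scored {n} days: recall={r:.3f} fpr={f:.3f}")
```

Because each day is scored by a model that has seen only earlier days, the recall and false-positive rate reflect what an operator would have faced in real time; a random train/test split over the whole stream would let future alerts influence the scoring of past ones and overstate performance.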
