Near real-time intrusion alert aggregation using concept-based learning

Gordon Werner, S. Yang, K. McConky
DOI: 10.1145/3457388.3458663 (https://doi.org/10.1145/3457388.3458663)
Venue: Proceedings of the 18th ACM International Conference on Computing Frontiers
Published: 2021-05-11
Citations: 5

Abstract

Intrusion detection systems generate a large number of streaming alerts. It can be overwhelming for analysts to quickly and effectively find related alerts stemming from correlated attack actions. What if fast-arriving alerts could be automatically processed, with no prior knowledge, to find related actions in near real-time? The Concept Learning for Intrusion Event Aggregation in Realtime (CLEAR) system aims to learn and update an evolving set of temporal 'concepts,' each consisting of aggregates of related alerts that exhibit similar statistical arrival patterns. With no training data, the system constructs the concepts in near real-time from statistically similar alert aggregates. Tracked concepts are then applied to incoming alerts for fast and high-fidelity aggregation. The concepts learned by CLEAR are significantly more unique and invariant when compared to those learned by alternative drift detection methods. Furthermore, it provides insights into how specific individual, or co-occurring, alerts arrive with distinct and consistent temporal patterns.
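As an added illustration, not code from the paper and not the CLEAR algorithm itself (the abstract does not give its internals), the Python sketch below shows the kind of unsupervised, streaming grouping the abstract describes: every alert signature keeps running inter-arrival statistics (Welford's online mean and variance), signatures whose statistics look alike are pulled into the same 'concept' by nearest-centroid clustering with adaptive centroids, and each incoming alert is tagged with its signature's current concept. The feature vector, the distance threshold, the adaptation rate and the sample alert stream (a fixed-period beacon plus two signatures that burst together) are all assumptions constructed for this example.

```python
"""Toy online aggregation of IDS alerts into arrival-pattern 'concepts'.

Illustrative only: a simplified scheme in the spirit of the abstract, NOT the
CLEAR algorithm. Each alert key (here, the signature name) keeps running
inter-arrival statistics; keys whose statistics look alike are grouped into a
concept; incoming alerts are tagged with their key's current concept.
"""
import math
from collections import defaultdict


class ArrivalStats:
    """Welford online mean/variance of inter-arrival gaps for one alert key."""

    def __init__(self):
        self.n = 0            # number of gaps seen so far
        self.mean = 0.0
        self.m2 = 0.0         # running sum of squared deviations
        self.last_ts = None

    def update(self, ts):
        if self.last_ts is not None:
            gap = ts - self.last_ts
            self.n += 1
            delta = gap - self.mean
            self.mean += delta / self.n
            self.m2 += delta * (gap - self.mean)
        self.last_ts = ts

    def feature(self):
        """(log mean gap, log(1 + coefficient of variation)), or None until at
        least three gaps have been observed. Assumed feature choice."""
        if self.n < 3 or self.mean <= 0:
            return None
        var = max(self.m2, 0.0) / (self.n - 1)   # clamp float noise
        cv = math.sqrt(var) / self.mean
        return (math.log(self.mean), math.log1p(cv))


class ConceptTracker:
    """Incremental nearest-centroid clustering of alert keys by arrival feature."""

    def __init__(self, threshold=1.0, alpha=0.1):
        self.threshold = threshold   # assumed max distance to join a concept
        self.alpha = alpha           # assumed centroid adaptation rate
        self.stats = defaultdict(ArrivalStats)
        self.centroids = []          # concept id -> [log_mean, log1p_cv]
        self.assignment = {}         # alert key -> current concept id

    def observe(self, ts, key):
        """Feed one alert; return the concept id now assigned to its key, or
        None while the key's arrival statistics are still immature."""
        st = self.stats[key]
        st.update(ts)
        f = st.feature()
        if f is None:
            return None
        best, best_d = None, math.inf
        for cid, c in enumerate(self.centroids):
            d = math.hypot(f[0] - c[0], f[1] - c[1])
            if d < best_d:
                best, best_d = cid, d
        if best is None or best_d > self.threshold:
            self.centroids.append(list(f))        # open a new concept
            best = len(self.centroids) - 1
        else:                                     # track drift: pull centroid toward feature
            c = self.centroids[best]
            c[0] += self.alpha * (f[0] - c[0])
            c[1] += self.alpha * (f[1] - c[1])
        self.assignment[key] = best
        return best

    def members(self):
        """Map each concept id to the set of keys currently assigned to it."""
        out = defaultdict(set)
        for key, cid in self.assignment.items():
            out[cid].add(key)
        return dict(out)


def constructed_stream():
    """Constructed sample alert stream of (timestamp seconds, signature). Not real data."""
    events = [(60.0 * i, "beacon") for i in range(30)]           # steady 60 s period
    for start in (100.0, 700.0, 1300.0):                          # three co-occurring bursts
        events += [(start + 0.5 * i, "scan_a") for i in range(10)]
        events += [(start + 0.1 + 0.5 * i, "scan_b") for i in range(10)]
    return sorted(events)


def run_demo(threshold=1.0):
    tracker = ConceptTracker(threshold=threshold)
    for ts, sig in constructed_stream():
        tracker.observe(ts, sig)
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for cid, keys in sorted(t.members().items()):
        print(f"concept {cid}: {sorted(keys)}  centroid={t.centroids[cid]}")
```

Running it prints two populated concepts: the beacon sits alone, and the two burst signatures share a concept because their inter-arrival statistics are near-identical. A third concept, opened during the first burst when the scan signatures still looked like a steady 0.5 s stream, is left empty once the long inter-burst gap reshapes their statistics, which is a small illustration of why the abstract stresses that concepts must be updated as the stream evolves rather than learned once.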