Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, Adam Bates
Title: NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage
Venue: Proceedings 2019 Network and Distributed System Security Symposium (NDSS 2019)
Publication date: 2019-01-01
DOI: 10.14722/ndss.2019.23349 (https://doi.org/10.14722/ndss.2019.23349)
Citation count: 155 (Semantic Scholar)
Abstract
Large enterprises are increasingly relying on threat detection software (e.g., Intrusion Detection Systems) to spot suspicious activities. This software generates alerts which must be investigated by cyber analysts to determine whether they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NoDoze to combat this challenge using contextual and historical information about generated threat alerts. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each edge in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the neighboring edges of the graph using a novel network diffusion algorithm and generates an aggregate anomaly score which is used for triaging. We deployed and evaluated NoDoze at NEC Labs America. Evaluation on our dataset of 364 threat alerts shows that NoDoze consistently ranked the true alerts higher than the false alerts based on aggregate anomaly scores. Further, through the introduction of a cutoff threshold for anomaly scores, we estimate that our system decreases the volume of false alarms by 84%, saving analysts more than 90 hours of investigation time per week. NoDoze generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.
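The abstract names the four stages of the pipeline (dependency graph, per-edge frequency-based anomaly score, score propagation, aggregate score with a cutoff) but not the exact formulas. The following is an added toy illustration of that pipeline, not the NoDoze implementation or the authors' code. It assumes an edge's anomaly score is -log of an add-one-smoothed transition probability estimated from historical counts, and it replaces the paper's network diffusion with a simpler backward max-path propagation. The history table, process names, addresses and the two alerts are all constructed.

```python
import math
from collections import defaultdict

# Constructed historical event counts for the enterprise (not real data): how
# many times each (source, event, destination) edge was observed before the
# alerts below were raised. Edges absent from this table have count 0.
HISTORY = {
    ("cron", "exec", "bash"):                12000,
    ("sshd", "exec", "bash"):                 9000,
    ("bash", "exec", "curl"):                 5000,
    ("bash", "exec", "python3"):              3000,
    ("bash", "exec", "nc"):                      3,
    ("curl", "connect", "10.0.0.5:443"):      2000,
    ("python3", "write", "/tmp/report.csv"):   800,
}


def edge_anomaly(edge, history=HISTORY):
    """Anomaly score of a single dependency-graph edge.

    Assumed scoring (illustrative, not the paper's formula): the edge's
    transition probability is estimated from history with add-one smoothing,
    p = (count(edge) + 1) / (count(all edges leaving src) + 2), and the
    anomaly score is -log(p). Frequent edges score near 0; an edge that was
    never seen leaving a busy source scores high but stays finite.
    """
    src = edge[0]
    outgoing = sum(c for (s, _, _), c in history.items() if s == src)
    p = (history.get(edge, 0) + 1) / (outgoing + 2)
    return -math.log(p)


def aggregate_score(alert_graph, history=HISTORY):
    """Propagate edge scores through an alert's causal dependency graph.

    alert_graph is the list of (src, event, dst) edges that are causal
    ancestors of the alert, with the alert event itself as the last edge.
    Propagation here is a backward max-path (an assumption; the paper uses a
    network diffusion algorithm): score(node) = max over incoming edges of
    edge_anomaly(edge) + score(edge.src), with roots scoring 0. The alert's
    aggregate score is the score of the alert edge's destination, i.e. the
    cost of the least likely causal chain ending in the alert. The graph is
    assumed acyclic, which holds for time-ordered provenance.
    """
    incoming = defaultdict(list)
    for src, event, dst in alert_graph:
        incoming[dst].append((src, event, dst))

    memo = {}

    def node_score(node):
        if node not in memo:
            memo[node] = max(
                (edge_anomaly(e, history) + node_score(e[0]) for e in incoming[node]),
                default=0.0,
            )
        return memo[node]

    return node_score(alert_graph[-1][2])


def triage(alerts, threshold, history=HISTORY):
    """Rank alerts by aggregate anomaly score and apply a cutoff.

    alerts maps an alert name to its dependency graph. Returns a list of
    (name, score, needs_investigation) sorted from most to least anomalous;
    entries with needs_investigation False are the ones the cutoff suppresses.
    """
    scored = [(name, aggregate_score(g, history)) for name, g in alerts.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, score >= threshold) for name, score in scored]


# Constructed dependency graphs for two alerts raised by the same detection
# rule ("process opened an outbound connection"). The first is a reverse
# shell spawned from an SSH session; the second is a routine cron job.
ALERTS = {
    "reverse_shell": [
        ("sshd", "exec", "bash"),
        ("bash", "exec", "nc"),
        ("nc", "connect", "203.0.113.9:4444"),
    ],
    "cron_curl": [
        ("cron", "exec", "bash"),
        ("bash", "exec", "curl"),
        ("curl", "connect", "10.0.0.5:443"),
    ],
}

if __name__ == "__main__":
    for name, score, flagged in triage(ALERTS, threshold=3.0):
        print(f"{name:14s} score={score:6.2f} {'INVESTIGATE' if flagged else 'suppress'}")
```

Both alerts fire the same rule, so the detector alone cannot separate them; the dependency graph does. The `bash -> nc` edge has been seen 3 times against 8000 other `bash` children, so it alone contributes a score above 7, while every edge of the cron path is routine and the whole chain stays below 1. The cutoff (3.0 here, a constructed value) then suppresses the cron alert and surfaces the reverse shell, which is the triage effect the abstract describes. In a real deployment the threshold is tuned against labelled alerts, and the history table must be built from the same provenance source that produces the alert graphs, or the frequencies will not be comparable.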