Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest

Muhamad Erza Aminanto; Lei Zhu; Tao Ban; Ryoichi Isawa; Takeshi Takahashi; Daisuke Inoue

doi:10.1109/PST47121.2019.8949029

Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest

Muhamad Erza Aminanto, Lei Zhu, Tao Ban, Ryoichi Isawa, Takeshi Takahashi, Daisuke Inoue

School of Strategic and Global Studies

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

13 Citations (Scopus)

Abstract

Network-based intrusion detection systems (NIDSes) tend to output massive alert logs to cover all suspicious communications that deviate from normal network traffic. Due to the tremendous volume of these alert logs, real-time incident response or keeping in pace with the alerts sometimes turns out to be impractical for security operators who have to genuinely investigate each alert to verify whether immediate remedial action is necessary. This problem, known as the threat-alert fatigue problem, causes many unexplored alerts and hence deteriorates the quality of service (QoS). In order to reduce the massive number of alerts, we propose an alert screening scheme that can triage alerts on the basis of the potential of a vast threat. We leverage the fully unsupervised nature of the adopted isolation forest method. Our proposed scheme does not require any prior labeling information and is thus suitable for most NIDSes deployed in enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, we observe that each period (currently set to one day) has its distinct characteristics, which can be exploited to isolate anomalies. This study demonstrates the advantages of unsupervised learning in reducing vast threat alerts and lays the groundwork for battling the alert fatigue problem.

Original language	English
Title of host publication	2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings
Editors	Ali Ghorbani, Indrakshi Ray, Arash Habibi Lashkari, Jie Zhang, Rongxing Lu
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781728132655
DOIs	https://doi.org/10.1109/PST47121.2019.8949029
Publication status	Published - Aug 2019
Event	17th International Conference on Privacy, Security and Trust, PST 2019 - Fredericton, Canada Duration: 26 Aug 2019 → 28 Aug 2019

Publication series

Name	2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings

Conference

Conference	17th International Conference on Privacy, Security and Trust, PST 2019
Country/Territory	Canada
City	Fredericton
Period	26/08/19 → 28/08/19

Keywords

alert screening
intrusion detection
isolation forest
machine learning
threat alert fatigue

Access to Document

10.1109/PST47121.2019.8949029

Cite this

Aminanto, M. E., Zhu, L., Ban, T., Isawa, R., Takahashi, T., & Inoue, D. (2019). Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest. In A. Ghorbani, I. Ray, A. H. Lashkari, J. Zhang, & R. Lu (Eds.), 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings Article 8949029 (2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/PST47121.2019.8949029

Aminanto, Muhamad Erza ; Zhu, Lei ; Ban, Tao et al. / Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest. 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings. editor / Ali Ghorbani ; Indrakshi Ray ; Arash Habibi Lashkari ; Jie Zhang ; Rongxing Lu. Institute of Electrical and Electronics Engineers Inc., 2019. (2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings).

@inproceedings{55e6b6ec2074439bba87a5eb3919c15f,

title = "Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest",

abstract = "Network-based intrusion detection systems (NIDSes) tend to output massive alert logs to cover all suspicious communications that deviate from normal network traffic. Due to the tremendous volume of these alert logs, real-time incident response or keeping in pace with the alerts sometimes turns out to be impractical for security operators who have to genuinely investigate each alert to verify whether immediate remedial action is necessary. This problem, known as the threat-alert fatigue problem, causes many unexplored alerts and hence deteriorates the quality of service (QoS). In order to reduce the massive number of alerts, we propose an alert screening scheme that can triage alerts on the basis of the potential of a vast threat. We leverage the fully unsupervised nature of the adopted isolation forest method. Our proposed scheme does not require any prior labeling information and is thus suitable for most NIDSes deployed in enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, we observe that each period (currently set to one day) has its distinct characteristics, which can be exploited to isolate anomalies. This study demonstrates the advantages of unsupervised learning in reducing vast threat alerts and lays the groundwork for battling the alert fatigue problem.",

keywords = "alert screening, intrusion detection, isolation forest, machine learning, threat alert fatigue",

author = "Aminanto, {Muhamad Erza} and Lei Zhu and Tao Ban and Ryoichi Isawa and Takeshi Takahashi and Daisuke Inoue",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.; 17th International Conference on Privacy, Security and Trust, PST 2019 ; Conference date: 26-08-2019 Through 28-08-2019",

year = "2019",

month = aug,

doi = "10.1109/PST47121.2019.8949029",

language = "English",

series = "2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

editor = "Ali Ghorbani and Indrakshi Ray and Lashkari, {Arash Habibi} and Jie Zhang and Rongxing Lu",

booktitle = "2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings",

address = "United States",

}

Aminanto, ME, Zhu, L, Ban, T, Isawa, R, Takahashi, T & Inoue, D 2019, Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest. in A Ghorbani, I Ray, AH Lashkari, J Zhang & R Lu (eds), 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings., 8949029, 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings, Institute of Electrical and Electronics Engineers Inc., 17th International Conference on Privacy, Security and Trust, PST 2019, Fredericton, Canada, 26/08/19. https://doi.org/10.1109/PST47121.2019.8949029

Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest. / Aminanto, Muhamad Erza; Zhu, Lei; Ban, Tao et al.
2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings. ed. / Ali Ghorbani; Indrakshi Ray; Arash Habibi Lashkari; Jie Zhang; Rongxing Lu. Institute of Electrical and Electronics Engineers Inc., 2019. 8949029 (2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest

AU - Aminanto, Muhamad Erza

AU - Zhu, Lei

AU - Ban, Tao

AU - Isawa, Ryoichi

AU - Takahashi, Takeshi

AU - Inoue, Daisuke

PY - 2019/8

Y1 - 2019/8

N2 - Network-based intrusion detection systems (NIDSes) tend to output massive alert logs to cover all suspicious communications that deviate from normal network traffic. Due to the tremendous volume of these alert logs, real-time incident response or keeping in pace with the alerts sometimes turns out to be impractical for security operators who have to genuinely investigate each alert to verify whether immediate remedial action is necessary. This problem, known as the threat-alert fatigue problem, causes many unexplored alerts and hence deteriorates the quality of service (QoS). In order to reduce the massive number of alerts, we propose an alert screening scheme that can triage alerts on the basis of the potential of a vast threat. We leverage the fully unsupervised nature of the adopted isolation forest method. Our proposed scheme does not require any prior labeling information and is thus suitable for most NIDSes deployed in enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, we observe that each period (currently set to one day) has its distinct characteristics, which can be exploited to isolate anomalies. This study demonstrates the advantages of unsupervised learning in reducing vast threat alerts and lays the groundwork for battling the alert fatigue problem.

AB - Network-based intrusion detection systems (NIDSes) tend to output massive alert logs to cover all suspicious communications that deviate from normal network traffic. Due to the tremendous volume of these alert logs, real-time incident response or keeping in pace with the alerts sometimes turns out to be impractical for security operators who have to genuinely investigate each alert to verify whether immediate remedial action is necessary. This problem, known as the threat-alert fatigue problem, causes many unexplored alerts and hence deteriorates the quality of service (QoS). In order to reduce the massive number of alerts, we propose an alert screening scheme that can triage alerts on the basis of the potential of a vast threat. We leverage the fully unsupervised nature of the adopted isolation forest method. Our proposed scheme does not require any prior labeling information and is thus suitable for most NIDSes deployed in enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, we observe that each period (currently set to one day) has its distinct characteristics, which can be exploited to isolate anomalies. This study demonstrates the advantages of unsupervised learning in reducing vast threat alerts and lays the groundwork for battling the alert fatigue problem.

KW - alert screening

KW - intrusion detection

KW - isolation forest

KW - machine learning

KW - threat alert fatigue

UR - http://www.scopus.com/inward/record.url?scp=85078760381&partnerID=8YFLogxK

U2 - 10.1109/PST47121.2019.8949029

DO - 10.1109/PST47121.2019.8949029

M3 - Conference contribution

AN - SCOPUS:85078760381

T3 - 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings

BT - 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings

A2 - Ghorbani, Ali

A2 - Ray, Indrakshi

A2 - Lashkari, Arash Habibi

A2 - Zhang, Jie

A2 - Lu, Rongxing

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 17th International Conference on Privacy, Security and Trust, PST 2019

Y2 - 26 August 2019 through 28 August 2019

ER -

Aminanto ME, Zhu L, Ban T, Isawa R, Takahashi T, Inoue D. Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest. In Ghorbani A, Ray I, Lashkari AH, Zhang J, Lu R, editors, 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2019. 8949029. (2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings). doi: 10.1109/PST47121.2019.8949029

Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this