Automated Threat-Alert Screening for Battling Alert Fatigue with Temporal Isolation Forest

Muhamad Erza Aminanto, Lei Zhu, Tao Ban, Ryoichi Isawa, Takeshi Takahashi, Daisuke Inoue

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

13 Citations (Scopus)

Abstract

Network-based intrusion detection systems (NIDSes) tend to output massive alert logs to cover all suspicious communications that deviate from normal network traffic. Because of the tremendous volume of these alert logs, real-time incident response, or even keeping pace with the alerts, sometimes turns out to be impractical for security operators, who have to genuinely investigate each alert to verify whether immediate remedial action is necessary. This problem, known as the threat-alert fatigue problem, leaves many alerts uninvestigated and hence deteriorates the quality of service (QoS). In order to reduce the massive number of alerts, we propose an alert screening scheme that triages alerts on the basis of their potential to represent a serious threat. We leverage the fully unsupervised nature of the adopted isolation forest method. Our proposed scheme does not require any prior labeling information and is thus suitable for most NIDSes deployed in enterprise environments. Moreover, by taking advantage of the temporal information in the alerts, we observe that each period (currently set to one day) has its own distinct characteristics, which can be exploited to isolate anomalies. This study demonstrates the advantages of unsupervised learning in reducing the volume of threat alerts and lays the groundwork for battling the alert fatigue problem.
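The screening step the abstract describes, as an added illustration rather than code from the paper: a small pure-Python isolation forest (random axis-aligned splits, path-length normalised by the expected unsuccessful-search length c(n)), fitted separately on each day's alerts so that each day's baseline is learned on its own, and ranking that day's alerts by anomaly score. The alert records, the three-feature representation (signature priority, destination port, log byte count), the signature labels and the per-day split on the timestamp prefix are all assumptions made for the example; the abstract does not state the paper's feature set.

```python
"""Per-day isolation-forest screening of NIDS alerts (added illustration,
not the paper's code). Alert records and features below are constructed."""
import math
import random
from collections import defaultdict

EULER_GAMMA = 0.5772156649


def c_factor(n):
    """Expected path length of an unsuccessful BST search over n points;
    used to normalise path lengths so scores are comparable across sizes."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _build_tree(rows, depth, max_depth, rng):
    """Recursively isolate points with a random split on a random feature."""
    n = len(rows)
    if depth >= max_depth or n <= 1:
        return ("leaf", n)
    # Only features that still vary inside this node can separate anything.
    dims = [j for j in range(len(rows[0]))
            if min(r[j] for r in rows) < max(r[j] for r in rows)]
    if not dims:
        return ("leaf", n)
    j = rng.choice(dims)
    lo, hi = min(r[j] for r in rows), max(r[j] for r in rows)
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[j] < split]
    right = [r for r in rows if r[j] >= split]
    return ("node", j, split,
            _build_tree(left, depth + 1, max_depth, rng),
            _build_tree(right, depth + 1, max_depth, rng))


def _path_length(x, node, depth=0):
    if node[0] == "leaf":
        # Unresolved leaf: add the expected depth still needed to isolate x.
        return depth + c_factor(node[1])
    _, j, split, left, right = node
    return _path_length(x, left if x[j] < split else right, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.psi = [], 0

    def fit(self, rows):
        rng = random.Random(self.seed)
        self.psi = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [_build_tree(rng.sample(rows, self.psi), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]: a short average path means easy to isolate."""
        if self.psi <= 1:
            return 1.0
        avg = sum(_path_length(x, t) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / c_factor(self.psi))


def featurize(alert):
    # Assumed feature set for the example: priority, destination port, log bytes.
    return [alert["priority"], alert["dst_port"], math.log1p(alert["bytes"])]


def screen_alerts(alerts, n_trees=100, seed=0):
    """Fit one forest per calendar day (timestamp prefix) and rank that day's
    alerts by score, so each day's baseline is learned independently."""
    by_day = defaultdict(list)
    for a in alerts:
        by_day[a["ts"][:10]].append(a)
    ranked = {}
    for day, day_alerts in sorted(by_day.items()):
        rows = [featurize(a) for a in day_alerts]
        forest = IsolationForest(n_trees=n_trees, seed=seed).fit(rows)
        scored = [(forest.score(r), a) for r, a in zip(rows, day_alerts)]
        ranked[day] = sorted(scored, key=lambda s: s[0], reverse=True)
    return ranked


def constructed_alerts():
    """Synthetic two-day alert log: routine noise with a different baseline
    each day, plus one planted high-impact alert per day (constructed data)."""
    rng = random.Random(42)
    alerts = []
    for i in range(30):
        alerts.append({"ts": f"2019-08-26T{i % 24:02d}:00:00", "sig": "nmap NSE probe",
                       "priority": 3, "dst_port": 80, "bytes": rng.randint(500, 2000)})
        alerts.append({"ts": f"2019-08-27T{i % 24:02d}:00:00", "sig": "TLS to rare SNI",
                       "priority": 2, "dst_port": 443, "bytes": rng.randint(3000, 8000)})
    alerts.append({"ts": "2019-08-26T13:37:00", "sig": "SMB RCE attempt",
                   "priority": 1, "dst_port": 445, "bytes": 50_000_000})
    alerts.append({"ts": "2019-08-27T02:15:00", "sig": "bulk transfer to RDP host",
                   "priority": 1, "dst_port": 3389, "bytes": 900_000_000})
    return alerts


if __name__ == "__main__":
    for day, scored in screen_alerts(constructed_alerts()).items():
        print(day)
        for score, a in scored[:3]:
            print(f"  {score:.3f}  {a['sig']}  port={a['dst_port']} bytes={a['bytes']}")
```

The per-day fit is the point of the temporal variant: the two constructed days have different routine baselines (port 80 scan noise on one, port 443 policy hits on the other), and each planted alert is scored against its own day's distribution, so it lands at the top of that day's triage list while the routine alerts, which the forest needs many splits to separate, score near 0.5.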

Original language: English
Title of host publication: 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings
Editors: Ali Ghorbani, Indrakshi Ray, Arash Habibi Lashkari, Jie Zhang, Rongxing Lu
Publisher: Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic): 9781728132655
DOIs
Publication status: Published - Aug 2019
Event: 17th International Conference on Privacy, Security and Trust, PST 2019 - Fredericton, Canada
Duration: 26 Aug 2019 to 28 Aug 2019

Publication series

Name: 2019 17th International Conference on Privacy, Security and Trust, PST 2019 - Proceedings

Conference

Conference: 17th International Conference on Privacy, Security and Trust, PST 2019
Country/Territory: Canada
City: Fredericton
Period: 26/08/19 to 28/08/19

Keywords

  • alert screening
  • intrusion detection
  • isolation forest
  • machine learning
  • threat alert fatigue
