Genre: Pre-print
Date: 2018-10-17
Author: Lin, Y; Chen, Z; Cao, C; Tang, LA; Zhang, K; Cheng, W; Li, Z
Subject: Anomaly detection; Alert ranking; Temporal dependency modeling; Content dependency modeling; Entity embedding; Enterprise security system
Permanent link to this record: http://hdl.handle.net/20.500.12613/4387
DOI: 10.1145/3269206.3272013
Abstract: © 2018 Association for Computing Machinery. Given a large number of low-quality, heterogeneous categorical alerts collected from an anomaly detection system, how can we characterize the complex relationships between different alerts and deliver trustworthy rankings to end users? Existing techniques focus on either mining alert patterns or filtering out false-positive alerts; considering the two perspectives simultaneously is more advantageous, since it improves detection accuracy and gives a better understanding of abnormal system behaviors. In this paper, we propose CAR, a collaborative alert ranking framework that exploits both temporal and content correlations among heterogeneous categorical alerts. CAR first builds a hierarchical Bayesian model to capture both short-term and long-term dependencies in each alert sequence. Then, an entity embedding-based model is proposed to learn the content correlations between alerts via their heterogeneous categorical attributes. Finally, by incorporating both temporal and content dependencies into a unified optimization framework, CAR ranks both alerts and their corresponding alert patterns. Our experiments, using both synthetic and real-world enterprise security alert data, show that CAR can accurately identify true-positive alerts and successfully reconstruct the attack scenarios at the same time.
Citation to related work: ACM
Has part: International Conference on Information and Knowledge Management, Proceedings
http://dx.doi.org/10.34944/dspace/4369