
    Collaborative alert ranking for anomaly detection

    File: 1612.07736v2.pdf (PDF, 10.08Kb)
    Genre: Pre-print
    Date: 2018-10-17
    Authors: Lin, Y; Chen, Z; Cao, C; Tang, LA; Zhang, K; Cheng, W; Li, Z
    Subjects: Anomaly detection; Alert ranking; Temporal dependency modeling; Content dependency modeling; Entity embedding; Enterprise security system
    Permanent link to this record: http://hdl.handle.net/20.500.12613/4387
    DOI: 10.1145/3269206.3272013
    Abstract
    © 2018 Association for Computing Machinery. Given a large number of low-quality, heterogeneous categorical alerts collected from an anomaly detection system, how can we characterize the complex relationships between different alerts and deliver trustworthy rankings to end users? Existing techniques focus on either mining alert patterns or filtering out false-positive alerts; considering the two perspectives simultaneously can improve detection accuracy and give a better understanding of abnormal system behaviors. In this paper, we propose CAR, a collaborative alert ranking framework that exploits both temporal and content correlations among heterogeneous categorical alerts. CAR first builds a hierarchical Bayesian model to capture both short-term and long-term dependencies in each alert sequence. Then, an entity-embedding-based model learns the content correlations between alerts from their heterogeneous categorical attributes. Finally, by incorporating both temporal and content dependencies into a unified optimization framework, CAR ranks both alerts and their corresponding alert patterns. Our experiments, using both synthetic and real-world enterprise security alert data, show that CAR can accurately identify true-positive alerts and reconstruct the attack scenarios at the same time.
    Citation to related work: ACM
    Has part: International Conference on Information and Knowledge Management, Proceedings
    http://dx.doi.org/10.34944/dspace/4369
    Collections: Faculty/ Researcher Works