OutMet: A new metric for prioritising intrusion alerts using correlation and outlier analysis

Shittu, Riyanat; Healing, Alex; Ghanea-Hercock, Robert; Bloomfield, Robin; Rajarajan, Muttukrishnan

doi:10.1109/lcn.2014.6925787

Cited by 9 publications

(4 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Numerous related works have investigated this approach and have shown it to achieve good results. The proposed solutions have been adopted by commercial products [5,34,35].…”

Section: Filtering-and Correlation-based Approachesmentioning

confidence: 99%

Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response

et al. 2023

View full text Add to dashboard Cite

Contemporary security information and event management (SIEM) solutions struggle to identify critical security incidents effectively due to the overwhelming number of false alerts generated by disparate security products, which results in significant alert fatigue and hinders effective incident response. To overcome this challenge, we propose a next-generation SIEM framework that integrates security orchestration automation and response capabilities and utilizes a divide-and-conquer strategy to mitigate the impact of low-quality IDS alerts. The proposed framework leverages advanced machine learning and data visualization tools—including a cost-sensitive learning method and an event segmenting algorithm—to filter and correlate alerts plus an augmented visualization tool to expedite the triage process. The proposed framework was evaluated experimentally on a dataset collected from a real-world enterprise network, and we report highly convincing results. The alert screening scheme demonstrates significant potential for real-world security operations. We believe that our findings will contributing to the development of a next-generation SIEM system that effectively addresses alert fatigue and lays the foundation for future research in this field.

show abstract

“…Numerous related works have investigated this approach and have shown it to achieve good results. The proposed solutions have been adopted by commercial products [5,34,35].…”

Section: Filtering-and Correlation-based Approachesmentioning

confidence: 99%

Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response

et al. 2023

View full text Add to dashboard Cite

show abstract

“…The likelihood that a certain incident ID is not present in any of the produced hyper alert, is the product of the probabilities of not being in each of the individual hyper alerts (Cf. (20)). Based on this, IMR is calculated as the expected rate at which an incident is not being found by the described "oracle analyst" (Cf.…”

Section: Metricsmentioning

confidence: 99%

“…It seems a more prudent approach to let IDSs be overly sensitive, and then address the filtering and correlation problems in a pre-processing step. This is supported by such approaches achieving good results [6], [7], [8], [13], [14], [15], [16], [17], [18], [19], [20], and by existence of commercial products such as Cisco Security MARS and FireEye.…”

Section: Introductionmentioning

confidence: 99%

Featureless Discovery of Correlated and False Intrusion Alerts

et al. 2020

View full text Add to dashboard Cite

Malware and cyber-attacks cause substantial damage to corporations. A common countermeasure is Intrusion Detection Systems (IDSs). Unfortunately, IDSs typically raise many alerts on a single incident, with redundant information, and false alerts that are only noise to analysts. For out-ofthe-box performance, the impact is so large that alerts are of limited practical use. Existing solutions rely heavily on domain expertise, in feature engineering procedures and explicit algorithms. This has substantial negative impact on the costs of development, deployment, and maintenance. Using feature engineering as part of a method boosts classification metrics, but requires substantial investment, of data science and security expertise, for each deployment. We find that reliance on domain expertise and feature engineering severely inhibits the feasibility of applying existing correlation and filtering methods in practice. To address this, we propose a novel approach for correlating and filtering, with the constraints that methods must be without feature engineering and methods must consume alerts as text strings. Two implementations are presented and evaluated on a partly private and on a public data set. Our implementations are unable to compete with existing methods on common detection metrics, suggesting that investing feature engineering pays of towards those. Measured on practical metrics for filtering and correlating, our implementations are promising, while at the same time cutting the cost of deployment, according to the constraints. Consequently, we find it of practical relevance to consider methods, like ours, that are much easier and cheaper to deploy, compared to the existing ones.

show abstract

“…Our hypothesis is that a set of correlated alerts should be prioritised if it represents anomalous network behaviour at a given time. The prioritisation metric is based on our previous work (Shittu et al, 2014). In our new work we have improved the correlation phase.…”

Section: Contributionsmentioning

confidence: 99%

Intrusion alert prioritisation and attack detection using post-correlation analysis

Shittu

Healing

Ghanea-Hercock

et al. 2015

Computers & Security

Self Cite

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version.Permanent repository link: http://openaccess.city.ac.uk/8680/ Link to published version: http://dx. AbstractEvent Correlation used to be a widely used technique for interpreting alert logs and discovering network attacks. However, due to the scale and complexity of today's networks and attacks, alert logs produced by these modern networks are much larger in volume and difficult to analyse. In this research we show that adding post-correlation methods can be used alongside correlation to significantly improve the analysis of alert logs.We proposed a new framework titled A Comprehensive System for Analysing Intrusion Alerts (ACSAnIA). The post-correlation methods include a new prioritisation metric based on anomaly detection and a novel approach to clustering events using correlation knowledge. One of the key benefits of the framework is that it significantly reduces false-positive alerts and it adds contextual information to true-positive alerts.We evaluated the post-correlation methods of ACSAnIA using data from a 2012 cyber range experiment carried out by industrial partners of the British Telecom SATURN programme. In one scenario, our results show that falsepositives were successfully reduced by 97% and in another scenario, 16%. It also showed that clustering correlated alerts aided in attack detection.The proposed framework is also being developed and integrated into a preexisting Visual Analytic tool developed by the British Telecom SATURN Research Team for the analysis of cyber security data.

show abstract

OutMet: A new metric for prioritising intrusion alerts using correlation and outlier analysis

Cited by 9 publications

References 29 publications

Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response

Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response

Featureless Discovery of Correlated and False Intrusion Alerts

Intrusion alert prioritisation and attack detection using post-correlation analysis

Contact Info

Product

Resources

About