Publications

Results 26–50 of 74
Exploiting Time and Subject Locality for Fast, Efficient, and Understandable Alert Triage

2018 International Conference on Computing, Networking and Communications, ICNC 2018

Kavaler, David; Hudson, Corey H.; Bierma, Michael B.

In many organizations, intrusion detection and other related systems are tuned to generate security alerts, which are then manually inspected by cyber-security analysts. These analysts often devote a large portion of time to inspecting these alerts, most of which are innocuous. Thus, it would be greatly beneficial to reduce the number of innocuous alerts, allowing analysts to utilize their time and skills for other aspects of cyber defense. In this work, we devise several simple, fast, and easily understood models to cut back this manual inspection workload, while maintaining high true positive and true negative rates. We demonstrate their effectiveness on real data, and discuss their potential utility in application by others.
Learning to rank for alert triage

2016 IEEE Symposium on Technologies for Homeland Security, HST 2016

Bierma, Michael B.; Doak, Justin E.; Hudson, Corey H.

As cyber monitoring capabilities expand and data rates increase, cyber security analysts must filter through an increasing number of alerts in order to identify potential intrusions on the network. This process is often manual and time-consuming, which limits the number of alerts an analyst can process. This generation of a vast number of alerts without any kind of ranking or prioritization is often referred to as alert desensitization [1]. This is the phenomenon where competent analysts become so numbed by the barrage of false positives that they are unable to identify the true positives, leading to unfortunate breaches. Our goal is to alleviate alert desensitization by placing the most important alerts at the front of the queue. With less time and energy expended investigating false positives, critical alerts may not be overlooked, allowing timely responses to potential breaches. This paper discusses the use of supervised machine learning to rank these cyber security alerts to ensure that an analyst's time and energy are focused on the most important alerts.
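
The two abstracts above describe the same pipeline from two angles: derive cheap, explainable features from where and when an alert occurs (the time and subject locality of the first paper), then fit a supervised model that orders the analyst's queue (the learning-to-rank of the second). The block below is an added illustration of that pipeline and is not code or data from either paper. Everything in it is an assumption chosen for the example: the feature set (recent alert counts from the same subject and signature, plus how often the analyst already labelled that subject/signature pair benign or malicious), the pointwise logistic-regression ranker trained by batch gradient descent, the 3600-second window, and the constructed alert stream with one noisy scanner, one beaconing host and a few one-off policy alerts.

```python
"""Toy alert-triage ranker using time/subject-locality features.

Added example only: the features, model and alerts are assumptions for
illustration, not the models or data from the papers above.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 3600          # assumed locality window in seconds
T0 = 1_700_000_000     # base timestamp for the constructed stream


@dataclass
class Alert:
    ts: int               # epoch seconds; the stream must be sorted by ts
    src: str              # subject: the host the alert is about
    sig: str              # IDS signature name
    label: Optional[int]  # 1 = true positive, 0 = benign, None = not yet triaged


def locality_features(alerts: List[Alert], i: int) -> List[float]:
    """Features for alerts[i], computed only from alerts that precede it.

    Time locality: alerts from the same subject / with the same signature
    within the last WINDOW seconds. Subject locality: how often an analyst
    has already marked this (subject, signature) pair benign or malicious.
    """
    a = alerts[i]
    same_src_recent = same_sig_recent = prior_benign = prior_malicious = 0
    for b in alerts[:i]:
        if a.ts - b.ts <= WINDOW:
            same_src_recent += b.src == a.src
            same_sig_recent += b.sig == a.sig
        if b.label is not None and (b.src, b.sig) == (a.src, a.sig):
            prior_benign += b.label == 0
            prior_malicious += b.label == 1
    # log1p keeps a chatty scanner from swamping the dot product
    counts = (same_src_recent, same_sig_recent, prior_benign, prior_malicious)
    return [1.0] + [math.log1p(c) for c in counts]   # leading 1.0 is the bias term


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_ranker(alerts: List[Alert], lr: float = 0.1, epochs: int = 3000) -> List[float]:
    """Pointwise logistic-regression ranker fitted by batch gradient descent."""
    rows = [(locality_features(alerts, i), a.label)
            for i, a in enumerate(alerts) if a.label is not None]
    w = [0.0] * len(rows[0][0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x))) - y
            for j, xj in enumerate(x):
                grad[j] += err * xj
        w = [wi - lr * g / len(rows) for wi, g in zip(w, grad)]
    return w


def rank_queue(alerts: List[Alert], w: List[float]) -> List[Tuple[float, Alert]]:
    """Return the untriaged alerts, highest predicted-malicious first."""
    scored = [(sigmoid(sum(wi * xi for wi, xi in zip(w, locality_features(alerts, i)))), a)
              for i, a in enumerate(alerts) if a.label is None]
    scored.sort(key=lambda s: s[0], reverse=True)
    return scored


def precision_at_k(ranked: List[Tuple[float, Alert]], truth: Dict[Tuple[str, int], int], k: int) -> float:
    """Fraction of the top-k queue positions that are true positives."""
    return sum(truth[(a.src, a.ts)] for _, a in ranked[:k]) / k


def constructed_alerts() -> List[Alert]:
    """Constructed sample stream (not real data): a benign scanner 10.0.0.5
    labelled benign twelve times, a beaconing host 10.0.0.77 labelled
    malicious four times, a one-off policy alert, then three untriaged alerts."""
    alerts = [Alert(T0 + k * 300, "10.0.0.5", "ET SCAN Nmap", 0) for k in range(12)]
    alerts += [Alert(T0 + 1800 + k * 600, "10.0.0.77", "ET MALWARE Beacon", 1) for k in range(4)]
    alerts.append(Alert(T0 + 4000, "10.0.0.9", "ET POLICY Update", 0))
    alerts.append(Alert(T0 + 5000, "10.0.0.5", "ET SCAN Nmap", None))
    alerts.append(Alert(T0 + 5100, "10.0.0.77", "ET MALWARE Beacon", None))
    alerts.append(Alert(T0 + 5200, "10.0.0.22", "ET POLICY Update", None))
    return sorted(alerts, key=lambda a: a.ts)


# Hidden ground truth for the three untriaged alerts, used only for evaluation.
QUEUE_TRUTH = {("10.0.0.5", T0 + 5000): 0, ("10.0.0.77", T0 + 5100): 1, ("10.0.0.22", T0 + 5200): 0}


if __name__ == "__main__":
    stream = constructed_alerts()
    weights = train_ranker(stream)
    ranked = rank_queue(stream, weights)
    for score, alert in ranked:
        print(f"{score:.3f}  {alert.src:<10} {alert.sig}")
    print("precision@1 =", precision_at_k(ranked, QUEUE_TRUTH, 1))
```

The point to take from running it is the one both abstracts make: the scanner alert that an analyst has already dismissed many times sinks to the bottom of the queue, the repeat from the host previously labelled malicious rises to the top, and the never-seen policy alert lands in between. Because the features are counts the analyst can read off the alert history, the ranking is explainable, but it is only as good as the labels feeding it: a subject whose early alerts were mislabelled benign will keep being suppressed, so a production deployment needs a path for analysts to correct labels and retrain.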