TY - GEN
T1 - NODOZE
T2 - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
AU - Ul Hassan, Wajih
AU - Guo, Shengjian
AU - Li, Ding
AU - Chen, Zhengzhang
AU - Jee, Kangkook
AU - Li, Zhichun
AU - Bates, Adam
N1 - We would like to thank the anonymous reviewers for their helpful feedback. This work was supported in part by the National Science Foundation under contracts CNS-16-57534 and CNS-17-50024. This work was done while Wajih Ul Hassan and Shengjian Guo were interns under the supervision of Ding Li at NEC Labs America. Ding Li is the corresponding author of this paper. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of their employers or the sponsors.
PY - 2019
Y1 - 2019
N2 - Large enterprises are increasingly relying on threat detection software (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. This software generates alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms. In this paper, we present NODOZE to combat this challenge using the contextual and historical information of generated threat alerts. NODOZE first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each edge in the dependency graph based on the frequency with which related events have happened before in the enterprise. NODOZE then propagates those scores along the neighboring edges of the graph using a novel network diffusion algorithm and generates an aggregate anomaly score which is used for triaging. We deployed and evaluated NODOZE at NEC Labs America. Evaluation on our dataset of 364 threat alerts shows that NODOZE consistently ranked the true alerts higher than the false alerts based on aggregate anomaly scores. Further, through the introduction of a cutoff threshold for anomaly scores, we estimate that our system decreases the volume of false alarms by 84%, saving analysts more than 90 hours of investigation time per week. NODOZE generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.
UR - https://www.scopus.com/pages/publications/85091585945
UR - https://www.scopus.com/pages/publications/85091585945#tab=citedBy
U2 - 10.14722/ndss.2019.23349
DO - 10.14722/ndss.2019.23349
M3 - Conference contribution
AN - SCOPUS:85091585945
T3 - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
BT - 26th Annual Network and Distributed System Security Symposium, NDSS 2019
PB - The Internet Society
Y2 - 24 February 2019 through 27 February 2019
ER -