TY - GEN
T1 - Fusing Security Alerts Improves Cyber-Security
T2 - 8th International Conference on Data Science in Cyberspace, DSC 2023
AU - Wei, Songxuan
AU - Xie, Yushun
AU - Zhao, Angxiao
AU - Jing, Xiao
AU - Luo, Cui
AU - Gu, Zhaoquan
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - With the rapid development of network technologies, cyberspace security is facing increasingly complex threats. To detect and respond to the rapidly growing number of network attacks, many security devices are widely adopted. However, a single security device often detects network attacks based on a single algorithm or some pre-defined features, resulting in a large number of false positives and false negatives in the security alerts it generates. Hence, many heterogeneous security devices are normally used, and fusing the alerts from these devices is an effective way to improve the quality of security alerts. As the formats, and even the contents, of the reported alerts are quite different, fusing these alerts has become a severe problem in practice. To address this problem, we propose in this paper an alert normalization framework for multi-source heterogeneous devices, which automatically converts the different alert types reported by heterogeneous devices into a unified attack classification system, making it possible to jointly analyze these alerts. Our framework extracts keywords describing each attack type by calculating the TF-IDF value, and then uses the normalized TF-IDF value as a weight to predict which attack type an alert belongs to. Experiments on 67,957 security alerts obtained from 15 security devices show that our method performs well and is highly interpretable. In addition, it can predict unseen alerts with a high accuracy of 0.65.
KW - Security alerts
KW - alert aggregation
KW - cyber-security
KW - intrusion detection system
KW - natural language processing
UR - https://www.scopus.com/pages/publications/85184349388
U2 - 10.1109/DSC59305.2023.00011
DO - 10.1109/DSC59305.2023.00011
M3 - Conference contribution
AN - SCOPUS:85184349388
T3 - Proceedings - 2023 8th International Conference on Data Science in Cyberspace, DSC 2023
SP - 1
EP - 7
BT - Proceedings - 2023 8th International Conference on Data Science in Cyberspace, DSC 2023
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 18 August 2023 through 20 August 2023
ER -