Prioritizing Antivirus Alerts on Internal Enterprise Machines.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events into a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; it then aggregates their results to identify abnormal and potentially critical machines (i.e., machines that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., to require further investigation), compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.
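The abstract sketches a pipeline (window the alert stream per machine, keep windows that contain a sensitive event, featurize them, train one autoencoder per sensitive event type, aggregate reconstruction errors into a per-machine ranking). The following stdlib-only Python sketch is an added example and not the paper's code: the event taxonomy, the hourly window, the count-vector features, the 5-2-5 autoencoder and the "worst normalised error per machine" aggregation are all assumptions, since the page does not state the authors' choices, and the alert data is constructed, not McAfee ePO output.

```python
"""Added example: toy AV-alert prioritisation in the shape the abstract describes.
Not the paper's code; every constant below is an assumption."""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime

# Assumed event taxonomy; the first three types are treated as "sensitive".
SENSITIVE = ("MALWARE_DETECTED", "QUARANTINE_FAILED", "SCAN_DISABLED")
EVENT_TYPES = SENSITIVE + ("SCAN_COMPLETED", "DAT_UPDATED")


def sensitive_windows(alerts):
    """alerts: iterable of (iso_timestamp, machine, event_type).
    Buckets alerts per (machine, hourly window) and keeps only windows that
    contain at least one sensitive event; returns {(machine, window_start): Counter}."""
    buckets = defaultdict(Counter)
    for ts, machine, etype in alerts:
        start = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[(machine, start)][etype] += 1
    return {k: c for k, c in buckets.items() if any(c[t] for t in SENSITIVE)}


def featurize(counter, scale):
    """Fixed-order count vector, each feature divided by its training-set maximum."""
    return [counter.get(t, 0) / s for t, s in zip(EVENT_TYPES, scale)]


class TinyAutoencoder:
    """n_in -> n_hidden -> n_in autoencoder (sigmoid bottleneck, linear output), plain SGD on MSE."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)  # fixed seed so the ranking is reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def _forward(self, x):
        h = [1.0 / (1.0 + math.exp(-(sum(w * v for w, v in zip(row, x)) + b)))
             for row, b in zip(self.w1, self.b1)]
        y = [sum(w * v for w, v in zip(row, h)) + b for row, b in zip(self.w2, self.b2)]
        return h, y

    def error(self, x):
        """Mean squared reconstruction error: the anomaly score of one window."""
        _, y = self._forward(x)
        return sum((a - b) ** 2 for a, b in zip(y, x)) / len(x)

    def fit(self, xs, epochs=300, lr=0.1):
        for _ in range(epochs):
            for x in xs:
                h, y = self._forward(x)
                dy = [2.0 * (a - b) / len(x) for a, b in zip(y, x)]           # dMSE/dy
                dh = [sum(self.w2[i][j] * dy[i] for i in range(len(dy))) * h[j] * (1 - h[j])
                      for j in range(len(h))]                                  # back through sigmoid
                for i, g in enumerate(dy):
                    self.w2[i] = [w - lr * g * hj for w, hj in zip(self.w2[i], h)]
                    self.b2[i] -= lr * g
                for j, g in enumerate(dh):
                    self.w1[j] = [w - lr * g * xk for w, xk in zip(self.w1[j], x)]
                    self.b1[j] -= lr * g
        return self


def train_models(history):
    """One autoencoder per sensitive type, trained on the past windows containing that type.
    Returns {etype: (model, feature_scale, mean_training_error)}."""
    models = {}
    for etype in SENSITIVE:
        counters = [c for c in history.values() if c[etype]]
        scale = [max(1, max(c.get(t, 0) for c in counters)) for t in EVENT_TYPES]
        xs = [featurize(c, scale) for c in counters]
        model = TinyAutoencoder(len(EVENT_TYPES), 2).fit(xs)
        baseline = max(sum(model.error(x) for x in xs) / len(xs), 1e-6)
        models[etype] = (model, scale, baseline)
    return models


def rank_machines(models, windows):
    """Score every window under each model whose event type it contains, normalise by that
    model's training error, and give each machine its worst window (assumed aggregation)."""
    scores = defaultdict(float)
    for (machine, _), counter in windows.items():
        for etype, (model, scale, baseline) in models.items():
            if counter[etype]:
                score = model.error(featurize(counter, scale)) / baseline
                scores[machine] = max(scores[machine], score)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def constructed_history():
    """Constructed past windows (not real data): three recurring benign patterns."""
    rng, hist = random.Random(1), {}
    for i in range(60):
        c = Counter({"DAT_UPDATED": 1, "SCAN_COMPLETED": rng.randint(1, 2)})
        if i % 3 == 0:
            c["MALWARE_DETECTED"] = rng.randint(1, 2)          # detection, then a clean scan
        elif i % 3 == 1:
            c.update({"MALWARE_DETECTED": 1, "QUARANTINE_FAILED": 1})
        else:
            c["SCAN_DISABLED"] = 1                             # scan paused around a DAT update
        hist[(f"hist{i:03d}", datetime(2022, 3, 1 + i % 28, i % 24))] = c
    return hist


TODAY_ALERTS = [  # constructed: ws001/ws002 match known patterns, ws666 does not, ws003 has nothing sensitive
    ("2022-04-01T09:05:00", "ws001", "MALWARE_DETECTED"), ("2022-04-01T09:07:00", "ws001", "SCAN_COMPLETED"),
    ("2022-04-01T09:30:00", "ws001", "DAT_UPDATED"),
    ("2022-04-01T10:05:00", "ws002", "MALWARE_DETECTED"), ("2022-04-01T10:06:00", "ws002", "QUARANTINE_FAILED"),
    ("2022-04-01T10:09:00", "ws002", "SCAN_COMPLETED"), ("2022-04-01T10:30:00", "ws002", "DAT_UPDATED"),
    ("2022-04-01T11:01:00", "ws666", "MALWARE_DETECTED"), ("2022-04-01T11:02:00", "ws666", "MALWARE_DETECTED"),
    ("2022-04-01T11:03:00", "ws666", "QUARANTINE_FAILED"), ("2022-04-01T11:04:00", "ws666", "QUARANTINE_FAILED"),
    ("2022-04-01T11:05:00", "ws666", "SCAN_DISABLED"), ("2022-04-01T11:06:00", "ws666", "MALWARE_DETECTED"),
    ("2022-04-01T12:00:00", "ws003", "SCAN_COMPLETED"),
]


def prioritise(history, alerts):
    """Full pipeline: returns [(machine, score), ...] with the most anomalous machine first."""
    return rank_machines(train_models(history), sensitive_windows(alerts))


if __name__ == "__main__":
    for machine, score in prioritise(constructed_history(), TODAY_ALERTS):
        print(f"{machine}: {score:.1f}x its model's training error")
```

Two things worth noting about the design: the model is only ever trained on windows that contain its own event type, so a window with several sensitive events is scored by several models and a machine's score is its worst case; and scores are normalised by each model's training error, because absolute reconstruction errors from differently trained autoencoders are not comparable and a raw max would let the noisiest model dominate the ranking.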
Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings
Editors: Lorenzo Cavallaro, Daniel Gruss, Giancarlo Pellegrino, Giorgio Giacinto
Publisher: Springer Cham
Pages: 75-95
Number of pages: 21
ISBN (Electronic): 978-3-031-09484-2
ISBN (Print): 978-3-031-09483-5
DOIs
State: Published - 2022
Event: 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022 - Cagliari, Italy
Duration: 29 Jun 2022 to 1 Jul 2022

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13358 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022
Country/Territory: Italy
City: Cagliari
Period: 29/06/22 to 1/07/22

Keywords

  • Antivirus
  • Autoencoder
  • Big data
  • Machine learning

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)
