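@comment{Cleaned from an automated repository export: trailing period dropped from
the title (styles add their own punctuation), authors stored in "Last, First" form,
"Springer Cham" split into publisher + address, the Scopus-style series suffix
removed, and the "Publisher Copyright" boilerplate dropped from note. The
citation key, DOI, ISBN, pages and abstract are unchanged.}

@inproceedings{b50aeee99a664fa89e7a30231c9e01d9,
  title     = {Prioritizing Antivirus Alerts on Internal Enterprise Machines},
  abstract  = {Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method{\textquoteright}s effectiveness at prioritizing AV events.},
  keywords  = {Antivirus, Autoencoder, Big data, Machine learning},
  author    = {Sakazi, Shay and Elovici, Yuval and Shabtai, Asaf},
  editor    = {Cavallaro, Lorenzo and Gruss, Daniel and Pellegrino, Giancarlo and Giacinto, Giorgio},
  booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, {DIMVA} 2022, Proceedings},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  address   = {Cham},
  pages     = {75--95},
  year      = {2022},
  month     = jun,
  day       = {24},
  doi       = {10.1007/978-3-031-09484-2_5},
  isbn      = {978-3-031-09483-5},
  language  = {English},
  note      = {19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, {DIMVA} 2022; Conference date: 29-06-2022 Through 01-07-2022},
}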