Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machines that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.
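The pipeline the abstract describes, as an added sketch that is not the paper's code: constructed ePO-like events are cut into one-hour windows per machine, one tied-weight linear autoencoder (standing in for the paper's AE models) is trained per sensitive event type, and the per-type reconstruction errors are aggregated into a machine ranking. The event types, the three window features, the window length and the max-over-types aggregation are all assumptions made here.

```python
import math, random
# Constructed AV events (machine, hour, event_type, blocked); not real ePO data.
random.seed(7)
EVENTS = [(m, h, t, random.random() > 0.05) for m in range(20) for h in range(48)
          for t, n in (("malware_detected", random.randint(0, 2)), ("access_protection", random.randint(0, 2)),
                       ("scan_completed", random.randint(2, 6))) for _ in range(n)]
# Machine 13, hour 40: a burst of unblocked detections that the ranking should put first.
EVENTS += [(13, 40, "malware_detected", False)] * 12 + [(13, 40, "access_protection", False)] * 5

def features(win, etype):
    """Log-scaled counts for one sensitive type: [hits of that type, unblocked hits, all events in window]."""
    hits = [blocked for t, blocked in win if t == etype]
    return [math.log1p(v) for v in (len(hits), hits.count(False), len(win))]

def train_ae(X, epochs=100, lr=0.05):
    """Tied-weight linear AE, one hidden unit (x_hat = (w.z) w), batch gradient descent on z-scored input."""
    mu = [sum(c) / len(X) for c in zip(*X)]
    sd = [max(1e-3, math.sqrt(sum((v - m) ** 2 for v in c) / len(X))) for c, m in zip(zip(*X), mu)]
    Z = [[(v - m) / s for v, m, s in zip(x, mu, sd)] for x in X]
    w = [1.0] + [0.0] * (len(mu) - 1)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for z in Z:
            h = sum(wi * zi for wi, zi in zip(w, z))                           # encode
            grad = [g + 2 * h * (h * wi - zi) for g, wi, zi in zip(grad, w, z)]  # d||h*w - z||^2 / dw for unit w
        w = [wi - lr * g / len(Z) for wi, g in zip(w, grad)]
        norm = math.sqrt(sum(wi * wi for wi in w)) or 1.0
        w = [wi / norm for wi in w]          # keep w unit-norm: converges to the first principal direction
    return mu, sd, w

def recon_error(model, x):
    mu, sd, w = model                        # squared reconstruction error = per-type anomaly score
    z = [(v - m) / s for v, m, s in zip(x, mu, sd)]
    h = sum(wi * zi for wi, zi in zip(w, z))
    return sum((h * wi - zi) ** 2 for wi, zi in zip(w, z))

def rank_machines(events):
    """One AE per sensitive type; machine score = worst window error over types, each scaled by its median."""
    wins = {}
    for m, h, t, blocked in events:
        wins.setdefault((m, h), []).append((t, blocked))
    scores = {}
    for etype in ("malware_detected", "access_protection"):
        X = {k: features(w, etype) for k, w in wins.items() if any(t == etype for t, _ in w)}
        model = train_ae(list(X.values()))
        errs = {k: recon_error(model, x) for k, x in X.items()}
        median = sorted(errs.values())[len(errs) // 2] or 1.0
        for (m, _), e in errs.items():
            scores[m] = max(scores.get(m, 0.0), e / median)
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

`rank_machines(EVENTS)` returns machines ordered by score; the analyst would work the list from the top, which is the prioritisation the abstract evaluates.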
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022
29/06/22 → 1/07/22
- Big data
- Machine learning
- Theoretical Computer Science
- General Computer Science