• DocumentCode
    1827882
  • Title
    Active Learning for Alert Triage
  • Author
    Doak, Justin E. ; Ingram, Joe ; Shelburg, Jeffery ; Johnson, Jamie ; Rohrer, Brandon R.
  • Author_Institution
    Sandia Nat. Labs., Albuquerque, NM, USA
  • Volume
    2
  • fYear
    2013
  • fDate
    4-7 Dec. 2013
  • Firstpage
    34
  • Lastpage
    39
  • Abstract
    In the cyber security operations of a typical organization, data from multiple sources are monitored, and when certain conditions in the data are met, an alert is generated in a Security Event and Incident Management system. Analysts inspect these alerts to decide if any deserve promotion to an event requiring further scrutiny. This triage process is manual, time-consuming, and detracts from the in-depth investigation of events. We investigate the use of supervised machine learning to automatically prioritize these alerts. In particular, we utilize active learning to make efficient use of the pool of unlabeled alerts, thereby improving the performance of our ranking models over passive learning. We demonstrate the effectiveness of active learning on a large, real-world dataset of cyber security alerts.
  • Keywords
    learning (artificial intelligence); security of data; active learning; cyber security alert triage process; cyber security operations; data monitoring; ranking models; real-world dataset; security event and incident management system; supervised machine learning; unlabeled alerts; Analytical models; Computer security; Data models; Feature extraction; Measurement; Supervised learning; Uncertainty;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Machine Learning and Applications (ICMLA), 2013 12th International Conference on
  • Conference_Location
    Miami, FL
  • Type
    conf
  • DOI
    10.1109/ICMLA.2013.102
  • Filename
    6786078