Wajih Ul Hassan (NEC Laboratories America, Inc.; University of Illinois at Urbana–Champaign), Shengjian Guo (Virginia Tech), Ding Li (NEC Laboratories America, Inc.), Zhengzhang Chen (NEC Laboratories America, Inc.), Kangkook Jee (NEC Laboratories America, Inc.), Zhichun Li (NEC Laboratories America, Inc.), Adam Bates (University of Illinois at Urbana–Champaign)

Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms.
In this paper, we present NoDoze to combat this challenge using contextual and historical information of generated threat alert in an enterprise. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each event in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the edges of the graph using a novel network diffusion algorithm and generates a subgraph with an aggregate anomaly score which is used to triage alerts. Evaluation on our dataset of 364 threat alerts shows that NoDoze decreases the volume of false alarms by 86%, saving more than 90 hours of analysts’ time, which was required to investigate those false alarms. Furthermore, NoDoze generated dependency graphs of true alerts are 2 orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.

View More Papers

Time Does Not Heal All Wounds: A Longitudinal Analysis...

Meng Luo (Stony Brook University), Pierre Laperdrix (Stony Brook University), Nima Honarmand (Stony Brook University), Nick Nikiforakis (Stony Brook University)

Read More

ML-Leaks: Model and Data Independent Membership Inference Attacks and...

Ahmed Salem (CISPA Helmholtz Center for Information Security), Yang Zhang (CISPA Helmholtz Center for Information Security), Mathias Humbert (Swiss Data Science Center, ETH Zurich/EPFL), Pascal Berrang (CISPA Helmholtz Center for Information Security), Mario Fritz (CISPA Helmholtz Center for Information Security), Michael Backes (CISPA Helmholtz Center for Information Security)

Read More

Understanding Open Ports in Android Applications: Discovery, Diagnosis, and...

Daoyuan Wu (Singapore Management University), Debin Gao (Singapore Management University), Rocky K. C. Chang (The Hong Kong Polytechnic University), En He (China Electronic Technology Cyber Security Co., Ltd.), Eric K. T. Cheng (The Hong Kong Polytechnic University), Robert H. Deng (Singapore Management University)

Read More

Balancing Image Privacy and Usability with Thumbnail-Preserving Encryption

Kimia Tajik (Oregon State University), Akshith Gunasekaran (Oregon State University), Rhea Dutta (Cornell University), Brandon Ellis (Oregon State University), Rakesh B. Bobba (Oregon State University), Mike Rosulek (Oregon State University), Charles V. Wright (Portland State University), Wu-Chi Feng (Portland State University)

Read More