Network-side Alert Prioritization Method Based on Multivariate Data Fusion
Author:
Affiliation:

  • Article
  • | |
  • Metrics
  • |
  • Reference [52]
  • |
  • Related [20]
  • | | |
  • Comments
    Abstract:

    The network security monitoring systems deployed on network nodes generate a large number of network-side alerts every day, causing the security engineers to face significant pressure to lose sensitivity to high-risk alerts and fail to detect network attacks in time. Due to the complexity and variability of cyber attacks and the limitation of network-side alert information, existing alert prioritization/ classification methods for IT operations are unsuitable for network-side alerts. Thus, network-side alert prioritization (NAP), the first network-side alert prioritization method, is proposed based on multivariate data fusion. NAP first designs a multi-strategy context encoder based on source IP address and destination IP address to capture the context information of network-side alerts. And then, NAP designs a text encoder based on the attention-based bidirectional GRU model and the ChineseBERT model to learn the semantic information of network-side alerts from the text data such as alert messages. Finally, NAP builds a ranking model to obtain the alert ranking values and then ranks the high-risk alerts with cyber attack intention in the front according to their descending order to optimize the network-side alert management process. The experiments on three groups of network attack and defense data from NSFOCUS show that NAP can achieve effective and stable prioritization results, and significantly outperforms the compared methods. For example, the average NDCG@k (kÎ[1,10]) (i.e., normalized discounted cumulative gain of the first 1 to 10 ranking results) ranges from 0.893 1 to 0.958 3, and outperforms the state-of-the-art method more than 64.73%. Besides, NAP has been applied to a real-world network-side alert dataset from Tianjin University, further confirming its practicability.

    Reference
    [1] CNN. What we know about the pipeline ransomware attack: How it happened, who is responsible and more. 2021. https://edition. cnn.com/2021/05/10/politics/colonial-ransomware-attack-explainer/index.html
    [2] Khraisat A, Gondal I, Vamplew P, et al. Survey of intrusion detection systems: Techniques, datasets and challenges. Cybersecurity, 2019, 2(1): 1-22. [doi: 10.1186/s42400-019-0038-7]
    [3] Prandl S, Lazarescu M, Pham DS. A study of web application firewall solutions. In: Proc. of the 11th Int’l Conf. on Information Systems Security (ICISS 2015). 2015. 501-510. [doi: 10.1007/978-3-319-26961-0_29]
    [4] Hassan WU, Guo S, Li D, et al. Nodoze: Combatting threat alert fatigue with automated provenance triage. In: Proc. of the 26th Annual Network and Distributed System Security Symp. (NDSS 2019). 2019.
    [5] Orca. The orca security 2022 cloud security alert fatigue report. 2022. https://orca.security/resources/blog/2022-cloud-cyber- security-alert-fatigue-report/
    [6] Lin Y, Chen Z, Cao C, et al. Collaborative alert ranking for anomaly detection. In: Proc. of the 27th ACM Int’l Conf. on Information and Knowledge Management (CIKM 2018). 2018. 1987-1995. [doi: 10.1145/3269206.3272013]
    [7] Alahmadi BA, Axon L, Martinovic I. 99% false positives: A qualitative study of SOC analysts’ perspectives on security alarms. In: Proc. of the 31st USENIX Security Symp. (USENIX Security 2022). 2022. 2783-2800.
    [8] Liu J, Zhang R, Liu W, et al. Context2Vector: Accelerating security event triage via context representation learning. Information and Software Technology, 2022, 146: 106856. [doi: 10.1016/j.infsof.2022.106856]
    [9] Zhao N, Jin P, Wang L, et al. Automatically and adaptively identifying severe alerts for online service systems. In: Proc. of the IEEE Conf. on Computer Communications (INFOCOM 2020). 2020. 2420-2429. [doi: 10.1109/ INFOCOM41043.2020.9155219]
    [10] 刘剑, 苏璞睿, 杨珉, 等. 软件与网络安全研究综述. 软件学报, 2018, 29(1): 42-68. http://www.jos.org.cn/1000-9825/5320.htm [doi: 10.13328/j.cnki.jos.005320]
    Liu J, Su PR, Yang M, et al. Software and cyber security—A survey. Ruan Jian Xue Bao/Journal of Software, 2018, 29(1): 42-68 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5320.htm [doi: 10.13328/j.cnki. jos.005320]
    [11] Jiang G, Chen H, Yoshihira K, et al. Ranking the importance of alerts for problem determination in large computer systems. In: Proc. of the 6th Int’l Conf. on Autonomic Computing. 2009. 3-12. [doi: 10.1145/1555228.1555232]
    [12] Ben-Asher N, Gonzalez C. Effects of cyber security knowledge on attack detection. Computers in Human Behavior, 2015, 48: 51-61. [doi: 10.1016/j.chb.2015.01.039]
    [13] Zhao N, Chen J, Wang Z, et al. Real-time incident prediction for online service systems. In: Proc. of the 28th ACM Joint Meeting on European Software Engineering Conf. and Symp. on the Foundations of Software Engineering. 2020. 315-326. [doi: 10.1145/3368089.3409672]
    [14] Li B, Yang T, Chen Z, et al. Heterogeneous anomaly detection for software systems via attentive multi-modal learning. arXiv:2207.02918, 2022.
    [15] Chen J, Zhang S, He X, et al. How incidental are the incidents? Characterizing and prioritizing incidents for large-scale online service systems. In: Proc. of the 35th IEEE/ACM Int’l Conf. on Automated Software Engineering. 2020. 373-384. [doi: 10.1145/3324884.3416624]
    [16] Van Ede T, Aghakhani H, Spahn N, et al. Deepcase: Semi-supervised contextual analysis of security events. In: Proc. of the 2022 IEEE Symp. on Security and Privacy (SP 2022). IEEE, 2022. 522-539. [doi: 10.1109/SP46214.2022.00036]
    [17] Shen Y, Stringhini G. Attack2vec: Leveraging temporal word embeddings to understand the evolution of cyberattacks. In: Proc. of the 28th USENIX Security Symp. (USENIX Security 2019). 2019. 905-921.
    [18] Qin ZQ, Ma XK, Wang YJ. Attentional payload anomaly detector for Web applications. In: Proc. of the 25th Int’l Conf. on Neural Information Processing (ICONIP 2018). Springer, 2018. 588-599. [doi: 10.1007/978-3-030-04212-7_52]
    [19] Jin X, Cui B, Yang J, et al. Payload-based Web attack detection using deep neural network. In: Advances on Broad-band Wireless Computing, Communication and Applications: Proc. of the 12th Int’l Conf. on Broad-band Wireless Computing, Communication and Applications (BWCCA 2017). Springer, 2018. 482-488. [doi: 10.1007/978-3-319-69811- 3_44]
    [20] Jin X, Cui B, Li D, et al. An improved payload-based anomaly detector for Web applications. Journal of Network and Computer Applications, 2018, 106: 111-116. [doi: 10.1016/j.jnca.2018.01.002]
    [21] Torrano-Gimenez C, Nguyen HT, Alvarez G, et al. Applying feature selection to payload-based web application firewalls. In: Proc. of the 3rd Int’l Workshop on Security and Communication Networks (IWSCN 2011). IEEE, 2011. 75-81. [doi: 10.1109/IWSCN. 2011.6827720]
    [22] 王立敏, 卜磊, 马乐之, 等. 基于指标依赖模型构建与监控的攻击检测方法. 软件学报, 2023, 34(6): 2641-2668. http://www. jos.org.cn/1000-9825/6847.htm [doi: 10.13328/j.cnki.jos.006847]
    Wang LM, Bu L, Ma LZ, et al. Attack detection method based on indicator-dependent model construction and monitoring. Ruan Jian Xue Bao/Journal of Software, 2023, 34(6): 2641-2668 (in Chinese with English abstract). http://www.jos. org.cn/1000-9825/ 6847.htm [doi: 10.13328/j.cnki.jos.006847]
    [23] Chen J, Wang P, Wang W. Online summarizing alerts through semantic and behavior information. In: Proc. of the 44th Int’l Conf. on Software Engineering (ICSE 2022). 2022. 1646-1657. [doi: 10.1145/3510003.3510055]
    [24] Zhao N, Chen J, Peng X, et al. Understanding and handling alert storm for online service systems. In: Proc. of the 42nd ACM/IEEE Int’l Conf. on Software Engineering: Software Engineering in Practice (ICSE-SEIP 2020). 2020. 162-171. [doi: 10.1145/3377813. 3381363]
    [25] Lin D, Raghu R, Ramamurthy V, et al. Unveiling clusters of events for alert and incident management in large-scale enterprise it. In: Proc. of the 20th ACM SIGKDD Int’l Conf. on Knowledge Discovery and Data Mining (SIGKDD 2014). 2014. 1630-1639. [doi: 10.1145/2623330.2623360]
    [26] Ma M, Zhang S, Chen J, et al. Jump-Starting multivariate time series anomaly detection for online service systems. In: Proc. of the 2021 USENIX Annual Technical Conf. (USENIX ATC 2021). 2021. 413-426.
    [27] Zhao N, Chen J, Yu Z, et al. Identifying bad software changes via multimodal anomaly detection for online service systems. In: Proc. of the 29th ACM Joint Meeting on European Software Engineering Conf. and Symp. on the Foundations of Software Engineering (ESEC/FSE 2021). 2021. 527-539. [doi: 10.1145/3468264.3468543]
    [28] Landauer M, Skopik F, Wurzenberger M, et al. Dealing with security alert flooding: using machine learning for domain- independent alert aggregation. ACM Trans. on Privacy and Security, 2022, 25(3): 1-36. [doi: 10.1145/3510581]
    [29] Chung J, Gulcehre C, Cho K, et al. Empirical evaluation of gated recurrent neural networks on sequence modeling. In: Proc. of the Neural Information Processing Systems Workshop on Deep Learning (NeurIPS 2014). 2014.
    [30] Wang W, Chen J, Yang L, et al. How long will it take to mitigate this incident for online service systems? In: Proc. of the 32nd Int’l Symp. on Software Reliability Engineering (ISSRE 2021). IEEE, 2021. 36-46. [doi: 10.1109/ISSRE52982.2021.00017]
    [31] Wang W, Chen J, Yang L, et al. Understanding and predicting incident mitigation time. Information and Software Technology, 2023, 155: 107119. [doi: 10.1016/j.infsof.2022.107119]
    [32] Yang L, Chen J, Wang Z, et al. Semi-supervised log-based anomaly detection via probabilistic label estimation. In: Proc. of the 43rd IEEE/ACM Int’l Conf. on Software Engineering (ICSE 2021). IEEE, 2021. 1448-1460. [doi: 10.1109/ICSE43902.2021. 00130]
    [33] Pennington J, Socher R, Manning CD. Glove: Global vectors for word representation. In: Proc. of the 2014 Conf. on Empirical Methods in Natural Language Processing (EMNLP 2014). 2014. 1532-1543.
    [34] Devlin J, Chang MW, Lee K, et al. Bert: Pre-training of deep bidirectional transformers for language understanding. In: Proc. of the 2019 Conf. of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT 2019). 2019. 4171-4186.
    [35] Kang Y, Wang Z, Zhang H, et al. Apirecx: Cross-library api recommendation via pre-trained language model. In: Proc. of the 2021 Conf. on Empirical Methods in Natural Language Processing (EMNLP 2021). 2021. 3425-3436. [doi: 10.18653/v1/ 2021.emnlp- main.275]
    [36] Shen Q, Chen J, Zhang JM, et al. Natural test generation for precise testing of question answering software. In: Proc. of the 37th IEEE/ACM Int’l Conf. on Automated Software Engineering (ASE 2022). 2022. 1-12. [doi: 10.1145/3551349. 3556953]
    [37] Gao T, Chen J, Zhao Y, et al. Vectorizing program ingredients for better JVM testing. In: Proc. of the 32nd ACM SIGSOFT Int’l Symp. on Software Testing and Analysis (ISSTA 2023). 2023. 526-537. [doi: 10.1145/3597926.3598075]
    [38] Sun Z, Li X, Sun X, et al. Chinesebert: Chinese pretraining enhanced by glyph and pinyin information. In: Proc. of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th Int’l Joint Conf. on Natural Language Processing (ACL/IJCNLP 2021) (Vol.1: Long Papers). 2021. 2065-2075. [doi: 10.18653/v1/2021.acl-long.161]
    [39] Zhang Y, Wu X, Fang Q, et al. Knowledge-enhanced attributed multi-task learning for medicine recommendation. ACM Trans. on Information Systems (TOIS), 2023, 41(1): 1-24. [doi: 10.1145/3527662]
    [40] Mostafa S, Wang X, Xie T. Perfranker: Prioritization of performance regression tests for collection-intensive software. In: Proc. of the 26th ACM SIGSOFT Int’l Symp. on Software Testing and Analysis (ISSTA 2017). 2017. 23-34. [doi: 10.1145/3092703. 3092725]
    [41] Su Y, Xing Z, Peng X, et al. Reducing bug triaging confusion by learning from mistakes with a bug tossing knowledge graph. In: Proc. of the 36th IEEE/ACM Int’l Conf. on Automated Software Engineering (ASE 2021). IEEE, 2021. 191-202. [doi: 10.1109/ ASE51524.2021.9678574]
    [42] Chen N, Lin J, Hoi SCH, et al. AR-Miner: Mining informative reviews for developers from mobile app marketplace. In: Proc. of the 36th Int’l Conf. on Software Engineering (ICSE 2014). 2014. 767-778. [doi: 10.1145/2568225.2568263]
    [43] Al-Maskari A, Sanderson M, Clough P. The relationship between IR effectiveness measures and user satisfaction. In: Proc. of the 30th Annual Int’l ACM SIGIR Conf. on Research and Development in Information Retrieval. 2007. 773-774. [doi: 10.1145/ 1277741.1277902]
    [44] Järvelin K, Kekäläinen J. Cumulated gain-based evaluation of IR techniques. ACM Trans. on Information Systems (TOIS), 2002, 20(4): 422-446. [doi: 10.1145/582415.582418]
    [45] Salton G, Buckley C. Term-weighting approaches in automatic text retrieval. Information Processing & Management, 1988, 24(5): 513-523.
    [46] Dos Santos C, Gatti M. Deep convolutional neural networks for sentiment analysis of short texts. In: Proc. of the 25th Int’l Conf. on Computational Linguistics: Technical Papers (COLING 2014). 2014. 69-78.
    [47] 雷杰, 高鑫, 宋杰, 等. 深度网络模型压缩综述. 软件学报, 2018, 29(2): 251-266. http://www.jos.org.cn/1000-9825/5428.htm [doi: 10.13328/j.cnki.jos.005428]
    Lei J, Gao X, Song J, et al. Survey of deep neural network model compression. Ruan Jian Xue Bao/Journal of Software, 2018, 29(2): 251-266 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/5428.htm [doi: 10.13328/ j.cnki.jos.005428]
    [48] 高晗, 田育龙, 许封元, 等. 深度学习模型压缩与加速综述. 软件学报, 2021, 32(1): 68-92. http://www.jos.org.cn/1000-9825/ 6096.htm [doi: 10.13328/j.cnki.jos.006096]
    Gao H, Tian YL, Xu FY, et al. Survey of deep learning model compression and acceleration. Ruan Jian Xue Bao/Journal of Software, 2021, 32(1): 68-92 (in Chinese with English abstract). http://www.jos.org.cn/1000-9825/6096.htm [doi: 10.13328/j.cnki. jos.006096]
    Cited by
    Comments
    Comments
    分享到微博
    Submit
Get Citation

王维靖,陈俊洁,杨林,侯德俊,王星凯,吴复迪,张润滋,王赞.基于多元数据融合的网络侧告警排序方法.软件学报,2024,35(8):3610-3625

Copy
Share
Article Metrics
  • Abstract:489
  • PDF: 2557
  • HTML: 854
  • Cited by: 0
History
  • Received:September 10,2023
  • Revised:October 30,2023
  • Online: January 05,2024
  • Published: August 06,2024
You are the first2032491Visitors
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4
Address:4# South Fourth Street, Zhong Guan Cun, Beijing 100190,Postal Code:100190
Phone:010-62562563 Fax:010-62562533 Email:jos@iscas.ac.cn
Technical Support:Beijing Qinyun Technology Development Co., Ltd.

Beijing Public Network Security No. 11040202500063