Prioritizing Antivirus Alerts on Internal Enterprise Machines.

Shay Sakazi; Yuval Elovici; Asaf Shabtai

doi:10.1007/978-3-031-09484-2_5

Prioritizing Antivirus Alerts on Internal Enterprise Machines.

Shay Sakazi, Yuval Elovici, Asaf Shabtai

Department of Software and Information Systems Engineering

Ben-Gurion University of the Negev

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.

Original language	American English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings
Editors	Lorenzo Cavallaro, Daniel Gruss, Giancarlo Pellegrino, Giorgio Giacinto
Pages	75-95
Number of pages	21
ISBN (Electronic)	978-3-031-09484-2
DOIs	https://doi.org/10.1007/978-3-031-09484-2_5
State	Published - 24 Jun 2022
Event	19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022 - Cagliari, Italy Duration: 29 Jun 2022 → 1 Jul 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13358 LNCS

Conference

Conference	19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022
Country/Territory	Italy
City	Cagliari
Period	29/06/22 → 1/07/22

Keywords

Antivirus
Autoencoder
Big data
Machine learning

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-09484-2_5

https://dblp.org/db/conf/dimva/dimva2022.html#SakaziES22

Cite this

Sakazi, S., Elovici, Y., & Shabtai, A. (2022). Prioritizing Antivirus Alerts on Internal Enterprise Machines. In L. Cavallaro, D. Gruss, G. Pellegrino, & G. Giacinto (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings (pp. 75-95). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13358 LNCS). https://doi.org/10.1007/978-3-031-09484-2_5

Sakazi, Shay ; Elovici, Yuval ; Shabtai, Asaf. / Prioritizing Antivirus Alerts on Internal Enterprise Machines. Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings. editor / Lorenzo Cavallaro ; Daniel Gruss ; Giancarlo Pellegrino ; Giorgio Giacinto. 2022. pp. 75-95 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{280d409489fc429a8dbd161d1ee034fb,

title = "Prioritizing Antivirus Alerts on Internal Enterprise Machines.",

abstract = "Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method{\textquoteright}s effectiveness at prioritizing AV events.",

keywords = "Antivirus, Autoencoder, Big data, Machine learning",

author = "Shay Sakazi and Yuval Elovici and Asaf Shabtai",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022 ; Conference date: 29-06-2022 Through 01-07-2022",

year = "2022",

month = jun,

day = "24",

doi = "10.1007/978-3-031-09484-2_5",

language = "American English",

isbn = "978-3-031-09483-5",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "75--95",

editor = "Lorenzo Cavallaro and Daniel Gruss and Giancarlo Pellegrino and Giorgio Giacinto",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings",

}

Sakazi, S, Elovici, Y & Shabtai, A 2022, Prioritizing Antivirus Alerts on Internal Enterprise Machines. in L Cavallaro, D Gruss, G Pellegrino & G Giacinto (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13358 LNCS, pp. 75-95, 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022, Cagliari, Italy, 29/06/22. https://doi.org/10.1007/978-3-031-09484-2_5

Prioritizing Antivirus Alerts on Internal Enterprise Machines. / Sakazi, Shay; Elovici, Yuval ; Shabtai, Asaf.
Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings. ed. / Lorenzo Cavallaro; Daniel Gruss; Giancarlo Pellegrino; Giorgio Giacinto. 2022. p. 75-95 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13358 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Prioritizing Antivirus Alerts on Internal Enterprise Machines.

AU - Sakazi, Shay

AU - Elovici, Yuval

AU - Shabtai, Asaf

PY - 2022/6/24

Y1 - 2022/6/24

N2 - Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.

AB - Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.

KW - Antivirus

KW - Autoencoder

KW - Big data

KW - Machine learning

UR - http://www.scopus.com/inward/record.url?scp=85134341825&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-09484-2_5

DO - 10.1007/978-3-031-09484-2_5

M3 - Conference contribution

SN - 978-3-031-09483-5

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 75

EP - 95

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings

A2 - Cavallaro, Lorenzo

A2 - Gruss, Daniel

A2 - Pellegrino, Giancarlo

A2 - Giacinto, Giorgio

T2 - 19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022

Y2 - 29 June 2022 through 1 July 2022

ER -

Sakazi S, Elovici Y , Shabtai A. Prioritizing Antivirus Alerts on Internal Enterprise Machines. In Cavallaro L, Gruss D, Pellegrino G, Giacinto G, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings. 2022. p. 75-95. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-09484-2_5

Prioritizing Antivirus Alerts on Internal Enterprise Machines.

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this