Prioritizing Antivirus Alerts on Internal Enterprise Machines.

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events to a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; then it aggregates their results to identify abnormal and potentially critical machines (i.e., machine that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on average 56% of the alerts were found to be relevant (i.e., require further investigation) compared with 43% raised by baseline models and 7% raised by random selection, thus demonstrating the proposed method’s effectiveness at prioritizing AV events.
Original languageAmerican English
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 19th International Conference, DIMVA 2022, Proceedings
EditorsLorenzo Cavallaro, Daniel Gruss, Giancarlo Pellegrino, Giorgio Giacinto
Number of pages21
ISBN (Electronic)978-3-031-09484-2
StatePublished - 24 Jun 2022
Event19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022 - Cagliari, Italy
Duration: 29 Jun 20221 Jul 2022

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13358 LNCS


Conference19th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2022


  • Antivirus
  • Autoencoder
  • Big data
  • Machine learning

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Prioritizing Antivirus Alerts on Internal Enterprise Machines.'. Together they form a unique fingerprint.

Cite this