Published: September 30, 2014
Citation: International Journal of Network Security & Its Applications (IJNSA) vol. 6, no. 5, (September 2014) pp. 35-50
Author(s)
Peter Mell, Richard Harang
Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still formidable 14,099 meta-alerts. In this work, we address this limitation by investigating several approaches that all contribute towards reducing the burden on the analyst and providing timely analysis. We explore minimizing the number of both alerts and data fields by aggregating at Hamming distances greater than 1. We show how increasing bin sizes can improve aggregation rates. And we provide a new aggregation algorithm that operates up to an order of magnitude faster at Hamming distance 1. Lastly, we demonstrate the broad applicability of this approach through empirical analysis of Windows security alerts, Snort alerts, netflow records, and DNS logs.
Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still formidable 14,099 meta-alerts. In this work,...
See full abstract
Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still formidable 14,099 meta-alerts. In this work, we address this limitation by investigating several approaches that all contribute towards reducing the burden on the analyst and providing timely analysis. We explore minimizing the number of both alerts and data fields by aggregating at Hamming distances greater than 1. We show how increasing bin sizes can improve aggregation rates. And we provide a new aggregation algorithm that operates up to an order of magnitude faster at Hamming distance 1. Lastly, we demonstrate the broad applicability of this approach through empirical analysis of Windows security alerts, Snort alerts, netflow records, and DNS logs.
Hide full abstract
Keywords
alert aggregation; cognitive load; Hamming distance; hypergraphs; security logs
Control Families
None selected