Wajih Ul Hassan (NEC Laboratories America, Inc.; University of Illinois at Urbana–Champaign), Shengjian Guo (Virginia Tech), Ding Li (NEC Laboratories America, Inc.), Zhengzhang Chen (NEC Laboratories America, Inc.), Kangkook Jee (NEC Laboratories America, Inc.), Zhichun Li (NEC Laboratories America, Inc.), Adam Bates (University of Illinois at Urbana–Champaign)

Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a “threat alert fatigue” or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms.
In this paper, we present NoDoze to combat this challenge using contextual and historical information of generated threat alert in an enterprise. NoDoze first generates a causal dependency graph of an alert event. Then, it assigns an anomaly score to each event in the dependency graph based on the frequency with which related events have happened before in the enterprise. NoDoze then propagates those scores along the edges of the graph using a novel network diffusion algorithm and generates a subgraph with an aggregate anomaly score which is used to triage alerts. Evaluation on our dataset of 364 threat alerts shows that NoDoze decreases the volume of false alarms by 86%, saving more than 90 hours of analysts’ time, which was required to investigate those false alarms. Furthermore, NoDoze generated dependency graphs of true alerts are 2 orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation. Our system has a low average runtime overhead and can be deployed with any threat detection software.

View More Papers

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via...

A. Theodore Markettos (University of Cambridge), Colin Rothwell (University of Cambridge), Brett F. Gutstein (Rice University), Allison Pearce (University of Cambridge), Peter G. Neumann (SRI International), Simon W. Moore (University of Cambridge), Robert N. M. Watson (University of Cambridge)

Read More

Cleaning Up the Internet of Evil Things: Real-World Evidence...

Orcun Cetin (Delft University of Technology), Carlos Gañán (Delft University of Technology), Lisette Altena (Delft University of Technology), Takahiro Kasama (National Institute of Information and Communications Technology), Daisuke Inoue (National Institute of Information and Communications Technology), Kazuki Tamiya (Yokohama National University), Ying Tie (Yokohama National University), Katsunari Yoshioka (Yokohama National University), Michel van Eeten (Delft…

Read More

OBFUSCURO: A Commodity Obfuscation Engine on Intel SGX

Adil Ahmad (Purdue), Byunggill Joe (KAIST), Yuan Xiao (Ohio State University), Yinqian Zhang (Ohio State University), Insik Shin (KAIST), Byoungyoung Lee (Purdue/SNU)

Read More

The use of TLS in Censorship Circumvention

Sergey Frolov (University of Colorado Boulder), Eric Wustrow (University of Colorado Boulder)

Read More