Title
DEEPCASE: Semi-Supervised Contextual Analysis of Security Events
Abstract
Security monitoring systems detect potentially malicious activities in IT infrastructures by looking either for known signatures or for anomalous behaviors. Security operators investigate these events to determine whether they pose a threat to their organization. In many cases, a single event is insufficient to determine whether certain activity is indeed malicious. Therefore, a security operator frequently needs to correlate multiple events to identify whether they pose a real threat. Unfortunately, the vast number of events that need to be correlated often overloads security operators, forcing them to ignore some events and thereby potentially miss attacks. This work studies how to automatically correlate security events and, thus, automate parts of the security operator workload. We design and evaluate DEEPCASE, a system that leverages the context around events to determine which events require further inspection. This approach reduces the number of events that need to be inspected. In addition, the context provides valuable insights into why certain events are classified as malicious. We show that our approach automatically filters 86.72% of the events and reduces the manual workload of security operators by 90.53%, while underestimating the risk of potential threats in less than 0.001% of cases.
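The abstract's central point is that the same event can be benign or malicious depending on the events around it, and that an operator who labels one representative of a recurring (event, context) pattern need not look at the rest. The following Python is an added illustration of that idea written for this page; it is not the DEEPCASE implementation, and it assumes two things the abstract does not state: that "context" is the k events that preceded an event on the same host, and that events sharing an identical (event, context) pair form one group that the operator labels once. The host names, event names, operator verdicts and ground truth are all constructed for the example. It also shows the failure mode the abstract's last sentence measures: a malicious event whose context looks exactly like a routine one inherits the routine label, i.e. its risk is underestimated.

```python
"""Context-based grouping of security events with per-group operator labels.

Added example, not the paper's code. Assumptions (not stated on the page):
context = the k preceding events on the same host; identical (event, context)
pairs form one group that an operator labels once, and the label propagates.
"""
from collections import defaultdict

CONTEXT_LEN = 2  # assumption: k preceding events on the same host form the context

# Constructed sample stream in arrival order; hosts and event names are invented.
ROUTINE = [("ws01", "login_success"), ("ws01", "powershell_exec"), ("ws01", "scheduled_task_run")]
SAMPLE_EVENTS = ROUTINE * 5 + [
    # same powershell_exec event type, but preceded by a macro-enabled document
    ("ws02", "office_macro_enabled"), ("ws02", "powershell_exec"), ("ws02", "outbound_dns_burst"),
    # brute force, then a success and a privilege change
    ("srv01", "login_failure"), ("srv01", "login_failure"), ("srv01", "login_failure"),
    ("srv01", "login_success"), ("srv01", "new_admin_account"),
]


def build_contexts(events, k=CONTEXT_LEN):
    """Return (index, event, context) triples; context = up to k preceding events on the same host."""
    history = defaultdict(list)
    triples = []
    for i, (host, event) in enumerate(events):
        triples.append((i, event, tuple(history[host][-k:])))
        history[host].append(event)
    return triples


def group_by_context(triples):
    """Map (event, context) -> indices of all events sharing that pair."""
    groups = defaultdict(list)
    for i, event, context in triples:
        groups[(event, context)].append(i)
    return dict(groups)


def operator_verdict(event, context):
    """Stand-in for the analyst's manual decision on ONE representative per group.
    Constructed risk scale: 0 benign, 1 low, 2 medium, 3 high."""
    if event in ("new_admin_account", "outbound_dns_burst"):
        return 3
    if event == "powershell_exec" and "office_macro_enabled" in context:
        return 3
    if event == "login_failure":
        return 1
    if event == "login_success" and "login_failure" in context:
        return 2
    return 0


def propagate(groups):
    """Label each group once, then copy that label to every event in the group."""
    labels = {}
    for (event, context), indices in groups.items():
        risk = operator_verdict(event, context)
        for i in indices:
            labels[i] = risk
    return labels


def workload_reduction(n_events, groups):
    """Fraction of events the operator never inspected individually."""
    return 1 - len(groups) / n_events


def count_underestimates(labels, ground_truth):
    """Events whose propagated risk is below the true risk: the failure mode to keep rare."""
    return sum(1 for i, risk in labels.items() if risk < ground_truth.get(i, 0))


def run_example():
    triples = build_contexts(SAMPLE_EVENTS)
    groups = group_by_context(triples)
    labels = propagate(groups)
    # Constructed ground truth: the macro -> PowerShell -> DNS chain (16, 17) and the new
    # admin account (22) are real incidents. Index 14 is a scheduled_task_run that was
    # actually malicious but has the same context as the routine ones, so grouping hides it.
    ground_truth = {16: 3, 17: 3, 22: 3, 14: 2}
    return {
        "events": len(SAMPLE_EVENTS),
        "groups": len(groups),  # each group costs the operator one manual inspection
        "reduction": round(workload_reduction(len(SAMPLE_EVENTS), groups), 3),
        # the same event type ends up with different risks depending on its context
        "powershell_risks": sorted({labels[i] for i, e, _ in triples if e == "powershell_exec"}),
        "underestimates": count_underestimates(labels, ground_truth),
    }


if __name__ == "__main__":
    print(run_example())
```

Two things to take from running it: `powershell_exec` receives risk 0 in the routine context and 3 after `office_macro_enabled`, which is the "single event is insufficient" argument made concrete, and the one underestimate shows why the abstract reports that rate separately from the workload reduction. Any grouping that only sees a fixed-length context will merge a well-camouflaged event with its benign look-alikes, so that figure is the one to watch when tuning the context definition.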
Year
2022
DOI
10.1109/SP46214.2022.9833671
Venue
2022 IEEE Symposium on Security and Privacy (SP)
Keywords
intrusion-detection, security-operations-center, alert-reduction
DocType
Conference
ISSN
1081-6011
ISBN
978-1-6654-1317-6
Citations
0
PageRank
0.34
References
19
Authors
10
Name                     Order   Citations   PageRank
Thijs van Ede            1       5           1.91
Hojjat Aghakhani         2       15          3.03
Noah Spahn               3       0           0.34
Riccardo Bortolameotti   4       5           2.24
Marco Cova               5       1425        71.19
Andrea Continella        6       59          8.18
Maarten van Steen        7       0           0.34
Andreas Peter            8       233         20.57
Christopher Kruegel      9       8799        516.05
Giovanni Vigna           10      7121        507.72