What is it about?

In the article, we show that combining the output of separate, traditional detection systems (network-layer detection, the SIEM, the findings of threat hunts, Endpoint Detection and Response) and training a model on red team attacks and confirmed incidents yields scalable, high-quality detection for a Security Operations Centre (SOC). This methodology significantly outperforms the traditional, stove-piped way of working of SOCs, including so-called User and Entity Behaviour Analytics tools (UBA or UEBA). The alerts, together with some contextual information, are ingested into an AI-powered integration layer where the features of the detection models are calculated and the models are run. The feedback loop is shown in the infographic.

Featured Image
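The blending step described above, as an added illustration rather than the paper's own code: alerts from several stove-piped detectors are bucketed per host and time window into one feature vector, a model is trained on windows labelled by red-team activity or confirmed incidents, live windows are ranked for triage, and an analyst verdict is fed back into the label set. The detector names, the one-hour window, the alert stream, the labels and the choice of logistic regression (a stdlib stand-in for whatever model the paper uses) are all assumptions made for this example.

```python
"""Added illustration (not the paper's code): blend alerts from several
stove-piped detectors into one feature vector per host and time window,
train a model on windows labelled by red-team activity / confirmed
incidents, rank live windows for triage, and feed analyst verdicts back
into the training set. Standard library only; all data is constructed."""
import math
from collections import defaultdict

SOURCES = ("ids", "siem", "edr", "hunt")   # assumed detector names
WINDOW = 3600                               # assumed 1-hour feature window

# Constructed alert stream: (timestamp, source, host, severity 1-5)
ALERTS = [
    (100, "ids", "ws01", 2), (300, "siem", "ws01", 3), (900, "edr", "ws01", 4),
    (4000, "ids", "ws02", 1), (4100, "ids", "ws02", 1),
    (7500, "siem", "srv01", 2),
    (11000, "edr", "ws03", 3), (11200, "hunt", "ws03", 4), (11900, "ids", "ws03", 2),
    (15000, "ids", "ws04", 1),
    (18500, "siem", "ws05", 2), (18700, "edr", "ws05", 3),
    (22000, "ids", "srv02", 1), (22050, "ids", "srv02", 1), (22100, "ids", "srv02", 1),
]
# Constructed labels: 1 = window overlaps a red-team action or confirmed incident
LABELS = {("ws01", 0): 1, ("ws02", 1): 0, ("srv01", 2): 0, ("ws03", 3): 1,
          ("ws04", 4): 0, ("ws05", 5): 1, ("srv02", 6): 0}


def featurize(alerts, window=WINDOW):
    """Blend alerts into one vector per (host, window):
    [count per source..., number of distinct sources, max severity]."""
    buckets = defaultdict(list)
    for ts, source, host, sev in alerts:
        buckets[(host, ts // window)].append((source, sev))
    feats = {}
    for key, items in buckets.items():
        counts = [sum(1 for s, _ in items if s == src) for src in SOURCES]
        distinct = sum(1 for c in counts if c)
        feats[key] = counts + [distinct, max(sev for _, sev in items)]
    return feats


def _sigmoid(z):
    # Numerically safe in both tails.
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train(feats, labels, lr=0.2, epochs=10000):
    """Logistic regression by full-batch gradient descent on the labelled
    windows (stand-in for the paper's model; deterministic, no dependencies)."""
    rows = [(feats[k], y) for k, y in labels.items() if k in feats]
    dim = len(next(iter(feats.values())))
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in rows:
            err = _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        n = len(rows)
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def score(model, x):
    """Probability that the window contains attack activity."""
    w, b = model
    return _sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def rank(model, feats):
    """Triage queue: (host, window) keys, most suspicious first."""
    return sorted(feats, key=lambda k: score(model, feats[k]), reverse=True)


def feedback(labels, key, verdict):
    """Analyst verdict (1 = confirmed incident, 0 = benign) closes the loop;
    retrain on the returned label set to pick it up."""
    return {**labels, key: verdict}


if __name__ == "__main__":
    feats = featurize(ALERTS)
    model = train(feats, LABELS)
    for key in rank(model, feats):
        print(f"{key[0]:6s} window {key[1]}  score={score(model, feats[key]):.3f}  x={feats[key]}")
```

The point of the feature vector is that no single stove-piped source has to fire loudly: three low-severity alerts from three different tools on one host within an hour become a strong signal, while repeated alerts from one noisy source on an otherwise quiet host do not. In production the label set would be built from red-team timelines and incident tickets rather than hand-written as here, and `feedback` is where analyst triage decisions flow back into the next training run.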

Why is it important?

Detecting a cyber attack at the earliest possible point in time is critical to limiting further damage and impact on an organisation's digital infrastructure.

Perspectives

This way of working simply makes sense, but requires a base maturity in cybersecurity and data science. The big plus is that you reap the benefits of the work already done on creating detection rules and implementing (stove-piped) tooling, thus conserving your investment in security. With limited effort you can take detection of cyberattacks to the next level.

Tom-Martijn Roelofs
ING Bank

Writing this paper was tremendously interesting as it bridges multiple gaps: enterprise and academia, machine learning and cybersecurity. In addition, it fights some of the stigma within the security operations centre that AI is not good enough to be deployed in production. Our paper demonstrates, objectively, that it very much is. We hope it opens doors for other researchers to do more research in this very interesting area.

Dr Eduardo Barbaro
Technische Universiteit Delft

Read the Original

This page is a summary of: Finding Harmony in the Noise: Blending Security Alerts for Attack Detection, April 2024, ACM (Association for Computing Machinery), DOI: 10.1145/3605098.3635981.
