An Active Learning Approach to Dynamic Alert Prioritization for Real-time Situational Awareness

Title: An Active Learning Approach to Dynamic Alert Prioritization for Real-time Situational Awareness
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Kim, Yeongwoo; Dán, György
Conference Name: 2022 IEEE Conference on Communications and Network Security (CNS)
Keywords: active learning, composability, Computational modeling, hidden Markov model, Hidden Markov models, Intrusion detection, Manuals, Markov processes, Network security, Predictive Metrics, pubcrawl, Real-time Systems, Resiliency, security situational awareness, situational awareness, Uncertainty
Abstract

Real-time situational awareness (SA) plays an essential role in accurate and timely incident response. Maintaining SA is, however, extremely costly due to excessive false alerts generated by intrusion detection systems, which require prioritization and manual investigation by security analysts. In this paper, we propose a novel approach to prioritizing alerts so as to maximize SA, by formulating the problem as that of active learning in a hidden Markov model (HMM). We propose to use the entropy of the belief of the security state as a proxy for the mean squared error (MSE) of the belief, and we develop two computationally tractable policies for choosing alerts to investigate that minimize the entropy, taking into account the potential uncertainty of the investigations' results. We use simulations to compare our policies to a variety of baseline policies. We find that our policies reduce the MSE of the belief of the security state by up to 50% compared to static baseline policies, and they are robust to high false alert rates and to investigation errors.
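The following is an added illustration, not code from the paper, of the formulation the abstract describes: a belief over a hidden security state updated as an HMM, binary entropy used as a proxy for the belief's MSE, and a triage policy that picks the alert whose noisy investigation is expected to reduce entropy most. The greedy one-step policy, the per-host independence of states, and every rate (detection, false-alert, analyst accuracy, compromise and remediation probabilities) are assumptions of this example, not the paper's policies or parameters.

```python
"""Greedy entropy-driven alert triage over per-host compromise beliefs (constructed example):
each host has a hidden benign/compromised state summarised by b = P(compromised)."""
from math import log2

def binary_entropy(b):
    """Entropy in bits of a Bernoulli(b) belief; 0 at the endpoints."""
    if b <= 0.0 or b >= 1.0:
        return 0.0
    return -b * log2(b) - (1 - b) * log2(1 - b)

def belief_mse(b):
    """E[(S - b)^2] for S ~ Bernoulli(b): MSE of using the belief as the state estimate."""
    return b * (1 - b)

def update_on_alert(b, detect=0.9, false_alert=0.3):
    """Bayes update of P(compromised) when an IDS alert fires for the host (made-up rates)."""
    num = detect * b
    return num / (num + false_alert * (1 - b))

def update_on_verdict(b, positive, accuracy):
    """Bayes update given an analyst verdict that is correct with probability `accuracy`."""
    like_c = accuracy if positive else 1 - accuracy  # P(verdict | compromised)
    like_b = 1 - accuracy if positive else accuracy  # P(verdict | benign)
    num = like_c * b
    return num / (num + like_b * (1 - b))

def expected_entropy_after(b, accuracy):
    """Belief entropy expected after a noisy investigation of a host with belief b."""
    p_pos = accuracy * b + (1 - accuracy) * (1 - b)  # P(verdict says compromised)
    h_pos = binary_entropy(update_on_verdict(b, True, accuracy))
    h_neg = binary_entropy(update_on_verdict(b, False, accuracy))
    return p_pos * h_pos + (1 - p_pos) * h_neg

def choose_alert(beliefs, alerted, accuracy=0.8):
    """Alerted host whose investigation yields the largest expected drop in total entropy."""
    def gain(h):
        return binary_entropy(beliefs[h]) - expected_entropy_after(beliefs[h], accuracy)
    return max(alerted, key=gain) if alerted else None

def predict(b, p_compromise=0.02, p_remediate=0.1):
    """HMM transition: a benign host may get compromised, a compromised one may be cleaned."""
    return (1 - b) * p_compromise + b * (1 - p_remediate)

def triage_step(beliefs, alerted, verdict_for, accuracy=0.8):
    """One time step: fold in alerts, investigate the chosen host, advance the HMM."""
    post = {h: update_on_alert(b) if h in alerted else b for h, b in beliefs.items()}
    chosen = choose_alert(post, alerted, accuracy)
    if chosen is not None:
        post[chosen] = update_on_verdict(post[chosen], verdict_for(chosen), accuracy)
    return chosen, {h: predict(b) for h, b in post.items()}
```

With an analyst accuracy of 0.5 the expected entropy equals the current entropy, so the policy correctly assigns no value to investigations that cannot be trusted.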

DOI: 10.1109/CNS56114.2022.9947246
Citation Key: kim_active_2022