DualAC<sub>2</sub>NN: Revisiting and Alleviating Alert Fatigue from the Detection Perspective
The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, a considerable proportion of which are false positives. The overwhelming number of false positives consumes tremendous resources and delays responses to the genuinely severe incidents, a condition known as alert fatigue. To cope with alert fatigue, we focus on enhancing the capability of detectors so that fewer false alerts are generated in the first place, i.e. from the detection perspective. The core idea of our work is to train a machine-learning-based detector to capture the empirical intelligence of security analysts, estimate how feasible it is for an incoming HTTP request to cause substantial harm, and integrate that estimate into the detection stage to reduce false alarms. To this end, we introduce the concept of attack feasibility, which characterizes whether the composition of an inbound HTTP request is rational as a feasible attack under static scrutiny. First, we adopt a fast request-reorganization algorithm that transforms an HTTP request into an interface:payload pair, allowing the alignment of structural components that reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolutional neural network (DualAC<sub>2</sub>NN) that integrates the attack-feasibility estimate into the alert decision by jointly considering interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method reduces invalid alerts by around 86.37% compared with a rule-based commercial WAF and by over 61.64% compared with several state-of-the-art methods, while retaining a detection rate of 97.89% at a lower time overhead, indicating that our approach can effectively mitigate alert fatigue from the detection perspective.
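The abstract describes two ideas a detection engineer can try out directly: reorganising each request into interface:payload pairs, and raising an alert only when a malicious-looking payload is actually compatible with the entry point that will consume it. The Python below is an added illustration written for this page, not the authors' code or their neural model: the route-to-sink table, the payload regexes and the sample traffic are constructed assumptions that stand in for the learned interface sensitivity, payload maliciousness and compatibility scores, so the gating logic can be read end to end. It also counts how many of the sample requests a payload-only rule (the WAF-style baseline in the abstract) would alert on versus how many survive the feasibility gate.

```python
"""Interface:payload reorganisation plus an attack-feasibility gate.

Added illustration for this page, written in the spirit of the abstract; it is
NOT the paper's code. The route table, the payload signatures and the sample
traffic are constructed assumptions standing in for the learned model.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class Pair:
    interface: str  # "METHOD /path <param>": the entry point that will consume the value
    payload: str    # the client-controlled value delivered to that entry point


def reorganize(raw: str) -> list[Pair]:
    """Split one raw HTTP/1.x request into interface:payload pairs.

    Every query parameter, form field and cookie becomes its own pair, so a
    detector can judge each value against the code path that processes it
    instead of scoring the whole request as one blob.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    base = f"{method} {parts.path}"
    pairs = [Pair(f"{base} ?{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs += [Pair(f"{base} body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for cookie in filter(None, headers.get("cookie", "").split(";")):
        k, _, v = cookie.strip().partition("=")
        pairs.append(Pair(f"{base} cookie:{k}", v))
    return pairs or [Pair(base, "")]  # a bare request still names an interface


# Constructed route profile: which kinds of sink sit behind each path. The paper
# learns "interface sensitivity"; this toy looks it up. Static assets get an
# empty sink set; unprofiled routes are simply absent.
ROUTE_SINKS: dict[str, frozenset[str]] = {
    "/login": frozenset({"sql"}),
    "/search": frozenset({"sql", "html"}),  # queries a table and echoes the term
    "/comment": frozenset({"html"}),
    "/download": frozenset({"file"}),
}
STATIC_SUFFIXES = (".css", ".js", ".png", ".ico", ".woff2")

# Constructed payload signatures standing in for the learned "payload maliciousness".
PAYLOAD_SIGNATURES = {
    "sql": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+|\bunion\s+select\b", re.I),
    "html": re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I),
    "file": re.compile(r"\.\./|%2e%2e|/etc/passwd", re.I),
}


def route_sinks(interface: str) -> frozenset[str] | None:
    """Sinks reachable from an interface: empty set for static files, None if unprofiled."""
    path = interface.split(" ")[1]
    if path.endswith(STATIC_SUFFIXES):
        return frozenset()
    return ROUTE_SINKS.get(path)


def payload_classes(payload: str) -> frozenset[str]:
    """Attack families the payload's syntax resembles, ignoring where it is going."""
    return frozenset(k for k, rx in PAYLOAD_SIGNATURES.items() if rx.search(payload))


def feasible(pair: Pair) -> bool:
    """Attack-feasibility gate: malicious-looking AND compatible with the receiving sink.

    A SQL fragment sent to a stylesheet cannot reach a query, so it is infeasible
    and raises nothing; the same fragment sent to /login does. Unprofiled routes
    fail open so the gate never hides an alert on code it knows nothing about.
    """
    kinds = payload_classes(pair.payload)
    if not kinds:
        return False
    sinks = route_sinks(pair.interface)
    return True if sinks is None else bool(kinds & sinks)


def triage(requests: list[str]) -> tuple[int, int]:
    """Alerts from a payload-only rule (WAF style) vs. alerts surviving the feasibility gate."""
    naive = gated = 0
    for raw in requests:
        pairs = reorganize(raw)
        naive += any(payload_classes(p.payload) for p in pairs)
        gated += any(feasible(p) for p in pairs)
    return naive, gated


SAMPLE_REQUESTS = [  # constructed traffic, not the paper's dataset
    # SQL injection into the login form: feasible, alert in both views
    "POST /login HTTP/1.1\r\nHost: app.example\r\nCookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=admin'%20OR%20'1'%3D'1&pass=x",
    # the same string aimed at a stylesheet: no sink, infeasible, suppressed
    "GET /static/site.css?v=1'%20OR%20'1'%3D'1 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # reflected XSS into the search box, which echoes its term: feasible
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # traversal into a file-serving route: feasible
    "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # script tag into the file route: wrong sink, infeasible, suppressed
    "GET /download?file=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # benign search that keyword rules often trip over: no alert either way
    "GET /search?q=rock+and+roll HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # unprofiled route: the gate fails open and keeps the alert
    "GET /legacy/report?id=1%20UNION%20SELECT%20null HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

if __name__ == "__main__":
    print(triage(SAMPLE_REQUESTS))  # (6, 4): six payload-only alerts, four survive the gate
```

The two suppressed cases are exactly the kind the abstract targets: the payload is malicious on its own, but the interface it reaches has no compatible sink, so no analyst time is spent on it. Note the fail-open choice for unprofiled routes; a gate that fails closed would trade false positives for missed detections, which is the opposite of what the reported 97.89% detection rate implies the authors accepted.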
Main Authors: | Gang Yang, Chaojing Tang, Xingtong Liu |
---|---|
Affiliation: | College of Electronic Science and Technology, National University of Defense Technology, Changsha 410073, China |
Format: | Article |
Language: | English |
Published: | MDPI AG, 2022-10-01 |
Series: | Symmetry (ISSN 2073-8994), vol. 14, no. 10, article 2138 |
DOI: | 10.3390/sym14102138 |
Subjects: | alert fatigue; network security; intrusion detection; malicious HTTP request; machine learning |
Online Access: | https://www.mdpi.com/2073-8994/14/10/2138 |
author | Gang Yang; Chaojing Tang; Xingtong Liu |
---|---|
collection | DOAJ |
description | The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, a considerable proportion of which are false positives. The overwhelming number of false positives consumes tremendous resources and delays responses to the genuinely severe incidents, a condition known as alert fatigue. To cope with alert fatigue, we focus on enhancing the capability of detectors so that fewer false alerts are generated in the first place, i.e. from the detection perspective. The core idea of our work is to train a machine-learning-based detector to capture the empirical intelligence of security analysts, estimate how feasible it is for an incoming HTTP request to cause substantial harm, and integrate that estimate into the detection stage to reduce false alarms. To this end, we introduce the concept of attack feasibility, which characterizes whether the composition of an inbound HTTP request is rational as a feasible attack under static scrutiny. First, we adopt a fast request-reorganization algorithm that transforms an HTTP request into an interface:payload pair, allowing the alignment of structural components that reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolutional neural network (DualAC<sub>2</sub>NN) that integrates the attack-feasibility estimate into the alert decision by jointly considering interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method reduces invalid alerts by around 86.37% compared with a rule-based commercial WAF and by over 61.64% compared with several state-of-the-art methods, while retaining a detection rate of 97.89% at a lower time overhead, indicating that our approach can effectively mitigate alert fatigue from the detection perspective. |
format | Article |
id | doaj.art-facec535a9bd4464a8b3439d4984453e |
institution | Directory Open Access Journal |
issn | 2073-8994 |
language | English |
publishDate | 2022-10-01 |
publisher | MDPI AG |
series | Symmetry |
doi | 10.3390/sym14102138 |
affiliation | Gang Yang, Chaojing Tang, Xingtong Liu: College of Electronic Science and Technology, National University of Defense Technology, Changsha 410073, China |
title | DualAC<sub>2</sub>NN: Revisiting and Alleviating Alert Fatigue from the Detection Perspective |
topic | alert fatigue; network security; intrusion detection; malicious HTTP request; machine learning |
url | https://www.mdpi.com/2073-8994/14/10/2138 |