Mell, P.
and Harang, R.
(2014),
Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation, International Journal of Network Security & Its Applications, [online], https://doi.org/10.5121/ijnsa.2014.6503
(Accessed April 26, 2024)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation
Published
Author(s)
, Richard Harang
Abstract
Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpret-ability. However, a mean of 84,023 daily Snort alerts were reduced to a still formidable 14,099 meta-alerts. In this work, we address this limitation by investigating several approaches that all contribute towards reducing the burden on the analyst and providing timely analysis. We explore minimizing the number of both alerts and data fields by aggregating at Hamming distances greater than 1. We show how increasing bin sizes can improve aggregation rates. And we provide a new aggregation algorithm that operates up to an order of magnitude faster at Hamming distance 1. Lastly, we demonstrate the broad applicability of this approach through empirical analysis of Windows security alerts, Snort alerts, netflow records, and DNS logs.Citation
International Journal of Network Security & Its Applications
Volume
6
Issue
5
Pub Type
Journals
Download Paper
Keywords
alert aggregation, cognitive load, Hamming distance, hypergraphs, security logs
Citation
Created September 30, 2014, Updated November 10, 2018