Reducing the Cognitive Load on Analysts Through Hamming Distance Based Alert Aggregation

Published

Author(s)

Peter M. Mell, Richard Harang

Abstract

Previous work introduced the idea of grouping alerts at a Hamming distance of 1 to achieve alert aggregation; such aggregated meta-alerts were shown to increase alert interpretability. However, a mean of 84,023 daily Snort alerts was reduced to a still formidable 14,099 meta-alerts. In this work, we address this limitation by investigating several approaches that all contribute towards reducing the burden on the analyst and providing timely analysis. We explore minimizing the number of both alerts and data fields by aggregating at Hamming distances greater than 1. We show how increasing bin sizes can improve aggregation rates. And we provide a new aggregation algorithm that operates up to an order of magnitude faster at Hamming distance 1. Lastly, we demonstrate the broad applicability of this approach through empirical analysis of Windows security alerts, Snort alerts, netflow records, and DNS logs.
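To make the aggregation idea concrete, the following Python is an added illustration and not code from the paper or from NIST. It treats each alert as a tuple of categorical fields, links alerts whose Hamming distance (number of differing fields) is at most a chosen threshold, and summarises each connected group as one meta-alert in which fields with a single value stay fixed and fields that vary become a list of observed values. The pairwise union-find, the five-field alert layout, the meta-alert representation and the coarse port binning are all my assumptions for the example; the paper's faster distance-1 algorithm is not reproduced here. The sample alerts are constructed, not real Snort output.

```python
from collections import defaultdict
from itertools import combinations

# Assumed alert layout for the example; real Snort alerts carry more fields.
FIELDS = ("sig_id", "src_ip", "dst_ip", "dst_port", "proto")

# Constructed sample alerts (not real data): a multi-port probe from one host,
# one signature firing from three sources, and one unrelated DNS alert.
SAMPLE_ALERTS = [
    ("1:2001", "10.0.0.5", "192.168.1.10", "22", "tcp"),
    ("1:2001", "10.0.0.5", "192.168.1.10", "23", "tcp"),
    ("1:2001", "10.0.0.5", "192.168.1.10", "80", "tcp"),
    ("1:2001", "10.0.0.5", "192.168.1.11", "22", "tcp"),
    ("1:3002", "10.0.0.7", "192.168.1.10", "443", "tcp"),
    ("1:3002", "10.0.0.8", "192.168.1.10", "443", "tcp"),
    ("1:9999", "172.16.0.2", "192.168.1.50", "53", "udp"),
    ("1:3002", "10.0.0.9", "192.168.1.12", "443", "tcp"),
]


def hamming(a, b):
    """Hamming distance between two alerts: count of fields that differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def aggregate(alerts, max_distance=1):
    """Group alerts whose Hamming distance is <= max_distance into meta-alerts.

    Uses a plain pairwise comparison with union-find (O(n^2) in the number of
    alerts), which is fine for an illustration but not for 84,000 alerts/day.
    Returns one summary dict per group, plus a "count" of member alerts.
    """
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(alerts)), 2):
        if hamming(alerts[i], alerts[j]) <= max_distance:
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)

    meta_alerts = []
    for members in groups.values():
        summary = {}
        for k, name in enumerate(FIELDS):
            values = sorted({m[k] for m in members})
            # A field that is constant across the group stays fixed; a field
            # that varies becomes the list of observed values (a wildcard).
            summary[name] = values[0] if len(values) == 1 else values
        summary["count"] = len(members)
        meta_alerts.append(summary)
    # Largest groups first, so the analyst sees the bulk of the volume at once.
    meta_alerts.sort(key=lambda m: m["count"], reverse=True)
    return meta_alerts


def bin_ports(alerts):
    """Coarsen dst_port into two bins (well-known vs. registered/ephemeral).

    Larger bins make more alerts identical or near-identical, which is the
    "increasing bin sizes" effect described in the abstract; the two-bin
    split here is an assumption chosen for the example.
    """
    port_idx = FIELDS.index("dst_port")
    binned = []
    for alert in alerts:
        fields = list(alert)
        fields[port_idx] = "<1024" if int(alert[port_idx]) < 1024 else ">=1024"
        binned.append(tuple(fields))
    return binned


if __name__ == "__main__":
    for d in (0, 1, 2):
        metas = aggregate(SAMPLE_ALERTS, d)
        print(f"distance <= {d}: {len(SAMPLE_ALERTS)} alerts -> {len(metas)} meta-alerts")
        for m in metas:
            print("   ", m)
    print("binned ports, distance 0 ->", len(aggregate(bin_ports(SAMPLE_ALERTS), 0)))
```

Running the script shows the trade-off the abstract describes: raising the distance threshold from 1 to 2 merges more alerts, at the cost of meta-alerts whose varying fields carry less specific information, and binning ports collapses alerts that differ only in port into identical records even at distance 0.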
Citation

International Journal of Network Security & Its Applications, Volume 6, Issue 5

Keywords

alert aggregation, cognitive load, Hamming distance, hypergraphs, security logs
Created September 30, 2014, Updated November 10, 2018