Noise (unimportant) alerts are generally considered a major challenge in intrusion detection systems and sensors: they take analyst time to review, and they can cause disruption when systems are shut down to avoid the consequences of a suspected compromise. In real-world situations, however, many alerts are raised by automated tasks run by software or by routine tasks performed by users doing their daily job. This paper proposes an approach to reduce the number of noise alerts, assuming that frequent, long-term security alerts can be treated as noise if their frequency meets some criterion, such as a minimum occurrence ratio. We show that the level of noise alerts in Network Detection and Response (NDR) systems can be reduced effectively with simpler algorithms; sometimes the answer lies in simpler solutions rather than complex ones. We study data from a real customer of a Danish NDR solution and propose an Apriori-based approach to find frequent noisy alerts. A comparison of the detected noise before and after applying our solution shows high performance in reducing noise alerts for most alert types for a real customer. Our experiments show that our method can filter more than 40% of the alerts when the minimum occurrence ratio is set to 70%, and our results show that it filtered out more than 90% for some alert categories.