Exploratory Security Analytics for Anomaly Detection


The huge number of alerts generated by network-based defense systems prevents de- tailed manual inspections of security events. Existing proposals for automatic alerts analysis work well in relatively stable and homogeneous environments, but in modern networks, that are characterized by extremely complex and dynamic behaviors, understanding which approaches can be effective requires exploratory data analysis and descriptive modeling. We propose a novel framework for automatically investigating temporal trends and pat- terns of security alerts with the goal of understanding whether and which anomaly detection approaches can be adopted for identifying relevant security events. Several examples re- ferring to a real large network show that, despite the high intrinsic dynamism of the system, the proposed framework is able to extract relevant descriptive statistics that allow to de- termine the effectiveness of popular anomaly detection approaches on different alerts groups.

Elsevier Computers & Security Journal