TLDR: This research introduces a novel graph-based method to improve how Security Operations Centers (SOCs) analyze and prioritize security alerts. By grouping related alerts into “alert graphs” based on shared properties and time, and then using Graph Matching Networks (GMNs) to compare these groups with historical incidents, the system helps analysts quickly understand complex attack patterns and reduce alert fatigue. The approach shows strong performance for medium-sized attack scenarios, offering better contextualization than traditional methods.
Security Operations Centers (SOCs) face a monumental challenge: sifting through an overwhelming volume of security alerts daily. This deluge often leads to ‘alert fatigue,’ where analysts become desensitized and may miss genuine threats amidst a sea of false positives. Effectively understanding the context of these alerts is crucial for quickly distinguishing real dangers from benign activities and prioritizing what needs immediate attention.
A new research paper, titled “A Graph-Based Approach to Alert Contextualisation in Security Operations Centres,” proposes an innovative solution to this persistent problem. Authored by Magnus Wiik Eckhoff, Peter Marius Flydal, Siem Peters, Martin Eian, Jonas Halvorsen, Vasileios Mavroeidis, and Gudmund Grov, the paper introduces a graph-based method designed to enhance alert contextualization.
The core idea is to aggregate individual security alerts into ‘graph-based alert groups.’ Imagine each alert as a point (a node) in a network, and connections (edges) between these points represent relationships within specific timeframes. For instance, if multiple alerts involve the same IP address or username within a short period, they are linked. This approach allows analysts to view and analyze attack steps at a higher, more abstract level, which is often more effective than examining alerts in isolation.
The researchers highlight that while individual indicators of compromise (IoCs) like IP addresses are easily changed by attackers, behavioral patterns are much harder to alter. By connecting alerts in a structured graph, the system can capture these high-level behavioral patterns, making it easier to identify and track sophisticated threats.
To further empower analysts, the paper explores the use of Graph Matching Networks (GMNs). These advanced machine learning models are employed to correlate newly formed alert groups with a knowledge base of historical incidents. This means that if a new alert group matches a pattern seen in a past attack, analysts can immediately gain insights from how that previous incident was handled, including relevant cyber threat intelligence (CTI) or the attack phase it belongs to. This provides a powerful tool for rapid analysis and response.
The process of building these alert graphs involves several steps. Alerts, arriving chronologically, become nodes. Specific ‘timeline-defining properties’ such as IP addresses, hostnames, or usernames are extracted from these alerts. If consecutive alerts share these properties, an edge is created between them. These edges are not just simple links; they are directed, weighted by the time difference between alerts, and carry features indicating what property linked them. This effectively formalizes the ‘nested pivoting’ process that human analysts often use to investigate alerts.
Given that a ‘global alert graph’ containing all alerts would be too vast and noisy, the system then creates smaller, more manageable ‘graph-based alert groups.’ This is achieved by introducing a ‘delta cut-off time.’ Any edges between alerts that are chronologically too far apart are removed, isolating coherent subgraphs that represent single attack steps.
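The two steps described above, building the alert graph from timeline-defining properties and then applying the delta cut-off, as an added Python example that is not code from the paper or its authors: the alert records are constructed, the field names `src_ip`, `hostname` and `username` are assumed, and the 5-minute cut-off is an illustrative choice.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIMELINE_PROPERTIES = ("src_ip", "hostname", "username")  # assumed alert field names

def build_alert_graph(alerts):
    """Return {(earlier, later): {"delta": gap_seconds, "properties": [linking props]}}."""
    order = sorted(range(len(alerts)), key=lambda i: alerts[i]["ts"])
    graph = {}
    for prop in TIMELINE_PROPERTIES:
        last_seen = {}  # property value -> index of the latest alert carrying it
        for i in order:
            value = alerts[i].get(prop)
            if value is None:
                continue
            if value in last_seen:  # consecutive alerts on this property's timeline
                j = last_seen[value]
                gap = (alerts[i]["ts"] - alerts[j]["ts"]).total_seconds()
                graph.setdefault((j, i), {"delta": gap, "properties": []})["properties"].append(prop)
            last_seen[value] = i
    return graph

def group_alerts(n_alerts, graph, cutoff_seconds):
    """Drop edges whose gap exceeds the delta cut-off; return connected components."""
    parent = list(range(n_alerts))
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for (j, i), edge in graph.items():
        if edge["delta"] <= cutoff_seconds:
            parent[find(j)] = find(i)
    groups = defaultdict(list)
    for idx in range(n_alerts):
        groups[find(idx)].append(idx)
    return sorted(groups.values())  # each group is a sorted list of alert indices

T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_ALERTS = [  # constructed sample alerts, not taken from the AIT data set
    {"ts": T0, "src_ip": "10.0.0.5", "hostname": "web01"},
    {"ts": T0 + timedelta(seconds=20), "src_ip": "10.0.0.5", "hostname": "web01"},
    {"ts": T0 + timedelta(seconds=45), "hostname": "web01", "username": "www-data"},
    {"ts": T0 + timedelta(minutes=2), "hostname": "db01", "username": "www-data"},
    {"ts": T0 + timedelta(minutes=30), "src_ip": "10.0.0.5", "hostname": "web01"},
    {"ts": T0 + timedelta(minutes=30, seconds=10), "hostname": "web01", "username": "root"},
    {"ts": T0 + timedelta(hours=1), "src_ip": "192.168.1.9", "hostname": "mail01"},
]
# A 5-minute cut-off severs the 30-minute gap: [[0, 1, 2, 3], [4, 5], [6]]
GROUPS = group_alerts(len(SAMPLE_ALERTS), build_alert_graph(SAMPLE_ALERTS), cutoff_seconds=300)
```

Edge (0, 1) carries two linking properties (shared source IP and hostname), which is the edge-feature information the paper describes; raising the cut-off to an hour merges the two web01 groups back into one.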
The evaluation of this graph-based approach used the AIT Log Data Set V2.0, which contains over 2.6 million labeled alerts. The results were promising. In terms of ‘cluster purity’ (how well alerts in a group belong to the same attack step) and ‘silhouette score’ (how well groups are separated from each other), the graph-based method significantly outperformed a simpler, purely time-based alert aggregation technique. This indicates that the graph-based groups are purer, more recognizable, and better separated, making them ideal for machine learning applications.
When it came to matching alert groups using GMNs, the model successfully distinguished between related and unrelated attack groups for medium-sized incidents, such as ‘escalated_sudo_command’ and ‘attacker_change_user’ attacks. However, the researchers noted scalability challenges with very large graphs, like those generated by ‘wpscan’ attacks, due to the computational cost of GMNs.
Despite these challenges, the research demonstrates a significant step forward in addressing alert fatigue and improving threat detection in SOCs. By providing a formal method for constructing meaningful graph-based alert groups and showcasing the capability of Graph Matching Networks to correlate these groups with historical incidents, the paper lays the groundwork for more abstract, behavior-oriented analysis and automated contextualization of security alerts. For more in-depth technical details, you can refer to the full research paper available here.