December 2014 — December 2017
Today’s cyber-security analysts (CSAs) suffer from an over-abundance of false positives that continuously interrupt their normal operations, leading to several inefficiencies. First, CSAs distrust the accuracy of security alert mechanisms, so they assess threats manually, which is impossible to do well given the high rate of alerts. Second, because threat alert mechanisms produce so many false positives, CSAs are diverted by noise from real threats, which stay “hidden” within the plethora of false alerts. In our ASSERT project, we propose to develop the fundamental theory required to (i) build a database of alerts, their eventual classification as real vs. false positives, and the context in which those alerts were generated; (ii) develop the methods needed to build a human-understandable probabilistic rule model that distinguishes real alerts from false positives; (iii) develop a statistical predictive logic that performs well at predictive classification of alerts as real vs. false positives, even though it may be less understandable than the methods in (ii); and finally (iv) develop a hybrid logic that combines explainable, human-understandable alert explanation and action logic with the power of statistical methods, so as to get the best of both worlds. Our ASSERT project will propose different methods to implement these techniques and assess them on both synthetic and real-world data.