Hassan’s NoDoze Brings Triage to Security; PhD Student Presents Paper at NDSS Symposium
A large company or organization’s security team will see thousands of alerts in a week – the security firm FireEye puts the figure at 17,000, on average, far more than can easily or effectively be handled.
By using a system’s history to judge which activities are normal and which aren’t, Illinois Computer Science PhD student Wajih Ul Hassan has found a way to cut that load down to a manageable fraction. In a study conducted on a 200-computer enterprise network, Hassan cut the number of alerts that demanded attention by 84 percent.
“Intrusion detection systems fire a lot of alerts because they don’t know what the (real) attacks look like,” Hassan said. “This leads to a problem called threat alert fatigue where organizations or companies cannot act on all of these alerts because they don’t have enough staff or resources to do that.”
Hassan will present the results in a paper at the Network and Distributed System Security Symposium in San Diego, Calif., on Feb. 25. His co-authors include security scientist Shengjian Guo of Baidu X-Lab; Hassan’s advisor, Assistant Professor Adam Bates; and Ding Li, Zhengzhang Chen, Kangkook Jee, and Zhichun Li, all of NEC Laboratories America.
Hassan’s work was done in partnership with NEC Laboratories and funded in part by Bates’ 2018 NSF CAREER Award. Hassan’s research builds on Bates’ work with data provenance, which provides a detailed history of each system event in order to enhance security.
“Whenever an alert is fired in the system, we look into the history of the alert, of how that alert came into the system,” Hassan said. “By looking into this history we can see if this activity is common or suspicious. And if this is not common, or if it is suspicious, then we need to look into this alert. Otherwise, we can just ignore it.”
Hassan's creation, which he calls NoDoze, sits on top of an intrusion detection system and judges how unusual the many different types of events occurring in a system are, assigning them anomaly scores based on how frequently related events have happened before. NoDoze then decides whether these events are suspicious or not by using a novel diffusion algorithm.
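The scoring idea in that paragraph, as a simplified added illustration rather than NoDoze's own code or its diffusion algorithm: each provenance event is scored by how rarely that process has performed that action on that target before, and the scores along an alert's dependency path are combined with a noisy-OR so that a single never-seen step makes the whole alert stand out. The event history, the two alert paths and the 0.5 threshold are all constructed for the example.

```python
from collections import Counter

# Constructed history of (process, action, target) events from a quiet week.
# Illustrative data only, not the paper's dataset or its scoring formula.
HISTORY = Counter({
    ("bash", "exec", "/usr/bin/ls"): 5000,
    ("bash", "read", "/home/u/.bashrc"): 3000,
    ("firefox", "connect", "203.0.113.10:443"): 700,
    ("firefox", "write", "/home/u/Downloads/report.pdf"): 400,
    ("evince", "read", "/home/u/Downloads/report.pdf"): 300,
})

def event_rarity(event, history=HISTORY):
    """How unusual one event is, given how often this process performs this
    action at all: near 0.0 = routine target, 1.0 = never seen before."""
    proc, action, _ = event
    same_kind = sum(c for (p, a, _), c in history.items() if (p, a) == (proc, action))
    # +1 smoothing keeps a routine event strictly above 0.0 and an unseen one at 1.0
    return 1.0 - history[event] / (same_kind + 1)

def alert_score(path, history=HISTORY):
    """Aggregate rarity along a dependency path (the chain of provenance events
    behind one alert) with a noisy-OR, so one never-seen step dominates."""
    normal = 1.0
    for event in path:
        normal *= 1.0 - event_rarity(event, history)
    return 1.0 - normal

def triage(alerts, threshold=0.5, history=HISTORY):
    """Rank alerts by score; return (name, score, needs_attention), highest first."""
    scored = [(name, alert_score(path, history)) for name, path in alerts.items()]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(name, round(score, 3), score >= threshold) for name, score in scored]

# Two constructed alerts, each given as the provenance path leading to the flagged event.
ALERTS = {
    "pdf-opened": [
        ("firefox", "connect", "203.0.113.10:443"),
        ("firefox", "write", "/home/u/Downloads/report.pdf"),
        ("evince", "read", "/home/u/Downloads/report.pdf"),
    ],
    "tmp-script-run": [
        ("firefox", "connect", "203.0.113.10:443"),
        ("firefox", "write", "/tmp/update.sh"),   # never seen in HISTORY
        ("bash", "exec", "/tmp/update.sh"),       # never seen in HISTORY
    ],
}

if __name__ == "__main__":
    for name, score, urgent in triage(ALERTS):
        print(f"{name:15s} score={score:.3f} {'INVESTIGATE' if urgent else 'defer'}")
```

With this history the routine download-and-open chain scores about 0.007 and is deferred, while the chain that writes and executes a never-seen script in /tmp scores 1.0 and is ranked first.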
NoDoze, according to Bates, introduces the idea of triage to threat detection.
“Who needs urgent attention, what type of attention do they need, who can wait?” he said. “So basically, 84 percent of these alerts that are getting fired, they don’t need to be looked at.”
Running on the 200 machines at NEC Laboratories, NoDoze cut the workload created by the need for people to investigate and address threats by 90 hours a week, according to the paper.
NoDoze does require serious computational power, Hassan and Bates say, but greatly cuts down on the time involved for a person to look at each threat to decide which ones pose potential harm. That task is so demanding and requires so much time, Bates said, that in reality many threats aren’t checked out.
“They’re not investigated. And that’s how we end up with news of data breach after data breach – things slip through the cracks,” he said.