The assignment is no longer available

Machine learning for alert fusion, correlation or prioritization

The goal of intrusion detection systems (IDS) is to detect malicious behavior. Such systems generate alerts, which SOC analysts must triage and analyze. A well-known problem in SOC environments is an unmanageable number of false alerts, resulting in what is known as alarm fatigue among the analysts. The goal of this project is to apply machine learning techniques to alerts generated by existing IDS in order to reduce them to smaller and more abstract sets of "meta-alerts". Projects can take multiple directions, and multiple projects can be defined, e.g.:

  • Alert correlation: group alerts that belong to the same security event (e.g. by clustering).
  • Alert fusion and multi-stage detection: fuse alerts into meta-alerts in order to achieve multi-stage detection, where different alerts belong to different stages of the same attack. This could e.g. utilize concepts such as the cyber kill chain and the MITRE ATT&CK matrix.
  • Alert prioritization/triage: use ML in the initial stages of alert triage to prioritize the most important alerts.
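
To make the three directions concrete, here is an added example (not code from this project, from the student's thesis, or from FFI) that runs a non-ML baseline for all three steps over a handful of constructed Suricata/ET-style alerts: it correlates alerts into meta-alerts by source IP and time window, fuses them into kill-chain stages via an assumed signature-category mapping, and ranks the meta-alerts so multi-stage chains surface first. The alert tuples, the `STAGE_OF` mapping, the 600-second window and the scoring weights are all illustrative assumptions; a real project would replace the grouping and scoring with learned models and derive stages from ATT&CK technique tags.

```python
from dataclasses import dataclass, field

# Constructed sample alerts (not real IDS output). Tuple layout is an
# assumption: (timestamp in seconds, source IP, destination IP, signature).
SAMPLE_ALERTS = [
    (100,  "10.0.0.5", "10.0.1.20",    "ET SCAN Nmap SYN scan"),
    (105,  "10.0.0.5", "10.0.1.20",    "ET SCAN Nmap SYN scan"),
    (160,  "10.0.0.5", "10.0.1.20",    "ET WEB_SERVER SQL injection attempt"),
    (400,  "10.0.0.5", "10.0.1.20",    "ET MALWARE Reverse shell connection"),
    (420,  "10.0.0.5", "198.51.100.7", "ET TROJAN Beacon to known C2"),
    (3000, "10.0.0.9", "10.0.1.20",    "ET SCAN Nmap SYN scan"),
    (9000, "10.0.0.7", "10.0.1.30",    "ET POLICY SMB traffic"),
]

# Assumed mapping from the signature's category token (the word after "ET")
# to a kill-chain stage. Categories not listed here carry no stage.
STAGE_OF = {
    "SCAN": "reconnaissance",
    "WEB_SERVER": "exploitation",
    "MALWARE": "installation",
    "TROJAN": "command_and_control",
}
STAGE_ORDER = ["reconnaissance", "exploitation", "installation", "command_and_control"]


def stage_for(signature):
    """Map an ET-style signature to a kill-chain stage; unknown categories -> None."""
    parts = signature.split()
    category = parts[1] if len(parts) > 1 else ""
    return STAGE_OF.get(category)


@dataclass
class MetaAlert:
    src_ip: str
    start: int
    end: int
    alerts: list = field(default_factory=list)

    @property
    def stages(self):
        """Distinct kill-chain stages covered by this meta-alert, in chain order."""
        seen = {stage_for(sig) for _, _, _, sig in self.alerts}
        return [s for s in STAGE_ORDER if s in seen]

    @property
    def score(self):
        """Priority score: breadth of the chain dominates, depth breaks ties."""
        covered = self.stages
        depth = max((STAGE_ORDER.index(s) + 1 for s in covered), default=0)
        return 10 * len(covered) + depth


def correlate(alerts, window_s=600):
    """Alert correlation: group alerts by source IP, then start a new meta-alert
    whenever two consecutive alerts from that source are more than window_s apart."""
    metas = []
    for src in sorted({a[1] for a in alerts}):
        for alert in sorted((a for a in alerts if a[1] == src), key=lambda a: a[0]):
            ts = alert[0]
            if metas and metas[-1].src_ip == src and ts - metas[-1].end <= window_s:
                metas[-1].alerts.append(alert)
                metas[-1].end = ts
            else:
                metas.append(MetaAlert(src, ts, ts, [alert]))
    return metas


def prioritize(metas):
    """Alert triage: highest score first, earliest start as tie-breaker."""
    return sorted(metas, key=lambda m: (-m.score, m.start))


if __name__ == "__main__":
    ranked = prioritize(correlate(SAMPLE_ALERTS))
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(ranked)} meta-alerts")
    for m in ranked:
        print(f"{m.src_ip:10} score={m.score:3} stages={m.stages} n={len(m.alerts)}")
```

On the sample input the seven raw alerts collapse to three meta-alerts, and the one from 10.0.0.5 covers all four stages (scan, exploit, reverse shell, C2 beacon) and ranks first, while the lone SMB policy hit scores zero. The window-splitting rule is the kind of hand-written heuristic the project would aim to learn instead.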

Projects related to these topics will require datasets of alerts to train and test the machine learning models on. One could either use existing datasets or generate them through attack simulation using existing IDS.

It is possible to cooperate with the Norwegian Defence Research Establishment (FFI) on this project, which may require a Norwegian security clearance.

Published 20 Oct 2021 09:18 - Last modified 28 Jul 2023 14:11

Supervisor(s)

Student(s)

  • Tobias Syvertsen, MSc (completed June 2023)

Scope (ECTS credits)

60