Abstract
In the security operations center, false-positive alerts generated by security devices overwhelm operators, leading to alert fatigue and to real threats being missed. This paper introduces DeepDRAC, a disposition recommendation method for alert clusters based on security event patterns. Our main idea is to reconstruct isolated alerts into security events and capture their essential threat characteristics as patterns; by recommending dispositions at the pattern level, we enable interpretable batch disposal of alerts. First, DeepDRAC aggregates correlated alerts into a graph that represents a security event. Then it extracts the features of the security event from two angles: basic features via statistical methods, and detailed features via a carefully designed Graph Neural Network (GNN) that focuses on edge features. Because many false alerts triggered by the same root cause recur in a fixed pattern, DeepDRAC translates the basic features into interpretable descriptors that define the basic pattern, while the GNN embeddings supply complementary semantic detail and serve as the detailed pattern; together they form the pattern of the security event. Since the pattern captures the critical information of a security event, events with the same pattern are clustered for batch processing. Finally, given only a few manually labeled security events, DeepDRAC automatically recommends dispositions for newly arrived alerts, significantly reducing the workload of alert analysis. We evaluate our approach on two benchmark datasets (DARPA 1999 and CIC-IDS2017) and on a real-world dataset from a large power company. Extensive experimental results demonstrate that our approach alleviates alert fatigue more efficiently and accurately than two state-of-the-art approaches.
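As an added illustration, not code from the paper or its authors, the following Python sketch walks through the pipeline the abstract describes on a handful of constructed alerts: correlating alerts into security events (a graph of hosts joined by alert edges), deriving an interpretable basic pattern from statistics over that graph, a deterministic edge-type summary standing in for the learned GNN "detailed pattern" (it is not an embedding and not the paper's model), and propagating a few analyst dispositions to every event whose pattern matches. The sample alerts, the correlation window, the descriptor thresholds and the disposition labels are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Alert = (timestamp_seconds, src_ip, dst_ip, dst_port, signature). Constructed sample data.
Alert = Tuple[int, str, str, int, str]

SAMPLE_ALERTS: List[Alert] = [
    # Event A: authorized scanner touching many hosts on 443 (recurring false positive)
    (1000, "10.0.0.9", "10.0.1.10", 443, "TLS handshake anomaly"),
    (1005, "10.0.0.9", "10.0.1.11", 443, "TLS handshake anomaly"),
    (1010, "10.0.0.9", "10.0.1.12", 443, "TLS handshake anomaly"),
    (1015, "10.0.0.9", "10.0.1.13", 443, "TLS handshake anomaly"),
    # Event B: same scanner, next day, different targets but the same shape
    (87400, "10.0.0.9", "10.0.1.20", 443, "TLS handshake anomaly"),
    (87405, "10.0.0.9", "10.0.1.21", 443, "TLS handshake anomaly"),
    (87410, "10.0.0.9", "10.0.1.22", 443, "TLS handshake anomaly"),
    (87415, "10.0.0.9", "10.0.1.23", 443, "TLS handshake anomaly"),
    # Event C: workstation hits a server on SMB, server then beacons out (needs an analyst)
    (5000, "10.0.2.7", "10.0.1.50", 445, "SMB exploit attempt"),
    (5030, "10.0.1.50", "203.0.113.8", 8443, "Outbound beacon"),
    # Event D: a single alert whose pattern has never been labeled
    (9000, "10.0.3.3", "10.0.1.60", 22, "SSH brute force"),
]


def build_events(alerts: List[Alert], window: int = 600) -> List[List[Alert]]:
    """Correlate alerts into security events: two alerts join the same event when they
    share a host and fall within `window` seconds of each other (transitively, via union-find).
    Each returned event is a list of alerts, i.e. the edge list of a small host graph."""
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, a in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            b = alerts[j]
            if {a[1], a[2]} & {b[1], b[2]} and abs(a[0] - b[0]) <= window:
                parent[find(i)] = find(j)
    groups: Dict[int, List[Alert]] = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a)
    events = [sorted(g) for g in groups.values()]
    return sorted(events, key=lambda e: e[0][0])  # deterministic order by first timestamp


def port_class(port: int) -> str:
    return "well_known" if port < 1024 else "high"


def basic_pattern(event: List[Alert]) -> Tuple[str, ...]:
    """Interpretable descriptors (assumed thresholds) standing in for the statistical basic pattern:
    graph topology, time span, dominant signature and destination-port class."""
    fan_out: Dict[str, set] = defaultdict(set)
    sources, dests = set(), set()
    for _, src, dst, _, _ in event:
        fan_out[src].add(dst)
        sources.add(src)
        dests.add(dst)
    if max(len(v) for v in fan_out.values()) >= 3:
        topology = "fan_out"          # one source, many targets: scan-like
    elif sources & dests:
        topology = "chain"            # a host is both target and source: lateral-movement-like
    else:
        topology = "pairwise"
    span = event[-1][0] - event[0][0]
    duration = "burst" if span < 60 else "short" if span < 3600 else "long"
    dominant = Counter(a[4] for a in event).most_common(1)[0][0]
    ports = {port_class(a[3]) for a in event}
    port_desc = ports.pop() if len(ports) == 1 else "mixed"
    return (topology, duration, dominant, port_desc)


def detailed_pattern(event: List[Alert]) -> Tuple[Tuple[str, str], ...]:
    """Order-independent summary of edge types, a stand-in for the GNN's edge-focused
    embedding: which (signature, port class) pairs the event graph contains."""
    return tuple(sorted({(a[4], port_class(a[3])) for a in event}))


def pattern(event: List[Alert]) -> tuple:
    return basic_pattern(event) + detailed_pattern(event)


def recommend(events: List[List[Alert]], labeled: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Propagate the few analyst dispositions to every unlabeled event with an identical
    pattern; events with no labeled match get None and stay in the analyst queue."""
    known = {pattern(events[i]): disposition for i, disposition in labeled.items()}
    return {i: known.get(pattern(e)) for i, e in enumerate(events) if i not in labeled}


if __name__ == "__main__":
    evs = build_events(SAMPLE_ALERTS)
    for i, e in enumerate(evs):
        print(i, len(e), "alerts", basic_pattern(e))
    # Analyst labels two events; the scanner's second run is auto-dispositioned, D is not.
    print(recommend(evs, {0: "auto_close_false_positive", 1: "escalate"}))
```

Events are indexed by first timestamp, so the scanner's first run is event 0, the SMB-then-beacon chain is event 1, the lone SSH alert is event 2 and the scanner's second run is event 3; labeling events 0 and 1 yields a recommendation for event 3 and leaves event 2 for an analyst, which is the intended failure mode for an unseen pattern.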
| Original language | English |
|---|---|
| Pages (from-to) | 6443-6458 |
| Number of pages | 16 |
| Journal | IEEE Transactions on Information Forensics and Security |
| Volume | 20 |
| DOIs | |
| State | Published - 2025 |
Keywords
- False positive alerts
- alert fatigue
- graph neural networks
- pattern recognition
- semi-supervised learning
Title
DeepDRAC: Disposition Recommendation for Alert Clusters Based on Security Event Patterns