AlertBERT: A noise-robust alert grouping framework for simultaneous cyber attacks
Lukas Karner, Max Landauer, Markus Wurzenberger, Florian Skopik

TL;DR
AlertBERT is a noise-robust, self-supervised framework that improves alert grouping accuracy in cybersecurity by effectively handling false positives and concurrent attacks, using masked-language models and density-based clustering.
Contribution
We introduce AlertBERT, a novel self-supervised alert grouping framework that outperforms traditional methods in noisy, large-scale network environments with concurrent attacks.
Findings
AlertBERT achieves higher grouping accuracy than time-based methods.
The framework effectively handles false positives and concurrent attack alerts.
Our data augmentation method enables flexible noise level simulation.
Abstract
Automated detection of cyber attacks is a critical capability to counteract the growing volume and sophistication of cyber attacks. However, the high number of security alerts issued by intrusion detection systems leads to alert fatigue among analysts working in security operations centres (SOCs), which in turn causes slow reaction times and incorrect decision making. Alert grouping, which refers to clustering security alerts according to their underlying causes, can significantly reduce the number of distinct items analysts have to consider. Unfortunately, conventional time-based alert grouping solutions are unsuitable for large-scale computer networks characterised by high levels of false positive alerts and simultaneously occurring attacks. To address these limitations, we propose AlertBERT, a self-supervised framework designed to group alerts from isolated or concurrent attacks in…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Digital and Cyber Forensics
