Reducing False Alarms in Cyber Attack Detection by Using Support Vector Data Description

Published: 05 Aug 2019, Last Modified: 16 Aug 2024. OpenReview Archive Direct Upload. License: CC BY 4.0
Abstract: The continual rise in cyber attacks against enterprises indicates that traditional signature-based approaches for attack detection are insufficient. It is important to develop effective signature-less data-mining approaches for detecting attacks in enterprise networks. We apply Support Vector Data Description (SVDD), a single-class classification technique, for attack detection. On an enterprise network data set, we show that a single SVDD model can lead to a large number of false alarms when the training data set contains multiple disjoint clusters. To address this issue, we propose a novel attack detection approach that combines clustering with SVDD. We demonstrate the problem and the effectiveness of our approach in reducing false alarms on a toy data set. Further, we present an extensive evaluation of our approach on a real-world enterprise network data set. Our approach includes an efficient way of tuning the SVDD model hyperparameter and uses a fast training algorithm. This makes our method practically usable in enterprise settings that demand fast processing speed and automation.
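The effect the abstract describes, as an added example that is not code from the paper or its authors: it fits a hard-margin RBF SVDD (the minimum enclosing ball of the mapped training points, solved here with the Badoiu-Clarkson / Frank-Wolfe iteration on the dual weights) once over two disjoint clusters of constructed normal data, then again after a k-means split with one SVDD per cluster, and compares the false-alarm rates of the two designs on held-out normal points. The bandwidth heuristic (a multiple of the median nearest-neighbour distance), k-means with k = 2, the rule of scoring a test point with the SVDD of its nearest cluster centre, and the hard margin (no slack) are all assumptions of this example, not the paper's tuning or training procedure; the training data, the held-out normal data and the two "attack" points are constructed.

```python
"""Added example (not code from the paper): one hard-margin RBF SVDD over two
disjoint clusters of normal data versus k-means clustering + one SVDD per
cluster, compared by false-alarm rate on held-out normal points."""
import math
import random
import statistics

def rbf(a, b, sigma):
    """Gaussian kernel; K(x, x) = 1, so every point lies on the unit sphere in feature space."""
    return math.exp(-sum((p - q) ** 2 for p, q in zip(a, b)) / (2 * sigma * sigma))

def pick_sigma(points, scale=3.0):
    """Bandwidth heuristic (assumption, not the paper's tuning): scale x median
    nearest-neighbour distance of the points the model is trained on."""
    nn = [min(math.dist(a, b) for j, b in enumerate(points) if j != i)
          for i, a in enumerate(points)]
    return scale * statistics.median(nn)

def train_svdd(points, sigma, iters=400):
    """Hard-margin kernel SVDD = minimum enclosing ball of phi(x_1..x_n), solved
    with the Badoiu-Clarkson (Frank-Wolfe) iteration; centre c = sum_i alpha_i phi(x_i)."""
    n = len(points)
    K = [[rbf(a, b, sigma) for b in points] for a in points]
    alpha = [1.0] + [0.0] * (n - 1)   # start with the centre at phi(x_0)
    k_alpha = list(K[0])               # (K alpha)_i = <phi(x_i), c>
    cc = 1.0                           # alpha^T K alpha = ||c||^2
    for t in range(1, iters + 1):
        # squared feature-space distance of every training point to the current centre
        dist = [1.0 - 2.0 * k_alpha[i] + cc for i in range(n)]
        j = max(range(n), key=dist.__getitem__)   # farthest point
        g = 1.0 / (t + 1)                         # move the centre 1/(t+1) of the way towards it
        cc = (1 - g) ** 2 * cc + 2 * g * (1 - g) * k_alpha[j] + g * g   # K[j][j] == 1
        k_alpha = [(1 - g) * k_alpha[i] + g * K[i][j] for i in range(n)]
        alpha = [(1 - g) * a for a in alpha]
        alpha[j] += g
    r2 = max(1.0 - 2.0 * k_alpha[i] + cc for i in range(n))   # radius enclosing all training data
    sv = [(points[i], alpha[i]) for i in range(n) if alpha[i] > 0.0]
    return {"sv": sv, "cc": cc, "r2": r2, "sigma": sigma}

def is_alarm(model, x, tol=1e-9):
    """Alarm when x falls outside the ball: ||phi(x) - c||^2 > R^2."""
    d = 1.0 - 2.0 * sum(a * rbf(p, x, model["sigma"]) for p, a in model["sv"]) + model["cc"]
    return d > model["r2"] + tol

def kmeans(points, k=2, rounds=50):
    """Plain k-means with deterministic farthest-first seeding (assumed clustering step)."""
    mean = tuple(sum(c) / len(points) for c in zip(*points))
    centres = [max(points, key=lambda p: math.dist(p, mean))]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(math.dist(p, c) for c in centres)))
    labels = None
    for _ in range(rounds):
        new = [min(range(k), key=lambda c: math.dist(p, centres[c])) for p in points]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centres[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return centres, labels

def train_clustered(points, k=2):
    """Cluster first, then fit one SVDD with its own bandwidth per cluster."""
    centres, labels = kmeans(points, k)
    groups = ([p for p, l in zip(points, labels) if l == c] for c in range(k))
    return {"centres": centres, "models": [train_svdd(m, pick_sigma(m)) for m in groups]}

def clustered_alarm(cm, x):
    """Score x with the SVDD of its nearest cluster centre (assumed routing rule)."""
    c = min(range(len(cm["centres"])), key=lambda i: math.dist(x, cm["centres"][i]))
    return is_alarm(cm["models"][c], x)

def make_toy(seed=7):
    """Constructed data: a tight normal cluster (120 train / 60 test points) and a
    diffuse one (60 / 60), plus two 'attack' points that belong to neither."""
    rng = random.Random(seed)
    def cloud(cx, cy, s, n):
        return [(rng.gauss(cx, s), rng.gauss(cy, s)) for _ in range(n)]
    train = cloud(0, 0, 0.1, 120) + cloud(10, 10, 1.0, 60)
    test_normal = cloud(0, 0, 0.1, 60) + cloud(10, 10, 1.0, 60)
    return train, test_normal, [(4.0, 5.0), (14.0, 6.0)]

def false_alarm_rates(seed=7):
    """Return (FAR of single SVDD, FAR of clustered SVDD, attacks caught by single, by clustered)."""
    train, test_normal, attacks = make_toy(seed)
    single = train_svdd(train, pick_sigma(train))
    clustered = train_clustered(train)
    far_single = sum(is_alarm(single, x) for x in test_normal) / len(test_normal)
    far_clustered = sum(clustered_alarm(clustered, x) for x in test_normal) / len(test_normal)
    caught_single = all(is_alarm(single, x) for x in attacks)
    caught_clustered = all(clustered_alarm(clustered, x) for x in attacks)
    return far_single, far_clustered, caught_single, caught_clustered

if __name__ == "__main__":
    fs, fc, cs, cc = false_alarm_rates()
    print(f"false-alarm rate: single SVDD {fs:.2f}, clustered SVDD {fc:.2f}; "
          f"attacks caught: single {cs}, clustered {cc}")
```

The mechanism behind the numbers is the one the abstract points at: with one model, the single bandwidth chosen for the whole training set is dominated by the denser cluster, so in feature space the points of the sparser cluster are nearly orthogonal to everything else and a held-out point from that cluster looks like a novelty unless it almost coincides with a training point. Clustering first lets each SVDD use a bandwidth matched to its own cluster's scale, which removes most of those false alarms while points far from both clusters are still flagged by whichever cluster model they are routed to.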