Computer science
Normalization (sociology)
Computer security
Cyberspace
False positive paradox
Network security
Artificial intelligence
Internet
World Wide Web
Anthropology
Sociology
Authors
Songxuan Wei,Y. G. Xie,Angxiao Zhao,Jing Xiao,Cui Luo,Zhaoquan Gu
Identifier
DOI:10.1109/dsc59305.2023.00011
Abstract
With the rapid development of network technologies, cyberspace security is facing increasingly complex threats. To detect and respond to the rapidly growing number of network attacks, many security devices are widely adopted. However, a single security device often detects network attacks based on a single algorithm or some pre-defined features, resulting in a large number of false positives and false negatives in the security alerts it generates. Hence, many heterogeneous security devices are normally deployed together, and fusing the alerts from these devices is an effective way to improve the quality of security alerts. Because the formats, and even the contents, of the reported alerts differ considerably, fusing these alerts in practice has become a severe problem. To address this problem, we propose an alert normalization framework in this paper for multi-source heterogeneous devices, which can automatically convert the different alert types reported by heterogeneous devices into a unified attack classification system, making it possible to jointly analyze these alerts. Our framework extracts keywords describing each attack type by calculating the TF-IDF value, and then uses the normalized TF-IDF value as a weight to predict which attack type an alert belongs to. Experiments on 67,957 security alerts obtained from 15 security devices show that our method has good performance and is well interpretable. In addition, it can predict unseen alerts with a high accuracy of 0.65.
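As an added illustration (not code from the paper), the following Python sketch follows the recipe the abstract describes: each unified attack class is treated as one document, TF-IDF is computed per keyword, the values are normalized into per-class weights, and an incoming alert is scored by summing the weights of its terms. The device names, alert texts and class labels are constructed; an alert that shares no keyword with any class is reported as unknown rather than forced into a class.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample alerts: (device, raw alert text, unified attack class); all names are made up.
TRAIN = [
    ("ids-a", "Detected SQL injection attempt in HTTP request parameter", "sql_injection"),
    ("waf-b", "SQLi UNION SELECT payload found within query string", "sql_injection"),
    ("ids-a", "Detected TCP SYN port scan from external host", "port_scan"),
    ("fw-c", "Possible nmap port sweep across multiple ports", "port_scan"),
    ("ids-a", "Detected SSH brute force login attempts exceeded threshold", "brute_force"),
    ("auth-d", "Repeated failed login password guessing", "brute_force"),
]

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def build_weights(train):
    """One 'document' per attack class (its alert texts joined); TF-IDF per term, then each
    class's weights normalized to sum to 1. A term present in every class gets idf 0."""
    docs = defaultdict(list)
    for _, text, label in train:
        docs[label].extend(tokenize(text))
    df = Counter()
    for toks in docs.values():
        df.update(set(toks))
    weights = {}
    for label, toks in docs.items():
        tf = Counter(toks)
        raw = {t: (c / len(toks)) * math.log(len(docs) / df[t]) for t, c in tf.items()}
        total = sum(raw.values())
        weights[label] = {t: v / total for t, v in raw.items() if v > 0} if total else {}
    return weights

def top_keywords(weights, label, k=3):
    """Highest-weighted terms of a class: the keywords that make a prediction explainable."""
    return [t for t, _ in sorted(weights[label].items(), key=lambda kv: -kv[1])[:k]]

def predict(weights, alert_text):
    """Sum the class weights of the alert's distinct terms; return (class, score) or unknown."""
    toks = set(tokenize(alert_text))
    scores = {label: sum(w.get(t, 0.0) for t in toks) for label, w in weights.items()}
    label, score = max(scores.items(), key=lambda kv: kv[1])
    return (label, round(score, 4)) if score > 0 else ("unknown", 0.0)

if __name__ == "__main__":
    w = build_weights(TRAIN)
    for unseen in ["Blocked SQLi in POST body", "nmap scan against host", "Detected something"]:
        print(unseen, "->", predict(w, unseen), top_keywords(w, predict(w, unseen)[0]) if predict(w, unseen)[0] in w else [])
```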