Cross-Vendor Knowledge Transfer for Managed Security Services with Triplet Network

Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security (2019)

Abstract
Managed security services detect incidents, i.e., successful attacks such as malware infections, in real time from a large number of alerts generated by vendors' and the security operations center's (SOC's) detection rules. To find incidents quickly, professional analysts in a SOC prioritize alerts whose indicators, i.e., the meta-information of the detection rules behind the alerts, are highly correlated with incidents. Indicators are typically divided into two priority levels, primary and secondary. However, the level of a new indicator is difficult to determine accurately with a conventional system, which marks an indicator as primary only if the conditional probability of an incident occurring given an observation of that indicator's alert is high; a new indicator whose alerts have not yet been recognized as incidents therefore has no such evidence. We propose a system that accurately determines the levels of new indicators by focusing on alerts not recognized as incidents. The system analyzes the correlation between indicators made by different vendors and then transfers knowledge of incidents between vendors with a triplet network. We evaluate the effectiveness of the proposed system using 4,919,791 alerts collected from a large-scale SOC over one month. Our system identified 24.3% more primary indicators that were undiscovered at the time of data collection than a system without correlation analysis, at a 5% false positive rate.
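The abstract contrasts the conventional criterion (rank an indicator by P(incident | alert carrying that indicator)) with cross-vendor transfer, where a new indicator that has produced no confirmed incidents yet inherits evidence from correlated indicators of another vendor. The example below is an added illustration, not code from the paper: it computes the conventional conditional probability over a constructed alert log, measures how often indicators from two vendors co-fire on the same host within a short window, and uses that co-firing as a stand-in for the transfer step. The paper performs the transfer with a triplet network; the plain Jaccard co-occurrence score, the five-minute window, the 0.5 threshold and the vendor/indicator names are all assumptions made for the example.

```python
"""Indicator prioritisation: conventional P(incident | indicator) versus a
cross-vendor transfer score. Added example; constructed data, not the paper's."""
from collections import defaultdict
from itertools import combinations

# Constructed alerts: (host, minute, vendor, indicator, incident_confirmed).
# Vendor A's "emotet_c2" rule is already known to correlate with incidents.
# Vendor B's "new_sig_42" is a new rule: it fires on the same hosts, a minute
# later, but none of its own alerts has been confirmed as an incident yet.
ALERTS = [
    ("h1", 0, "A", "A:emotet_c2", True),
    ("h1", 1, "B", "B:new_sig_42", False),
    ("h2", 10, "A", "A:emotet_c2", True),
    ("h2", 11, "B", "B:new_sig_42", False),
    ("h3", 20, "A", "A:emotet_c2", False),
    ("h3", 21, "B", "B:new_sig_42", False),
    ("h4", 30, "A", "A:port_scan", False),
    ("h4", 31, "B", "B:noisy_rule", False),
    ("h5", 40, "A", "A:port_scan", False),
    ("h6", 50, "B", "B:noisy_rule", False),
    ("h7", 60, "A", "A:emotet_c2", True),
]


def incident_probability(alerts):
    """Conventional criterion: P(incident | an alert carrying the indicator)."""
    seen, hits = defaultdict(int), defaultdict(int)
    for _, _, _, ind, incident in alerts:
        seen[ind] += 1
        hits[ind] += int(incident)
    return {ind: hits[ind] / seen[ind] for ind in seen}


def conventional_levels(alerts, threshold=0.5):
    """Primary if the conditional probability clears the (assumed) threshold."""
    return {ind: "primary" if p >= threshold else "secondary"
            for ind, p in incident_probability(alerts).items()}


def cross_vendor_correlation(alerts, window=5):
    """Jaccard-style co-firing score between indicators of different vendors:
    hosts where both fire within `window` minutes, over hosts where either fires.
    Returned dict is symmetric: corr[(a, b)] == corr[(b, a)]."""
    fires = defaultdict(set)  # indicator -> {(host, minute)}
    for host, minute, _, ind, _ in alerts:
        fires[ind].add((host, minute))
    vendor = lambda ind: ind.split(":", 1)[0]
    corr = {}
    for a, b in combinations(sorted(fires), 2):
        if vendor(a) == vendor(b):
            continue  # only cross-vendor pairs carry transferable knowledge
        hosts_a = {h for h, _ in fires[a]}
        hosts_b = {h for h, _ in fires[b]}
        co = {h for h, ta in fires[a] for hb, tb in fires[b]
              if h == hb and abs(ta - tb) <= window}
        union = hosts_a | hosts_b
        corr[(a, b)] = corr[(b, a)] = len(co) / len(union) if union else 0.0
    return corr


def transferred_levels(alerts, threshold=0.5, window=5):
    """For indicators with no confirmed incidents of their own, borrow evidence
    from correlated indicators of the other vendor (assumed stand-in for the
    paper's triplet-network transfer): score = max over partners of
    correlation * P(incident | partner)."""
    prob = incident_probability(alerts)
    corr = cross_vendor_correlation(alerts, window)
    levels = {}
    for ind, p in prob.items():
        if p > 0:
            levels[ind] = "primary" if p >= threshold else "secondary"
            continue
        transferred = max((c * prob[other] for (a, other), c in corr.items()
                           if a == ind), default=0.0)
        levels[ind] = "primary" if transferred >= threshold else "secondary"
    return levels


if __name__ == "__main__":
    print("conventional:", conventional_levels(ALERTS))
    print("with transfer:", transferred_levels(ALERTS))
```

With the constructed log, the conventional criterion leaves B:new_sig_42 at secondary because none of its three alerts is a confirmed incident, while the transfer step promotes it to primary because it co-fires with A:emotet_c2 on every host where the latter appears. B:noisy_rule, which only co-fires with the low-value A:port_scan, stays secondary. The caveat a practitioner would want: co-firing inherits false positives as well as true ones, so a promoted indicator still needs analyst confirmation before its level is fixed.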
Keywords
alert analysis, deep neural network, metric learning, security information and event management