In collaboration with IBM
H Grushka-Cohen, O Sofer, O Biller, B Shapira, L Rokach
Proceedings of the 25th ACM International on Conference on Information and Knowledge Management
Security systems for databases produce numerous alerts aboutanomalous activities and policy rule violations. Prioritizing thesealerts will help security personnel focus their efforts on the mosturgent alerts. Currently, this is done manually by security expertsthat rank the alerts or define static risk scoring rules. Existingsolutions are expensive, consume valuable expert time, and do notdynamically adapt to changes in policy.Adopting a learning approach for ranking alerts is complex due tothe efforts required by security experts to initially train such amodel. The more features used, the more accurate the model islikely to be, but this will require the collection of a greater amountof user feedback and prolong the calibration process. In this paper,we propose CyberRank, a novel algorithm for automatic preferenceelicitation that is effective for situations with limited experts’ timeand outperforms other algorithms for initial training of the system.We generate synthetic examples and annotate them using a modelproduced by Analytic Hierarchical Processing (AHP) to bootstrapa preference learning algorithm. We evaluate different approacheswith a new dataset of expert ranked pairs of database transactions,in terms of their risk to the organization. We evaluated usingmanual risk assessments of transaction pairs, CyberRank outperforms all other methods for cold start scenario with error reduction of 20%.