Prioritizing Antivirus Alerts on Internal Enterprise Machines

Shay Sakazi, Yuval Elovici, Asaf Shabtai

International Conference on Detection of Intrusions and Malware, and …, 2022

Security analysts in large enterprises must handle hundreds or even thousands of alerts raised by antivirus (AV) solutions each day. Thus, a mechanism for analyzing, correlating, and prioritizing these alerts (events) is essential. In this paper, we present an unsupervised machine learning-based method for prioritizing AV alerts. The proposed method converts time windows that include sensitive (important) events into a vector of features and utilizes a set of autoencoder (AE) models, each of which is trained to rank a specific type of sensitive event; it then aggregates their results to identify abnormal and potentially critical machines (i.e., machines that require further examination). We evaluate our proposed method using real McAfee ePO datasets collected from a large organization over a four-month period. Security analysts manually inspected the machines for which an alert was raised by the proposed method, and on …
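The pipeline the abstract describes (sensitive event -> feature vector over its time window -> one model per sensitive event type -> per-machine aggregation) as an added, self-contained illustration; this is not the paper's code or data. The event names, timestamps and machines are constructed, and the per-type autoencoder is replaced by a simple mean/stdev profile whose squared z-score stands in for the reconstruction error, so only the windowing and aggregation logic is faithful to the paper's design.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample of AV events: (minute, machine, event_type). The event
# names are illustrative, not McAfee ePO's own; "sensitive" types get ranked.
EVENT_TYPES = ["malware_detected", "quarantine", "access_protection", "scan_failed"]
SENSITIVE = {"malware_detected"}
WINDOW = 30  # minutes of history folded into each feature vector

EVENTS = [
    (10, "m1", "quarantine"), (12, "m1", "malware_detected"),
    (40, "m2", "quarantine"), (45, "m2", "malware_detected"),
    (70, "m3", "quarantine"), (71, "m3", "quarantine"), (75, "m3", "malware_detected"),
    (90, "m4", "access_protection"), (92, "m4", "access_protection"),
    (95, "m4", "scan_failed"), (97, "m4", "scan_failed"), (99, "m4", "malware_detected"),
]

def feature_windows(events, sensitive=SENSITIVE, window=WINDOW):
    """One vector per sensitive event: per-type counts on that machine in the window ending at it."""
    out = []
    for t, machine, etype in events:
        if etype not in sensitive:
            continue
        hist = Counter(e for ts, m, e in events if m == machine and t - window <= ts <= t)
        out.append((etype, machine, [hist[e] for e in EVENT_TYPES]))
    return out

def fit_profile(vectors):
    """Stand-in for the per-type autoencoder: a mean/stdev profile of the
    windows seen for this event type (stdev 0 is clamped to 1)."""
    cols = list(zip(*vectors))
    return [(mean(c), pstdev(c) or 1.0) for c in cols]

def reconstruction_error(profile, vec):
    """Squared z-score distance from the profile, playing the AE reconstruction error."""
    return sum(((x - mu) / sd) ** 2 for x, (mu, sd) in zip(vec, profile))

def rank_machines(events):
    """Fit one profile per sensitive type, score each window, keep the worst score per machine."""
    wins = feature_windows(events)
    by_type = defaultdict(list)
    for etype, _, vec in wins:
        by_type[etype].append(vec)
    profiles = {e: fit_profile(v) for e, v in by_type.items()}
    worst = defaultdict(float)
    for etype, machine, vec in wins:
        err = reconstruction_error(profiles[etype], vec)
        worst[machine] = max(worst[machine], err)
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)
```

With the constructed sample, m4 (whose detection was preceded by access-protection and scan-failure events no other machine shows) ranks first, which is the kind of machine the paper hands to an analyst for further examination.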