In the cyber security operations of a typical organization, data from multiple sources are monitored, and when certain conditions in the data are met, an alert is generated in a Security Information and Event Management (SIEM) system. Analysts inspect these alerts to decide whether any deserve promotion to an event requiring further scrutiny. This triage process is manual, time-consuming, and detracts from the in-depth investigation of events. Alert-triage uses supervised machine learning to automatically prioritize these alerts. In particular, it utilizes active learning to make efficient use of the pool of unlabeled alerts, thereby improving the performance of our ranking models over passive learning.
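The pool-based active-learning loop described above, as an added illustration that is not the authors' system: a small logistic-regression ranker is trained on a few labelled alerts, repeatedly asks an analyst (here a constructed oracle) to label the alert it is least sure about, and finally ranks the rest of the pool. The alert features, labels and helper names are constructed for the demo.

```python
import math

# Constructed alerts: (severity 0-1, prior hits on host 0-1, bad-reputation source 0/1)
POOL = {
    "a1": (0.9, 0.8, 1), "a2": (0.1, 0.1, 0), "a3": (0.5, 0.5, 0),
    "a4": (0.8, 0.2, 1), "a5": (0.3, 0.9, 0), "a6": (0.2, 0.3, 1),
    "a7": (0.7, 0.6, 0), "a8": (0.1, 0.2, 0),
}
# Constructed ground truth: 1 = analyst would escalate the alert to an event.
TRUTH = {"a1": 1, "a2": 0, "a3": 1, "a4": 1, "a5": 0, "a6": 0, "a7": 1, "a8": 0}

def predict(model, x):
    """Probability that alert x should be escalated, under (weights, bias)."""
    w, b = model
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    return 1.0 / (1.0 + math.exp(-z))

def train(samples, epochs=500, lr=0.5):
    """Fit logistic regression by plain stochastic gradient descent."""
    w, b = [0.0, 0.0, 0.0], 0.0
    for _ in range(epochs):
        for x, y in samples:
            err = predict((w, b), x) - y
            for i in range(3):
                w[i] -= lr * err * x[i]
            b -= lr * err
    return w, b

def most_uncertain(model, pool):
    """Uncertainty sampling: the unlabelled alert scored closest to 0.5."""
    return min(pool, key=lambda k: abs(predict(model, pool[k]) - 0.5))

def active_triage(seed_ids, budget):
    """Spend `budget` analyst labels on the most informative alerts, then
    rank the remaining unlabelled pool from most to least likely event."""
    labelled = {k: TRUTH[k] for k in seed_ids}
    pool = {k: v for k, v in POOL.items() if k not in labelled}
    queried = []
    for _ in range(budget):
        model = train([(POOL[k], y) for k, y in labelled.items()])
        pick = most_uncertain(model, pool)
        labelled[pick] = TRUTH[pick]          # oracle stands in for the analyst
        queried.append(pick)
        pool.pop(pick)
    model = train([(POOL[k], y) for k, y in labelled.items()])
    ranking = sorted(pool, key=lambda k: predict(model, pool[k]), reverse=True)
    return queried, ranking
```

Swapping `most_uncertain` for a random choice from the pool gives the passive-learning baseline the text compares against.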