Cyber security attacks are becoming ever more frequent and sophisticated. Enterprises often deploy several security protection mechanisms, such as anti-virus software, intrusion detection/prevention systems, and firewalls, to protect their critical assets against emerging threats. Unfortunately, these protection systems are typically 'noisy', e.g., regularly generating thousands of alerts every day. Plagued by false positives and irrelevant events, it is often neither practical nor cost-effective to analyze and respond to every single alert. The main challenges faced by enterprises are to extract important information from the plethora of alerts and to infer potential risks to their critical assets. A better understanding of risks will facilitate effective resource allocation and prioritization of further investigation. In this paper, we present MUSE, a system that analyzes a large number of alerts and derives risk scores by correlating diverse entities in an enterprise network. Instead of considering risk as an isolated and static property pertaining only to individual users or devices, MUSE exploits a novel mutual reinforcement principle and models the dynamics of risk based on the interdependent relationships among multiple entities. We apply MUSE to real-world network traces and alerts from a large enterprise network consisting of more than 10,000 nodes and 100,000 edges. To scale up to such large graphical models, we formulate the algorithm using a distributed memory abstraction model that allows efficient in-memory parallel computations on large clusters. We implement MUSE on Apache Spark and demonstrate its efficacy in risk assessment and its flexibility in incorporating a wide variety of datasets.
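The abstract describes the mutual reinforcement idea only in prose: an entity's risk is not a fixed property of that entity but depends on the risk of the users, devices and alerts it is connected to, and vice versa. The following is an added example, not MUSE's own algorithm or code from the paper. It is a single-machine stand-in for the idea: a small user/device graph (constructed sample data), per-entity alert counts used as seed evidence, and a personalized-PageRank-style iteration in which each entity's risk is a mix of its own alert evidence and the risk its neighbours pass to it. The graph, alert counts, the damping factor of 0.85, the equal-share propagation rule and the convergence tolerance are all assumptions for illustration; the paper does not state its update rule, and a production version would express the same iteration as Spark transformations over an edge list rather than Python dictionaries.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): login edges between users
# and devices, and how many alerts each entity has triggered.
EDGES = [
    ("alice", "laptop-1"),
    ("alice", "server-db"),
    ("bob", "laptop-2"),
    ("bob", "server-db"),
    ("carol", "laptop-3"),
    ("dave", "laptop-3"),
    ("dave", "server-db"),
]
ALERTS = {
    "laptop-2": 8,    # noisy AV/IDS alerts on the laptop bob uses
    "server-db": 2,
    "alice": 1,
    # carol, dave, laptop-1, laptop-3 and bob have no alerts of their own
}


def mutual_reinforcement_risk(edges, alerts, damping=0.85, tol=1e-9, max_iter=1000):
    """Iterate risk scores over an undirected entity graph until they converge.

    risk[n] = (1 - damping) * seed[n] + damping * sum(risk[m] / deg(m) for m in N(n))

    seed[n] is the entity's normalised alert count (its own evidence); the
    second term is the risk its neighbours share with it, each neighbour
    splitting its risk equally over its edges.  'damping' (assumed 0.85) is
    how much an entity's risk is driven by its neighbours rather than by its
    own alerts.  Returns (scores, iterations_used).
    """
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    # Entities that only appear in alerts (no edges) are kept as isolated nodes.
    nodes = sorted(set(adj) | set(alerts))

    total = float(sum(alerts.get(n, 0) for n in nodes))
    if total > 0:
        seed = {n: alerts.get(n, 0) / total for n in nodes}
    else:
        seed = {n: 1.0 / len(nodes) for n in nodes}   # no evidence: uniform prior

    risk = dict(seed)
    for it in range(1, max_iter + 1):
        new = {}
        for n in nodes:
            shared = sum(risk[m] / len(adj[m]) for m in adj[n])
            new[n] = (1.0 - damping) * seed[n] + damping * shared
        norm = sum(new.values())
        new = {n: v / norm for n, v in new.items()}   # keep scores on a fixed scale
        delta = max(abs(new[n] - risk[n]) for n in nodes)
        risk = new
        if delta < tol:
            return risk, it
    return risk, max_iter


def rank_entities(edges, alerts, **kwargs):
    """Entities ordered from highest to lowest risk, as (name, score) pairs."""
    risk, _ = mutual_reinforcement_risk(edges, alerts, **kwargs)
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_entities(EDGES, ALERTS):
        print(f"{name:10s} {score:.4f}  (own alerts: {ALERTS.get(name, 0)})")
```

Two things in the output are the point of the abstract's argument. bob has no alerts of his own yet ends up at the top, because the most-alerted device and the shared database server both feed risk into him; and carol, who has no alerts and touches no alerted device directly, still receives a non-zero score through dave and laptop-3. Sorting entities by raw alert count would show neither. When the scores feed an analyst queue, the damping factor and the seed weighting are the knobs that decide how far risk is allowed to travel, and they should be set (and justified) per environment rather than copied from this example.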