Related papers: AlertBERT: A noise-robust alert grouping framework for simultaneous cyber attacks

AlertBERT: A noise-robust alert grouping framework for simultaneous cyber attacks

URL: http://arxiv.org/abs/2602.06534v1
Date: Fri, 06 Feb 2026 09:39:47 GMT
Title: AlertBERT: A noise-robust alert grouping framework for simultaneous cyber attacks
Authors: Lukas Karner, Max Landauer, Markus Wurzenberger, Florian Skopik,
Abstract summary: High numbers of security alerts issued by intrusion detection systems lead to alert fatigue among analysts.<n>Time-based alert grouping solutions are unsuitable for large scale computer networks characterised by high levels of false positive alerts and simultaneously occurring attacks.<n>We propose AlertBERT, a self-language framework designed to group alerts from isolated or concurrent attacks in noisy environments.
Score: 3.0540687763044123
License: http://creativecommons.org/licenses/by-nc-sa/4.0/
Abstract: Automated detection of cyber attacks is a critical capability to counteract the growing volume and sophistication of cyber attacks. However, the high numbers of security alerts issued by intrusion detection systems lead to alert fatigue among analysts working in security operations centres (SOC), which in turn causes slow reaction time and incorrect decision making. Alert grouping, which refers to clustering of security alerts according to their underlying causes, can significantly reduce the number of distinct items analysts have to consider. Unfortunately, conventional time-based alert grouping solutions are unsuitable for large scale computer networks characterised by high levels of false positive alerts and simultaneously occurring attacks. To address these limitations, we propose AlertBERT, a self-supervised framework designed to group alerts from isolated or concurrent attacks in noisy environments. Thereby, our open-source implementation of AlertBERT leverages masked-language-models and density-based clustering to support both real-time or forensic operation. To evaluate our framework, we further introduce a novel data augmentation method that enables flexible control over noise levels and simulates concurrent attack occurrences. Based on the data sets generated through this method, we demonstrate that AlertBERT consistently outperforms conventional time-based grouping techniques, achieving superior accuracy in identifying correct alert groups.

Related papers

SAFE-QAQ: End-to-End Slow-Thinking Audio-Text Fraud Detection via Reinforcement Learning [52.29460857893198]
Existing fraud detection methods rely on transcribed text, suffering from ASR errors and missing crucial acoustic cues like vocal tone and environmental context.<n>We propose SAFE-QAQ, an end-to-end comprehensive framework for audio-based slow-thinking fraud detection.<n>Our framework introduces a dynamic risk assessment framework during live calls, enabling early detection and prevention of fraud.
arXiv Detail & Related papers (2026-01-04T06:09:07Z)
SecInfer: Preventing Prompt Injection via Inference-time Scaling [54.21558811232143]
We propose emphSecInfer, a novel defense against prompt injection attacks built on emphinference-time scaling<n>We show that SecInfer effectively mitigates both existing and adaptive prompt injection attacks, outperforming state-of-the-art defenses as well as existing inference-time scaling approaches.
arXiv Detail & Related papers (2025-09-29T16:00:41Z)
A Graph-Based Approach to Alert Contextualisation in Security Operations Centres [0.058633603884542605]
This paper proposes a graph-based approach to enhance alert contextualisation in a SOC by aggregating alerts into graph-based alert groups.<n>By grouping related alerts, we enable analysis at a higher abstraction level, capturing attack steps more effectively than individual alerts.<n>To show that our format is well suited for downstream machine learning methods, we employ Graph Matching Networks (GMNs) to correlate incoming alert groups with historical incidents.
arXiv Detail & Related papers (2025-09-16T10:20:39Z)
Automated Alert Classification and Triage (AACT): An Intelligent System for the Prioritisation of Cybersecurity Alerts [0.0]
AACT learns from analysts' triage actions on cybersecurity alerts.<n>It accurately predicts triage decisions in real time.<n>This reduces the SOC queue allowing analysts to focus on the most severe, relevant or ambiguous threats.
arXiv Detail & Related papers (2025-05-14T23:02:32Z)
CANTXSec: A Deterministic Intrusion Detection and Prevention System for CAN Bus Monitoring ECU Activations [53.036288487863786]
We propose CANTXSec, the first deterministic Intrusion Detection and Prevention system based on physical ECU activations.<n>It detects and prevents classical attacks in the CAN bus, while detecting advanced attacks that have been less investigated in the literature.<n>We prove the effectiveness of our solution on a physical testbed, where we achieve 100% detection accuracy in both classes of attacks while preventing 100% of FIAs.
arXiv Detail & Related papers (2025-05-14T13:37:07Z)
Forecasting Attacker Actions using Alert-driven Attack Graphs [1.3812010983144802]
This paper builds an action forecasting capability on top of the alert-driven AG framework for predicting the next likely attacker action. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts circumvent ongoing attacks and break the cyber killchain.
arXiv Detail & Related papers (2024-08-19T11:04:47Z)
Carbon Filter: Real-time Alert Triage Using Large Scale Clustering and Fast Search [6.830322979559498]
"Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today. We present Carbon Filter, a statistical learning based system that dramatically reduces the number of alerts analysts need to manually review.
arXiv Detail & Related papers (2024-05-07T22:06:24Z)
FreqFed: A Frequency Analysis-Based Approach for Mitigating Poisoning Attacks in Federated Learning [98.43475653490219]
Federated learning (FL) is susceptible to poisoning attacks. FreqFed is a novel aggregation mechanism that transforms the model updates into the frequency domain. We demonstrate that FreqFed can mitigate poisoning attacks effectively with a negligible impact on the utility of the aggregated model.
arXiv Detail & Related papers (2023-12-07T16:56:24Z)
The Adversarial Implications of Variable-Time Inference [47.44631666803983]
We present an approach that exploits a novel side channel in which the adversary simply measures the execution time of the algorithm used to post-process the predictions of the ML model under attack. We investigate leakage from the non-maximum suppression (NMS) algorithm, which plays a crucial role in the operation of object detectors. We demonstrate attacks against the YOLOv3 detector, leveraging the timing leakage to successfully evade object detection using adversarial examples, and perform dataset inference.
arXiv Detail & Related papers (2023-09-05T11:53:17Z)
That Escalated Quickly: An ML Framework for Alert Prioritization [2.5845893156827158]
We present That Escalated Quickly (TEQ), a machine learning framework that reduces alert fatigue with minimal changes to SOC. On real-world data, the system is able to reduce the time it takes to respond to actionable incidents by $22.9%$, suppress $54%$ of false positives with a $95.1%$ detection rate, and reduce the number of alerts an analyst needs to investigate within singular incidents by $14%$.
arXiv Detail & Related papers (2023-02-13T19:20:52Z)
Bayesian Optimization with Machine Learning Algorithms Towards Anomaly Detection [66.05992706105224]
In this paper, an effective anomaly detection framework is proposed utilizing Bayesian Optimization technique. The performance of the considered algorithms is evaluated using the ISCX 2012 dataset. Experimental results show the effectiveness of the proposed framework in term of accuracy rate, precision, low-false alarm rate, and recall.
arXiv Detail & Related papers (2020-08-05T19:29:35Z)

This list is automatically generated from the titles and abstracts of the papers in this site.