"Alert fatigue" is one of the biggest challenges faced by the Security Operations Center (SOC) today, with analysts spending more than half of their time reviewing false alerts. Endpoint detection products raise alerts by pattern matching event telemetry against behavioral rules that describe potentially malicious behavior, but they can suffer from high false-positive rates that distract from actual attacks. While alert triage techniques based on data provenance may show promise, they can take over a minute to inspect a single alert, whereas EDR customers may face tens of millions of alerts per day; the current reality is that these approaches are nowhere near scalable enough for production environments. We present Carbon Filter, a statistical-learning-based system that dramatically reduces the number of alerts analysts must manually review. Our approach is based on the observation that false alert triggers can be efficiently identified and separated from suspicious behaviors by examining the process initiation context (e.g., the command line) that launched the responsible process. Through the use of fast-search algorithms for training and inference, our approach scales to millions of alerts per day. By batching queries to the model, we observe a theoretical maximum throughput of 20 million alerts per hour. Based on the analysis of tens of millions of alerts from customer deployments, our solution yields a 6-fold improvement in the signal-to-noise ratio without compromising alert triage performance.
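The command-line-context idea from the abstract, as an added illustration that is not the paper's Carbon Filter implementation: previously triaged launches judged benign are indexed as token sets, an inverted index stands in for the fast-search component, and a batch of new alerts is scored by nearest-neighbour similarity so near-duplicates of known benign triggers are suppressed while everything else goes to an analyst. The command lines, verdicts and the 0.8 threshold are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample (not from the paper): command lines of the processes that
# fired an EDR rule, with the verdict an analyst gave on an earlier triage pass.
TRIAGED = [
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", "benign"),
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS", "benign"),
    (r'"C:\Program Files\Backup\agent.exe" --sync --job 4412', "benign"),
    (r'"C:\Program Files\Backup\agent.exe" --sync --job 9031', "benign"),
    (r"powershell.exe -nop -w hidden -enc <base64-blob>", "malicious"),
]

def tokens(cmdline):
    """Lower-case, collapse digit runs (job ids, PIDs, ports) to '#', and split
    on whitespace/quotes, so run-to-run variation does not defeat matching."""
    norm = re.sub(r"\d+", "#", cmdline.lower())
    return set(re.findall(r"[^\s\"']+", norm))

class BenignTriggerIndex:
    """Token-set index of launches analysts already judged benign; the inverted
    index (token -> doc ids) means a query scores only docs sharing a token."""
    def __init__(self, threshold=0.8):
        self.threshold = threshold        # min Jaccard to count as known-benign
        self.docs = []                    # token set per benign trigger
        self.postings = defaultdict(set)  # token -> ids of docs containing it

    def fit(self, triaged):
        for cmd, verdict in triaged:
            if verdict != "benign":       # only benign launches are indexed
                continue
            toks = tokens(cmd)
            self.docs.append(toks)
            for t in toks:
                self.postings[t].add(len(self.docs) - 1)

    def nearest(self, cmd):
        """Best Jaccard similarity between cmd and any indexed benign trigger."""
        toks = tokens(cmd)
        shared = defaultdict(int)
        for t in toks:
            for d in self.postings.get(t, ()):
                shared[d] += 1
        return max((n / (len(toks) + len(self.docs[d]) - n)
                    for d, n in shared.items()), default=0.0)

    def triage(self, cmdlines):
        """Batch query: 'suppress' near-duplicates of a benign trigger, else 'review'."""
        return [(c, "suppress" if self.nearest(c) >= self.threshold else "review")
                for c in cmdlines]
```

An unseen service name or a command line sharing no tokens with any benign launch scores below the threshold and is routed to review rather than silently dropped.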