On the Use of AutoML for Combating Alert Fatigue in Security Operations Centers

An overwhelming number of alerts - especially false ones - can desensitize analysts in security operations centers (SOC), possibly resulting in missed critical incidents and attacks going unnoticed. With inadequate alert monitoring, improper thresholds, and missing feedback loops as lead causes of alert fatigue, we investigate the use of automated machine learning to increase the efficiency of a SOC through automation of false alerts filtering. More specifically, we design a methodology to allow a safer use of AutoML to reduce false alerts, and validate this on a real-world case study. To be more precise, our approach is tailored to address datasets that exhibit limited instances of true positives, possess high dimensionality relative to their size, and demonstrate temporal fluctuations. We have identified diverse setups that provide comparable and reliably effective results in minimizing false positive alerts, all the while avoiding instances of false negatives. Furthermore, we provide valuable insights into the application of these automated frameworks within the realm of security.