An enterprise today deploys multiple security middleboxes such as firewalls,
IDS, IPS, etc. in its network to collect different kinds of events related to
threats and attacks. These events are streamed into a SIEM (Security
Information and Event Management) system for analysts to investigate and
respond quickly with appropriate actions. However, the number of events
collected for a single enterprise can easily run into hundreds of thousands per
day, much more than what analysts can investigate under a given budget
constraint (time). In this work, we look into the problem of prioritizing
suspicious events or anomalies to analysts for further investigation. We
develop SIERRA, a system that processes event logs from multiple and diverse
middleboxes to detect and rank anomalous activities. SIERRA takes an
unsupervised approach and therefore has no dependence on ground truth data.
Different from other works, SIERRA defines contexts, that help it to provide
visual explanations of highly-ranked anomalous points to analysts, despite
employing unsupervised models. We evaluate SIERRA using months of logs from
multiple security middleboxes of an enterprise network. The evaluations
demonstrate the capability of SIERRA to detect top anomalies in a network while
outperforming naive application of existing anomaly detection algorithms as
well as a state-of-the-art SIEM-based anomaly detection solution.
