Details
ISBN:
(print) 9781665482257
In recent years, user behavior anomaly detection has been gaining attention in cybersecurity. A crucial challenge discussed in the literature is that supervised models, which need vast amounts of data for training, do not apply to real scenarios for anomaly detection. Within this context, the requirement to gather datasets with labeled behavior anomalies has proven to be a significant limiting factor for evaluating different models. This paper presents WEAPON, an unsupervised learning-based architecture for user behavior anomaly detection that requires only a small amount of data to build behavior profiles that account for the individuality of each user. WEAPON implements a weak supervision-based behavior anomaly labeling approach using Snorkel. When compared to other approaches, WEAPON proved to be more efficient, surpassing the ROC curve of the second-best model by 4.31%. Furthermore, WEAPON outperforms rule-based methods by finding anomalies that an expert would not anticipate.
Details
ISBN:
(print) 9781538624500
User anomaly detection, an important aspect of User Behaviour Analysis, is used to find anomalous user events in event and network traffic log data. Traditional security mechanisms are not able to detect new or unknown types of anomalies because they do not incorporate the contextual and behavioural aspects of the data into their analysis. User Behaviour Anomaly Detection (UBAD) employs user behavioural patterns in context, thereby achieving a higher detection rate. Log data employed for UBAD has multiple dimensions. As the number of dimensions (attributes) increases, the data becomes sparse and the detection of anomalies becomes increasingly complex. For this reason, the single-dimensional algorithms proposed for anomaly detection based on clustering, proximity and dimensionality reduction do not work well on higher-dimensional data. OLAP-based data analysis techniques provide efficient data slicing and aggregation operations that are crucial for multidimensional analytics, along with multiscale visualisation for exploratory discovery. In this paper, an effective multidimensional process for UBAD is developed to detect anomalies using multidimensional statistical tests. An integral part of the process is the development of an OLAP cube data model for event log data. The statistical efficiency of the UBAD process for different dimensions is investigated. On real-life event log data, it is shown that the statistical efficiency of detection improves with the increased dimensionality of the tests: both the true negative rate and the true positive rate show marked improvement. It is deduced that the computationally more expensive higher-dimensional tests need to be employed in order to achieve better anomaly detection.