TY - GEN
T1 - Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users
AU - Yuan, Lun Pin
AU - Choo, Euijin
AU - Yu, Ting
AU - Khalil, Issa
AU - Zhu, Sencun
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021/6
Y1 - 2021/6
N2 - Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.
AB - Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.
UR - http://www.scopus.com/inward/record.url?scp=85114158361&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85114158361&partnerID=8YFLogxK
U2 - 10.1109/DSN48987.2021.00038
DO - 10.1109/DSN48987.2021.00038
M3 - Conference contribution
AN - SCOPUS:85114158361
T3 - Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
SP - 250
EP - 262
BT - Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
Y2 - 21 June 2021 through 24 June 2021
ER -
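The busy-day effect and the long-term, group-relative signal described in the abstract, as an added illustration that is not the paper's code or data. It stands in for the autoencoder ensemble with plain per-user z-scores and constructs synthetic daily event counts, so the user names, history length, window length, threshold, the 2x busy day and the +15% attacker lift are all assumptions. The single-day, individual-user baseline scores every user as anomalous on the organisation-wide busy day; the compound score divides each day by the group median (removing the surge) and averages over the window (accumulating a small but persistent deviation), then emits an ordered investigation list.

```python
"""Constructed illustration of single-day vs. time-window, group-relative anomaly
scoring.  Not the ACOBE code or data: z-scores replace the paper's autoencoders,
and every constant below is an assumption made for the example."""
import math
import random
import statistics
from typing import Dict, List, Tuple

random.seed(7)

USERS = [f"user{i:02d}" for i in range(20)]   # hypothetical user population
TRAIN_DAYS = 60                                # history used to learn habitual behaviour
WINDOW = 10                                    # days scored together as one compound behaviour
BUSY_DAY = TRAIN_DAYS + 4                      # whole organisation is ~2x as active this day
ATTACKER = "user13"                            # constructed: low-signal (+15%) but persistent
THRESHOLD = 3.0                                # |z| above which a user is flagged


def make_logs() -> Dict[str, List[float]]:
    """Daily event counts per user for TRAIN_DAYS + WINDOW days (constructed)."""
    logs: Dict[str, List[float]] = {}
    for u in USERS:
        base = random.uniform(120, 160)
        logs[u] = [random.gauss(base, 10) for _ in range(TRAIN_DAYS + WINDOW)]
    for u in USERS:                                   # busy day hits everyone
        logs[u][BUSY_DAY] *= 2.0
    for d in range(TRAIN_DAYS, TRAIN_DAYS + WINDOW):  # attacker: +15% on every window day
        logs[ATTACKER][d] *= 1.15
    return logs


def _stats(values: List[float]) -> Tuple[float, float]:
    mu = statistics.fmean(values)
    sigma = max(statistics.pstdev(values), 1e-9)      # guard against constant users
    return mu, sigma


def single_day_scores(logs: Dict[str, List[float]], day: int) -> Dict[str, float]:
    """Baseline: one user's count on `day` against that user's own history only."""
    scores = {}
    for u, counts in logs.items():
        mu, sigma = _stats(counts[:TRAIN_DAYS])
        scores[u] = (counts[day] - mu) / sigma
    return scores


def compound_scores(logs: Dict[str, List[float]]) -> Dict[str, float]:
    """Group-relative, time-window score: each day's count is divided by the group
    median for that day (an organisation-wide surge cancels out), and the mean of
    those ratios over the whole window is compared with the user's history (a small
    deviation that persists for WINDOW days becomes visible)."""
    n_days = TRAIN_DAYS + WINDOW
    group_median = [statistics.median(logs[u][d] for u in USERS) for d in range(n_days)]
    scores = {}
    for u, counts in logs.items():
        ratios = [counts[d] / group_median[d] for d in range(n_days)]
        mu, sigma = _stats(ratios[:TRAIN_DAYS])
        window_mean = statistics.fmean(ratios[TRAIN_DAYS:])
        scores[u] = (window_mean - mu) / (sigma / math.sqrt(WINDOW))
    return scores


def flagged(scores: Dict[str, float]) -> List[str]:
    """Users whose score exceeds the threshold, in name order."""
    return sorted(u for u, z in scores.items() if abs(z) > THRESHOLD)


def investigation_list(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    """Ordered list for analysts: highest anomaly score first."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


LOGS = make_logs()

if __name__ == "__main__":
    busy = single_day_scores(LOGS, BUSY_DAY)
    print(f"single-day model flags {len(flagged(busy))}/{len(USERS)} users on the busy day")
    ranked = investigation_list(compound_scores(LOGS))
    print("compound model flags:", flagged(dict(ranked)))
    for u, z in ranked[:3]:
        print(f"  {u}: z={z:.1f}")
```

The design choice worth noting is that the group normalisation and the window aggregation do different jobs: the former is what stops the busy day from filling the investigation list with normal users, the latter is what makes a +15% lift that is invisible on any single day stand out once it has persisted for the whole window.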