Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users

Lun Pin Yuan, Euijin Choo, Ting Yu, Issa Khalil, Sencun Zhu

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

4 Scopus citations

Abstract

Autoencoder-based anomaly detection methods have been used to identify anomalous users in large-scale enterprise logs, under the assumption that adversarial activity does not follow a user's past habitual patterns. Most existing approaches build models that reconstruct single-day, individual-user behavior. Without long-term signals and group-correlation signals, however, such models cannot identify low-signal but long-lasting threats, and they wrongly report many normal users as anomalies on busy days, which in turn leads to a high false-positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes long-term patterns and group behaviors into account. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders, and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.
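The two failure modes named in the abstract (busy-day false positives and missed low-signal, long-lasting threats) can be reproduced on a toy log. The example below is added here for illustration and is not ACOBE's code, behavior representation, or model: ACOBE uses a novel representation with an ensemble of deep autoencoders, whereas this script stands in a deliberately simple group-relative residual summed over a time window, so the effect of the two ingredients (group correlation and long-term window) is visible without a deep-learning stack. The user names, daily activity counts, the busy-day bump, the +3/day excess for "mallory", and the thresholds 5 and 6 are all constructed and arbitrary.

```python
"""Added illustration (not ACOBE's code): single-day per-user scoring vs. a
group-relative score summed over a time window, on a constructed activity log."""
from statistics import median

# Constructed sample: one integer activity count (e.g. files accessed) per user
# per day.  Days 0-4 are history used for each user's baseline; days 5-10 are
# scored.  Day 8 is a "busy day" where every user gets +12 (e.g. a release).
# "mallory" adds a small, steady +3 from day 5 on: low signal, long lasting.
DAYS = 11
HISTORY_DAYS = 5
BUSY_DAY, BUSY_EXTRA = 8, 12
NOISE = [0, 1, -1, 2, -2, 1, 0, -1, 1, -1, 0]           # zero-median jitter
BASE = {"alice": 20, "bob": 30, "carol": 25, "dave": 22, "mallory": 24}
SHIFT = {"alice": 0, "bob": 2, "carol": 4, "dave": 6, "mallory": 8}  # rotate jitter per user


def build_logs():
    """Return {user: [count per day]} for the constructed scenario."""
    logs = {}
    for user, base in BASE.items():
        series = []
        for d in range(DAYS):
            count = base + NOISE[(d + SHIFT[user]) % DAYS]
            if d == BUSY_DAY:
                count += BUSY_EXTRA                      # everyone is busier
            if user == "mallory" and d >= HISTORY_DAYS:
                count += 3                               # slow, steady excess
            series.append(count)
        logs[user] = series
    return logs


def deviations(logs):
    """Each day's deviation from the user's own habit (median of the history days)."""
    return {u: [x - median(s[:HISTORY_DAYS]) for x in s] for u, s in logs.items()}


def single_day_scores(logs, day):
    """Baseline detector: today's deviation from the user's own past, nothing else."""
    dev = deviations(logs)
    return {u: dev[u][day] for u in logs}


def group_window_scores(logs, day, window=5):
    """Remove the day's group-wide shift (median deviation across users), then
    sum the remaining per-user residual over the last `window` days."""
    dev = deviations(logs)
    users = list(logs)
    daily_med = [median(dev[u][d] for u in users) for d in range(DAYS)]
    scores = {}
    for u in users:
        residual = [dev[u][d] - daily_med[d] for d in range(DAYS)]
        lo = max(0, day - window + 1)
        scores[u] = sum(residual[lo:day + 1])
    return scores


def flagged(scores, threshold):
    """Users whose score exceeds the threshold, sorted by name."""
    return sorted(u for u, s in scores.items() if s > threshold)


def investigation_list(scores):
    """Ordered list for an analyst: highest score first."""
    return sorted(scores, key=lambda u: scores[u], reverse=True)


if __name__ == "__main__":
    logs = build_logs()
    for day in (BUSY_DAY, DAYS - 1):
        print(f"day {day}: single-day flags {flagged(single_day_scores(logs, day), 5)}, "
              f"group+window flags {flagged(group_window_scores(logs, day), 6)}")
    print("investigate:", investigation_list(group_window_scores(logs, DAYS - 1)))
```

On the busy day the single-day score flags all five users, because each user's count is far from their own habit; on the last day it flags nobody, because mallory's +3 is buried in day-to-day jitter. Subtracting the group's median deviation cancels the busy-day bump, and summing the residual over the window accumulates mallory's small excess until it stands out, so only mallory is flagged on both days and tops the investigation list. In a real deployment the baseline would come from a rolling history rather than the first five days, and the window length and thresholds would be tuned on labeled data.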

Original language: English (US)
Title of host publication: Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 250-262
Number of pages: 13
ISBN (Electronic): 9781665435727
DOIs
State: Published - Jun 2021
Event: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021 - Virtual, Online, Taiwan, Province of China
Duration: Jun 21 2021 - Jun 24 2021

Publication series

Name: Proceedings - 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021

Conference

Conference: 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2021
Country/Territory: Taiwan, Province of China
City: Virtual, Online
Period: 6/21/21 - 6/24/21

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
