Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users

Autoencoder-based anomaly detection methods have been used to identify anomalous users in large-scale enterprise logs, under the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches build models by reconstructing single-day, individual-user behaviors. However, without capturing long-term signals and group-correlation signals, such models cannot identify low-signal yet long-lasting threats, and they wrongly report many normal users as anomalies on busy days, which in turn leads to a high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders, and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.

Metadata

Work Title: Time-Window Based Group-Behavior Supported Method for Accurate Detection of Anomalous Users
Access: Open Access
Creators:
  1. Lun Pin Yuan
  2. Euijin Choo
  3. Ting Yu
  4. Issa Khalil
  5. Sencun Zhu
Keywords:
  1. Computer Security
  2. Anomaly Detection
  3. Machine Learning
License: In Copyright (Rights Reserved)
Work Type: Article
Publisher:
  1. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Publication Date: June 1, 2021
Publisher Identifier (DOI):
  1. https://doi.org/10.1109/DSN48987.2021.00038
Deposited: February 27, 2023

Work History

Version 1
published

  • Created
  • Added AnomalyDetectionDSN2021.pdf
  • Added Creator Lun Pin Yuan
  • Added Creator Euijin Choo
  • Added Creator Ting Yu
  • Added Creator Issa Khalil
  • Added Creator Sencun Zhu
  • Published
  • Updated Keyword, Publisher
    Keyword
    • Computer Security, Anomaly Detection, Machine Learning
    Publisher
    • 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
  • Updated