Internet Archive Scholar

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users [article]

Lun-Pin Yuan, Euijin Choo, Ting Yu, Issa Khalil, Sencun Zhu
2020 arXiv   pre-print

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (2.0 MB)
https://web.archive.org/web/20210103065249/https://arxiv.org/pdf/2012.13971v1.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2021; you can also visit the original URL. The file type is application/pdf.

Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users
more » ... s anomalies on busy days, which, in turn, lead to high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.
arXiv:2012.13971v1 fatcat:7ajtgcengvhidhkll6voi53ow4
Open Access
Citation

Lun-Pin Yuan, Euijin Choo, Ting Yu, Issa Khalil, Sencun Zhu. "Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users." arXiv (2020)