ADSAGE: Anomaly Detection in Sequences of Attributed Graph Edges applied
to insider threat detection at fine-grained level
- URL: http://arxiv.org/abs/2007.06985v1
- Date: Tue, 14 Jul 2020 12:05:05 GMT
- Title: ADSAGE: Anomaly Detection in Sequences of Attributed Graph Edges applied
to insider threat detection at fine-grained level
- Authors: Mathieu Garchery and Michael Granitzer
- Abstract summary: We introduce ADSAGE to detect anomalies in audit log events modeled as graph edges.
Our method is the first to perform anomaly detection at edge level while supporting both edge sequences and attributes.
We evaluate ADSAGE on authentication, email traffic and web browsing logs from the CERT insider threat datasets.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Previous works on the CERT insider threat detection case have neglected graph
and text features despite their relevance to describe user behavior.
Additionally, existing systems heavily rely on feature engineering and audit
data aggregation to detect malicious activities. This is time consuming,
requires expert knowledge and prevents tracing back alerts to precise user
actions. To address these issues we introduce ADSAGE to detect anomalies in
audit log events modeled as graph edges. Our general method is the first to
perform anomaly detection at edge level while supporting both edge sequences
and attributes, which can be numeric, categorical or even text. We describe how
ADSAGE can be used for fine-grained, event level insider threat detection in
different audit logs from the CERT use case. Noting that there is no
standard benchmark for the CERT problem, we use a previously proposed
evaluation setting based on realistic recall-based metrics. We evaluate ADSAGE
on authentication, email traffic and web browsing logs from the CERT insider
threat datasets, as well as on real-world authentication events. ADSAGE is
effective at detecting anomalies in authentications, modeled as user to computer
interactions, and in email communications. Simple baselines give surprisingly
strong results as well. We also report performance split by malicious scenarios
present in the CERT datasets: interestingly, several detectors are
complementary and could be combined to improve detection. Overall, our results
show that graph features are informative to characterize malicious insider
activities, and that detection at fine-grained level is possible.
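To make the edge-level framing concrete, the block below is an added illustration, not code from the ADSAGE paper and not its model: it parses constructed CERT-style logon records into user-to-computer edges and scores every event against the user's earlier edges with a count-based baseline of the kind the abstract says performs surprisingly well, so each alert maps back to exactly one audit-log line. The log lines, user and host names, the Laplace-smoothed surprise score, the 07:00-19:00 working-hours window and the off-hours penalty weight are all assumptions made for this example.

```python
# Added example, not code from the ADSAGE paper: a count-based baseline that
# scores each logon event as an edge user -> computer against the user's
# earlier edges, so every alert traces back to one audit-log line.
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the CERT logon.csv layout (id,date,user,pc,activity);
# the ids, users and hosts are invented, not taken from the real dataset.
SAMPLE_LOGON_CSV = """\
id,date,user,pc,activity
{A1},01/06/2020 08:03:12,ACM2278,PC-1234,Logon
{A2},01/06/2020 08:10:44,CMP2946,PC-5623,Logon
{A3},01/06/2020 17:31:02,ACM2278,PC-1234,Logoff
{A4},01/07/2020 08:01:57,ACM2278,PC-1234,Logon
{A5},01/07/2020 08:12:30,CMP2946,PC-5623,Logon
{A6},01/07/2020 22:47:09,ACM2278,PC-5623,Logon
{A7},01/08/2020 08:00:19,ACM2278,PC-1234,Logon
"""


class Edge(NamedTuple):
    event_id: str
    when: datetime
    src: str               # user node
    dst: str               # computer node
    attrs: Dict[str, str]  # remaining columns kept as edge attributes


def parse_logon_edges(csv_text: str) -> List[Edge]:
    """Turn Logon lines into user->computer edges, ordered by timestamp."""
    lines = csv_text.strip().splitlines()
    header = lines[0].split(",")
    edges = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        if row["activity"] != "Logon":
            continue  # logoffs are not modeled as edges in this baseline
        when = datetime.strptime(row["date"], "%m/%d/%Y %H:%M:%S")
        edges.append(Edge(row["id"], when, row["user"], row["pc"],
                          {"activity": row["activity"]}))
    return sorted(edges, key=lambda e: e.when)


OFF_HOURS_PENALTY_BITS = 2.0  # assumed weight for a logon outside 07:00-19:00


def score_edges(edges: List[Edge]) -> List[Tuple[Edge, float]]:
    """Score each edge in sequence order against its source node's history.

    surprise = -log2 P(dst | src), with Laplace smoothing over every
    destination seen in the log, plus a fixed penalty for an off-hours
    timestamp attribute. History is updated only after scoring, so an
    event is judged against what preceded it, never against itself.
    """
    vocab = {e.dst for e in edges}
    seen = defaultdict(lambda: defaultdict(int))  # seen[src][dst]
    total = defaultdict(int)                       # total[src]
    scored = []
    for e in edges:
        p = (seen[e.src][e.dst] + 1) / (total[e.src] + len(vocab))
        score = -math.log2(p)
        if not 7 <= e.when.hour < 19:
            score += OFF_HOURS_PENALTY_BITS
        scored.append((e, score))
        seen[e.src][e.dst] += 1
        total[e.src] += 1
    return scored


def top_alerts(csv_text: str, k: int = 3) -> List[Tuple[str, float]]:
    """Rank individual events (not users or days) by anomaly score."""
    ranked = sorted(score_edges(parse_logon_edges(csv_text)),
                    key=lambda t: -t[1])
    return [(e.event_id, round(s, 3)) for e, s in ranked[:k]]


if __name__ == "__main__":
    for event_id, s in top_alerts(SAMPLE_LOGON_CSV):
        print(f"{event_id}\t{s:.3f}")
```

On the constructed log the highest-scoring event is {A6}, ACM2278's first ever logon to PC-5623 at 22:47, and the alert names that single record rather than a per-user daily aggregate; the first logon of each user also scores high simply because there is no history yet, which is the cold-start behaviour any history-based detector has to tolerate.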
Related papers
- When and How Does In-Distribution Label Help Out-of-Distribution Detection? (2024-05-28)
  This paper offers a formal understanding to theoretically delineate the impact of ID labels on OOD detection.
  We employ a graph-theoretic approach, rigorously analyzing the separability of ID data from OOD data in a closed-form manner.
  We present empirical results on both simulated and real datasets, validating theoretical guarantees and reinforcing our insights.
- SeGA: Preference-Aware Self-Contrastive Learning with Prompts for Anomalous User Detection on Twitter (2023-12-17)
  We propose SeGA, preference-aware self-contrastive learning for anomalous user detection.
  SeGA uses large language models to summarize user preferences via posts.
  We empirically validate the effectiveness of the model design and pre-training strategies.
- Effective In-vehicle Intrusion Detection via Multi-view Statistical Graph Learning on CAN Messages (2023-11-13)
  The in-vehicle network (IVN) is facing a wide variety of complex and changing external cyber-attacks.
  Only coarse-grained recognition can be achieved in current mainstream intrusion detection mechanisms.
  We propose StatGraph, an effective multi-view statistical graph learning intrusion detection method.
- A Critical Review of Common Log Data Sets Used for Evaluation of Sequence-based Anomaly Detection Techniques (2023-09-06)
  We analyze six publicly available log data sets with focus on the manifestations of anomalies and simple techniques for their detection.
  Our findings suggest that most anomalies are not directly related to sequential manifestations and that advanced detection techniques are not required to achieve high detection rates on these data sets.
- BOURNE: Bootstrapped Self-supervised Learning Framework for Unified Graph Anomaly Detection (2023-07-28)
  We propose a novel unified graph anomaly detection framework based on bootstrapped self-supervised learning (named BOURNE).
  By swapping the context embeddings between nodes and edges, we enable the mutual detection of node and edge anomalies.
  BOURNE can eliminate the need for negative sampling, thereby enhancing its efficiency in handling large graphs.
- Semi-Supervised and Long-Tailed Object Detection with CascadeMatch (2023-05-24)
  We propose a novel pseudo-labeling-based detector called CascadeMatch.
  Our detector features a cascade network architecture, which has multi-stage detection heads with progressive confidence thresholds.
  We show that CascadeMatch surpasses existing state-of-the-art semi-supervised approaches in handling long-tailed object detection.
- PULL: Reactive Log Anomaly Detection Based On Iterative PU Learning (2023-01-25)
  We propose PULL, an iterative log analysis method for reactive anomaly detection based on estimated failure time windows.
  Our evaluation shows that PULL consistently outperforms ten benchmark baselines across three different datasets.
- Label-Efficient Interactive Time-Series Anomaly Detection (2022-12-30)
  We propose a Label-Efficient Interactive Time-Series Anomaly Detection (LEIAD) system.
  To achieve this goal, the system integrates weak supervision and active learning collaboratively.
  We conduct experiments on three time-series anomaly detection datasets, demonstrating that the proposed system is superior to existing solutions.
- Be Your Own Neighborhood: Detecting Adversarial Example by the Neighborhood Relations Built on Self-Supervised Learning (2022-08-31)
  This paper presents a novel adversarial example (AE) detection framework. It performs the detection by distinguishing the AE's abnormal relation with its augmented versions.
  An off-the-shelf Self-Supervised Learning (SSL) model is used to extract the representation and predict the label.
- Attentive Prototypes for Source-free Unsupervised Domain Adaptive 3D Object Detection (2021-11-30)
  3D object detection networks tend to be biased towards the data they are trained on.
  We propose a single-frame approach for source-free, unsupervised domain adaptation of lidar-based 3D object detectors.
- WSSOD: A New Pipeline for Weakly- and Semi-Supervised Object Detection (2021-05-21)
  We propose a weakly- and semi-supervised object detection framework (WSSOD).
  An agent detector is first trained on a joint dataset and then used to predict pseudo bounding boxes on weakly-annotated images.
  The proposed framework demonstrates remarkable performance on the PASCAL-VOC and MSCOCO benchmarks, achieving performance comparable to that obtained in fully-supervised settings.
This list is automatically generated from the titles and abstracts of the papers in this site.