Detecting Anomalous User Behavior Using an Extended Isolation Forest Algorithm: An Enterprise Case Study
This work addresses anomalous behavior detection for enterprise information security, but it is incremental as it builds on an existing algorithm with a case study.
The paper tackled the problem of detecting anomalous user behavior in enterprise security systems by applying an extended Isolation Forest algorithm, achieving the ability to isolate anomalies from a baseline model using single or combined features without requiring example anomalies in training.
Anomalous user behavior detection is the core component of many information security systems, such as intrusion detection, insider threat detection and authentication systems. Anomalous behavior will raise an alarm to the system administrator and can be further combined with other information to determine whether it constitutes an unauthorised or malicious use of a resource. This paper presents an anomalous user behaviour detection framework that applies an extended version of Isolation Forest algorithm. Our method is fast and scalable and does not require example anomalies in the training data set. We apply our method to an enterprise dataset. The experimental results show that the system is able to isolate anomalous instances from the baseline user model using a single feature or combined features.