Protection of an information system by artificial intelligence: a three-phase approach based on behaviour analysis to detect a hostile scenario
This work addresses incremental improvements in intrusion detection for cybersecurity systems, focusing on enhancing behavior analysis to detect hostile scenarios more effectively.
The paper tackles the problem of bias and lack of explainability in existing UEBA-based intrusion detection systems by proposing a three-phase unsupervised approach that adds a correlation phase to reduce false positives and negatives, with initial results showing promise on synthetic and real data.
The analysis of the behaviour of individuals and entities (UEBA) is an area of artificial intelligence that detects hostile actions (e.g. attacks, fraud, influence, poisoning) due to the unusual nature of observed events, by affixing to a signature-based operation. A UEBA process usually involves two phases, learning and inference. Intrusion detection systems (IDS) available still suffer from bias, including over-simplification of problems, underexploitation of the AI potential, insufficient consideration of the temporality of events, and perfectible management of the memory cycle of behaviours. In addition, while an alert generated by a signature-based IDS can refer to the signature on which the detection is based, the IDS in the UEBA domain produce results, often associated with a score, whose explainable character is less obvious. Our unsupervised approach is to enrich this process by adding a third phase to correlate events (incongruities, weak signals) that are presumed to be linked together, with the benefit of a reduction of false positives and negatives. We also seek to avoid a so-called "boiled frog" bias inherent in continuous learning. Our first results are interesting and have an explainable character, both on synthetic and real data.