System Misuse Detection via Informed Behavior Clustering and Modeling
This addresses cybersecurity challenges by reducing expert effort in attack identification, though it is incremental as it builds on existing machine learning methods with domain-specific enhancements.
The paper tackles the problem of detecting malicious system interactions by modeling normal behavior using LSTM neural networks, enhanced with expert-identified clusters via a visual interface, and reports empirical results showing the approach can capture normal behavior for anomaly detection.
One of the main tasks of cybersecurity is recognizing malicious interactions with an arbitrary system. Currently, the logging information from each interaction can be collected in almost unrestricted amounts, but identification of attacks requires a lot of effort and time of security experts. We propose an approach for identifying fraud activity through modeling normal behavior in interactions with a system via machine learning methods, in particular LSTM neural networks. In order to enrich the modeling with system specific knowledge, we propose to use an interactive visual interface that allows security experts to identify semantically meaningful clusters of interactions. These clusters incorporate domain knowledge and lead to more precise behavior modeling via informed machine learning. We evaluate the proposed approach on a dataset containing logs of interactions with an administrative interface of login and security server. Our empirical results indicate that the informed modeling is capable of capturing normal behavior, which can then be used to detect abnormal behavior.