LG CR | Dec 27, 2020

Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

arXiv:2012.13971v1
AI Analysis

This work provides a more accurate method for cybersecurity analysts to detect low-signal, long-lasting threats and reduce false positives in large-scale enterprise log anomaly detection.

This paper addresses the limitations of existing autoencoder-based anomaly detection methods for identifying abnormal users in enterprise logs, which often fail to capture long-term and group-correlation signals. The proposed ACOBE method, which considers long-term patterns and group behaviors, significantly outperforms prior work in precision and recall.

Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.

Code Implementations: 1 repo
Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.