We propose an automatic graph learning framework that models rich event dependencies from audit data, facilitating the detection of complex multi-event insider threats. Our method first relies on treating audit log entries as nodes in graphs with no edges initially. Each node is represented by an initial representation capturing daily user behaviours. This is achieved through a deep-sequential neural network architecture that results from a prior contribution. Then, we suggest a custom edge predictor that identifies long-term dependencies. The resulting graph is then used to identify abnormal nodes indicating malicious events. The proposed method does not require any label information from the audit data, classifying it as an unsupervised learning approach. Additionally, it does not require extensive audit log preprocessing, such as manual extraction of domain-knowledge-rich features or data balancing. Therefore, the suggested method is easy to implement and can be used across organizations regardless of their level of expertise. By providing a node-based scoring system, the resulting graph also functions as a diagnostic tool to help security experts understand detected threats. On the CERT benchmark dataset version 6.2, our approach outperforms previous state-of-the-art approaches, achieving an area under the ROC curve of 97.17%.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Unsupervised Graph Learning For Insider Threat Detection

  • Simon Bertrand,
  • Pascal Germain,
  • Nadia Tawbi

摘要

We propose an automatic graph learning framework that models rich event dependencies from audit data, facilitating the detection of complex multi-event insider threats. Our method first relies on treating audit log entries as nodes in graphs with no edges initially. Each node is represented by an initial representation capturing daily user behaviours. This is achieved through a deep-sequential neural network architecture that results from a prior contribution. Then, we suggest a custom edge predictor that identifies long-term dependencies. The resulting graph is then used to identify abnormal nodes indicating malicious events. The proposed method does not require any label information from the audit data, classifying it as an unsupervised learning approach. Additionally, it does not require extensive audit log preprocessing, such as manual extraction of domain-knowledge-rich features or data balancing. Therefore, the suggested method is easy to implement and can be used across organizations regardless of their level of expertise. By providing a node-based scoring system, the resulting graph also functions as a diagnostic tool to help security experts understand detected threats. On the CERT benchmark dataset version 6.2, our approach outperforms previous state-of-the-art approaches, achieving an area under the ROC curve of 97.17%.