DMNAED: A Novel Framework Based on Dynamic Memory Network for Abnormal Event Detection in Enterprise Networks
Abnormal event detection is a crucial step towards discovering insider threat in enterprise networks. However, most existing anomaly detection approaches fail to capture latent correlations between disparate events in different domains due to the lack of a panoramic view or the disability of iterative attention. In light of this, this paper presents DMNAED, a novel framework based on dynamic memory network for abnormal event detection in enterprise networks. Inspired by question answering systems in natural language processing, DMNAED considers the event to be inspected as a question, and a sequence of multi-domain historical events serve as a context. Through an iterative attention process, DMNAED captures the context-question interrelation and aggregates relevant historical events to make more accurate anomaly detection. The experimental results on the CERT insider threat dataset r4.2 demonstrate that DMNAED exhibits more stable and superior performance compared with three baseline methods in identifying aberrant events in multi-user and multi-domain environments.
KeywordsAbnormal event detection Dynamic memory network Iterative attention Relevant historical events
This research was supported by National Research and Development Program of China (No. 2017YFB1010000).
- 1.Beschastnikh, I., Brun, Y., Ernst, M.D., Krishnamurthy, A.: Inferring models of concurrent systems from logs of their behavior with CSight. In: 36th ICSE, pp. 468–479 (2014)Google Scholar
- 2.Buda, T.S., Caglayan, B., Assem, H.: DeepAD: a generic framework based on deep learning for time series anomaly detection. In: Phung, D., Tseng, V.S., Webb, G.I., Ho, B., Ganji, M., Rashidi, L. (eds.) PAKDD 2018. LNCS (LNAI), vol. 10937, pp. 577–588. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93034-3_46CrossRefGoogle Scholar
- 5.Du, M., Li, F., Zheng, G., Srikumar, V.: Deeplog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC, CCS, pp. 1285–1298 (2017)Google Scholar
- 6.Gamachchi, A., Sun, L., Boztas, S.: Graph based framework for malicious insider threat detection. In: HICSS (2017)Google Scholar
- 7.Hossain, M.N., et al.: SLEUTH: real-time attack scenario reconstruction from COTS audit data. CoRR abs/1801.02062 (2018)Google Scholar
- 9.Kumar, A., et al.: Ask me anything: dynamic memory networks for natural language processing. In: ICML, pp. 1378–1387 (2016)Google Scholar
- 11.Meng, F., Lou, F., Fu, Y., Tian, Z.: Deep learning based attribute classification insider threat detection for data security. In: DSC, pp. 576–581 (2018)Google Scholar
- 12.Nam, T.M., et al.: Self-organizing map-based approaches in DDoS flooding detection using SDN. In: ICOIN, pp. 249–254 (2018)Google Scholar
- 13.Nance, K., Marty, R.: Identifying and visualizing the malicious insider threat using bipartite graphs. In: HICSS, pp. 1–9 (2011)Google Scholar
- 14.Pei, K., et al.: HERCULE: attack story reconstruction via community discovery on correlated log graph. In: ACSAC, pp. 583–595 (2016)Google Scholar
- 15.Wang, Q., Xu, J., Chen, H., He, B.: Two improved continuous bag-of-word models. In: IJCNN (2017)Google Scholar
- 16.Yen, T.F., et al.: Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of the 29th ACSAC, pp. 199–208 (2013)Google Scholar