DMNAED: A Novel Framework Based on Dynamic Memory Network for Abnormal Event Detection in Enterprise Networks

  • Xueshuang Ren
  • Liming WangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11439)


Abnormal event detection is a crucial step towards discovering insider threat in enterprise networks. However, most existing anomaly detection approaches fail to capture latent correlations between disparate events in different domains due to the lack of a panoramic view or the disability of iterative attention. In light of this, this paper presents DMNAED, a novel framework based on dynamic memory network for abnormal event detection in enterprise networks. Inspired by question answering systems in natural language processing, DMNAED considers the event to be inspected as a question, and a sequence of multi-domain historical events serve as a context. Through an iterative attention process, DMNAED captures the context-question interrelation and aggregates relevant historical events to make more accurate anomaly detection. The experimental results on the CERT insider threat dataset r4.2 demonstrate that DMNAED exhibits more stable and superior performance compared with three baseline methods in identifying aberrant events in multi-user and multi-domain environments.


Abnormal event detection Dynamic memory network Iterative attention Relevant historical events 



This research was supported by National Research and Development Program of China (No. 2017YFB1010000).


  1. 1.
    Beschastnikh, I., Brun, Y., Ernst, M.D., Krishnamurthy, A.: Inferring models of concurrent systems from logs of their behavior with CSight. In: 36th ICSE, pp. 468–479 (2014)Google Scholar
  2. 2.
    Buda, T.S., Caglayan, B., Assem, H.: DeepAD: a generic framework based on deep learning for time series anomaly detection. In: Phung, D., Tseng, V.S., Webb, G.I., Ho, B., Ganji, M., Rashidi, L. (eds.) PAKDD 2018. LNCS (LNAI), vol. 10937, pp. 577–588. Springer, Cham (2018). Scholar
  3. 3.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: a survey. ACM Comput. Surv. 41(3), 15:1–15:58 (2009)CrossRefGoogle Scholar
  4. 4.
    Denning, D.E.: An intrusion-detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)CrossRefGoogle Scholar
  5. 5.
    Du, M., Li, F., Zheng, G., Srikumar, V.: Deeplog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC, CCS, pp. 1285–1298 (2017)Google Scholar
  6. 6.
    Gamachchi, A., Sun, L., Boztas, S.: Graph based framework for malicious insider threat detection. In: HICSS (2017)Google Scholar
  7. 7.
    Hossain, M.N., et al.: SLEUTH: real-time attack scenario reconstruction from COTS audit data. CoRR abs/1801.02062 (2018)Google Scholar
  8. 8.
    King, S.T., Chen, P.M.: Backtracking intrusions. ACM Trans. Comput. Syst. 23(1), 51–76 (2005)CrossRefGoogle Scholar
  9. 9.
    Kumar, A., et al.: Ask me anything: dynamic memory networks for natural language processing. In: ICML, pp. 1378–1387 (2016)Google Scholar
  10. 10.
    Lee, W., Hsu, W.H., Satoh, S.: Learning from cross-domain media streams for event-of-interest discovery. IEEE Trans. Multimed. 20(1), 142–154 (2018)CrossRefGoogle Scholar
  11. 11.
    Meng, F., Lou, F., Fu, Y., Tian, Z.: Deep learning based attribute classification insider threat detection for data security. In: DSC, pp. 576–581 (2018)Google Scholar
  12. 12.
    Nam, T.M., et al.: Self-organizing map-based approaches in DDoS flooding detection using SDN. In: ICOIN, pp. 249–254 (2018)Google Scholar
  13. 13.
    Nance, K., Marty, R.: Identifying and visualizing the malicious insider threat using bipartite graphs. In: HICSS, pp. 1–9 (2011)Google Scholar
  14. 14.
    Pei, K., et al.: HERCULE: attack story reconstruction via community discovery on correlated log graph. In: ACSAC, pp. 583–595 (2016)Google Scholar
  15. 15.
    Wang, Q., Xu, J., Chen, H., He, B.: Two improved continuous bag-of-word models. In: IJCNN (2017)Google Scholar
  16. 16.
    Yen, T.F., et al.: Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of the 29th ACSAC, pp. 199–208 (2013)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Institute of Information Engineering, Chinese Academy of SciencesBeijingChina
  2. 2.School of Cyber SecurityUniversity of Chinese Academy of SciencesBeijingChina

Personalised recommendations