Detecting Anomalous User Behavior Using an Extended Isolation Forest Algorithm: An Enterprise Case Study
Li Sun, Steven Versteeg, Serdar Boztas, Asha Rao

TL;DR
This paper introduces an extended Isolation Forest algorithm for detecting anomalous user behavior in enterprise security, demonstrating its speed, scalability, and effectiveness without needing labeled anomalies.
Contribution
The paper presents a novel extended Isolation Forest method tailored for enterprise user behavior anomaly detection, capable of handling multiple features and scalable to large datasets.
Findings
Effective anomaly isolation using single or combined features
Fast and scalable detection without labeled anomalies
Successful application to enterprise dataset
Abstract
Anomalous user behaviour detection is the core component of many information security systems, such as intrusion detection, insider threat detection and authentication systems. Anomalous behaviour raises an alarm to the system administrator and can be combined with other information to determine whether it constitutes unauthorised or malicious use of a resource. This paper presents an anomalous user behaviour detection framework that applies an extended version of the Isolation Forest algorithm. The method is fast and scalable and does not require example anomalies in the training data set. The authors apply it to an enterprise dataset. The experimental results show that the system is able to isolate anomalous instances from the baseline user model using either a single feature or combined features.
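The following is an added worked example, not code from the paper or its authors, showing the mechanism the abstract relies on: an Isolation Forest in its standard form (random feature, random split, short average path length means anomalous), trained on a baseline with no labelled anomalies and scored over either all features or a single feature. The user-behaviour records, the feature names (logins per day, distinct hosts, MB transferred, after-hours logins) and the two injected anomalies are constructed for illustration and are not the paper's enterprise dataset; the paper's extension to the algorithm is not described on this page, so it is not reproduced here.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def c(n):
    """Expected path length of an unsuccessful BST search over n points;
    normalises tree depth so scores are comparable across sample sizes."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


class ITree:
    """One isolation tree: pick a random feature and a random split value
    between its min and max, recurse until a point is alone or the depth
    limit is reached. Anomalies are separated in few splits."""

    def __init__(self, rows, depth, max_depth, rng, features):
        self.size = len(rows)
        self.left = self.right = None
        self.feat = self.split = None
        if depth >= max_depth or self.size <= 1:
            return
        usable = [f for f in features
                  if min(r[f] for r in rows) < max(r[f] for r in rows)]
        if not usable:  # remaining points are identical on every feature
            return
        self.feat = rng.choice(usable)
        lo = min(r[self.feat] for r in rows)
        hi = max(r[self.feat] for r in rows)
        self.split = rng.uniform(lo, hi)
        left = [r for r in rows if r[self.feat] < self.split]
        right = [r for r in rows if r[self.feat] >= self.split]
        self.left = ITree(left, depth + 1, max_depth, rng, features)
        self.right = ITree(right, depth + 1, max_depth, rng, features)

    def path_length(self, x, depth=0):
        if self.left is None:
            # unresolved leaf: add the expected depth still needed for size points
            return depth + c(self.size)
        child = self.left if x[self.feat] < self.split else self.right
        return child.path_length(x, depth + 1)


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, features=None, seed=0):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.features, self.seed = features, seed
        self.trees, self.psi = [], 0

    def fit(self, rows):
        """Unsupervised: only baseline rows are needed, no anomaly labels."""
        rng = random.Random(self.seed)
        feats = list(self.features) if self.features is not None \
            else list(range(len(rows[0])))
        self.psi = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.psi))
        self.trees = [ITree(rng.sample(rows, self.psi), 0, max_depth, rng, feats)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """s(x) = 2^(-E[h(x)] / c(psi)): near 1 is anomalous, well below 0.5 is normal."""
        mean_h = sum(t.path_length(x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_h / c(self.psi))


def rank(forest, rows):
    """Row indices ordered from most to least anomalous."""
    return sorted(range(len(rows)), key=lambda i: forest.score(rows[i]), reverse=True)


def make_baseline(n=120, seed=1):
    """Constructed baseline: per-user daily feature vectors
    [logins_per_day, distinct_hosts, mb_transferred, after_hours_logins]."""
    rng = random.Random(seed)
    return [[rng.gauss(8, 1.5), rng.gauss(3, 0.8), rng.gauss(40, 10), rng.gauss(0.5, 0.4)]
            for _ in range(n)]


BASELINE = make_baseline()
ANOMALIES = [
    [9.0, 3.1, 2500.0, 0.3],   # constructed: mass download, extreme on one feature only
    [12.0, 14.0, 45.0, 6.0],   # constructed: many hosts plus off-hours logins, normal transfer volume
]
ALL = BASELINE + ANOMALIES
A0, A1 = len(BASELINE), len(BASELINE) + 1

if __name__ == "__main__":
    combined = IsolationForest(seed=7).fit(ALL)            # all four features
    single = IsolationForest(features=[2], seed=7).fit(ALL)  # MB transferred only
    for name, forest in (("all features", combined), ("mb_transferred only", single)):
        top = rank(forest, ALL)[:3]
        print(name, "top 3:", [(i, round(forest.score(ALL[i]), 3)) for i in top])
```

Scoring over all features ranks both injected users at the top; restricting the forest to the single transfer-volume feature still isolates the mass-download user but not the lateral-movement one, whose transfer volume is ordinary. In deployment the baseline scores of normal users set the alert threshold, since the absolute value of s depends on the sample size and depth limit.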
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
