Recurrent Neural Network Language Models for Open Vocabulary Event-Level Cyber Anomaly Detection
Aaron Tuor, Ryan Baerwolf, Nicolas Knowles, Brian Hutchinson, Nicole Nichols, Rob Jasper

TL;DR
This paper presents an unsupervised neural network language modeling approach for detecting cyber anomalies in network logs, outperforming traditional methods and effectively handling open vocabulary data.
Contribution
It introduces a novel recurrent neural network architecture for anomaly detection that reduces domain-dependent feature engineering and models user behavior over time.
Findings
Bidirectional RNN models achieve high detection accuracy.
The tiered architecture captures user action sequences effectively.
Outperforms Isolation Forest and PCA on the LANL dataset.
Abstract
Automated analysis methods are crucial aids for monitoring and defending a network to protect the sensitive or confidential data it hosts. This work introduces a flexible, powerful, and unsupervised approach to detecting anomalous behavior in computer and network logs, one that largely eliminates domain-dependent feature engineering employed by existing methods. By treating system logs as threads of interleaved "sentences" (event log lines) to train online unsupervised neural network language models, our approach provides an adaptive model of normal network behavior. We compare the effectiveness of both standard and bidirectional recurrent neural network language models at detecting malicious activity within network log data. Extending these models, we introduce a tiered recurrent architecture, which provides context by modeling sequences of users' actions over time. Compared to…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
