Anomaly Detection in Log Data using Graph Databases and Machine Learning to Defend Advanced Persistent Threats

TL;DR

This paper presents a novel approach combining graph databases and machine learning to detect cyber breaches in log data, significantly reducing detection time and improving attack profiling in real-world scenarios.

Contribution

It introduces a flexible framework that integrates kill chain mechanisms with graph analysis and time series data to detect APTs efficiently.

Findings

Successful detection of simulated attacks using graph analysis

Framework performs well on real-world log data

Enables rapid identification of attacker and affected systems

Abstract

Advanced Persistent Threats (APTs) are a main impendence in cyber security of computer networks. In 2015, a successful breach remains undetected 146 days on average, reported by [Fi16].With our work we demonstrate a feasible and fast way to analyse real world log data to detect breaches or breach attempts. By adapting well-known kill chain mechanisms and a combine of a time series database and an abstracted graph approach, it is possible to create flexible attack profiles. Using this approach, it can be demonstrated that the graph analysis successfully detects simulated attacks by analysing the log data of a simulated computer network. Considering another source for log data, the framework is capable to deliver sufficient performance for analysing real-world data in short time. By using the computing power of the graph database it is possible to identify the attacker and furthermore it is feasible to detect other affected system components. We believe to significantly reduce the detection time of breaches with this approach and react fast to new attack vectors.