Time-Window Group-Correlation Support vs. Individual Features: A Detection of Abnormal Users

TL;DR

ACOBE is a novel autoencoder-based anomaly detection method that captures long-term and group behavioral signals to improve detection accuracy of malicious users in enterprise logs.

Contribution

The paper introduces ACOBE, a new approach that incorporates long-term and group behaviors into autoencoder models for more accurate anomaly detection.

Findings

ACOBE significantly outperforms previous methods in precision and recall.

It effectively detects low-signal, long-lasting threats.

The case study confirms practical applicability in cyberattack detection.

Abstract

Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will wrongly report many normal users as anomalies on busy days, which, in turn, lead to high false positive rate. In this paper, we propose ACOBE, an Anomaly detection method based on COmpound BEhavior, which takes into consideration long-term patterns and group behaviors. ACOBE leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Our evaluation shows that ACOBE outperforms prior work by a large margin in terms of precision and recall, and our case study demonstrates that ACOBE is applicable in practice for cyberattack detection.