SIERRA: Ranking Anomalous Activities in Enterprise Networks
Jehyun Lee, Farren Tang, Phyo May Thet, Desmond Yeoh, Mitch Rybczynski, Dinil Mon Divakaran

TL;DR
SIERRA is an unsupervised system that ranks and explains network anomalies from enterprise security logs, helping analysts prioritize investigations efficiently without relying on labeled data.
Contribution
SIERRA introduces a novel unsupervised ranking method with contextual explanations for network anomalies, outperforming existing detection approaches.
Findings
SIERRA effectively detects top anomalies in enterprise networks.
It outperforms naive anomaly detection algorithms.
SIERRA provides visual explanations for anomalies.
Abstract
An enterprise today deploys multiple security middleboxes such as firewalls, IDS, IPS, etc. in its network to collect different kinds of events related to threats and attacks. These events are streamed into a SIEM (Security Information and Event Management) system for analysts to investigate and respond quickly with appropriate actions. However, the number of events collected for a single enterprise can easily run into hundreds of thousands per day, much more than what analysts can investigate under a given budget constraint (time). In this work, we look into the problem of prioritizing suspicious events or anomalies to analysts for further investigation. We develop SIERRA, a system that processes event logs from multiple and diverse middleboxes to detect and rank anomalous activities. SIERRA takes an unsupervised approach and therefore has no dependence on ground truth data. Different…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Software System Performance and Reliability
