Peer-group Behaviour Analytics of Windows Authentications Events Using Hierarchical Bayesian Modelling
Iwona Hawryluk, Henrique Hoeltgebaum, Cole Sodja, Tyler Lalicker, Joshua Neil

TL;DR
This paper introduces a hierarchical Bayesian model for peer-group behavior analysis of Windows authentication events, aiming to improve threat detection accuracy and reduce false positives in cybersecurity.
Contribution
It presents a novel two-stage Bayesian approach for forming peer-groups and modeling authentication patterns, enhancing threat detection in enterprise networks.
Findings
Empirical evidence shows reduced false positives in real-world data.
Data-driven peer-group formation outperforms HR-based grouping.
Model captures seasonality and hierarchical behavior patterns.
Abstract
Cyber-security analysts face an increasingly large number of alerts received on any given day. This is mainly due to the low precision of many existing methods to detect threats, producing a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are implemented within a computer network to detect threats. Recent efforts in User and Entity Behaviour Analytics modelling shed a light on how to reduce the burden on Security Operations Centre analysts through a better understanding of peer-group behaviour. Statistically, the challenge consists of accurately grouping users with similar behaviour, and then identifying those who deviate from their peers. This work proposes a new approach for peer-group behaviour modelling of Windows authentication events, using principles from hierarchical Bayesian models. This is a two-stage approach where in…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
