Identifying and Clustering Users for Unsupervised Intrusion Detection in Corporate Audit Sessions
Authors: Mathieu Garchery, M. Granitzer
Venue: 2019 IEEE International Conference on Cognitive Computing (ICCC)
Publication date: 2019-07-08
DOI: 10.1109/ICCC.2019.00016 (https://doi.org/10.1109/ICCC.2019.00016)
We address intrusion detection in audit sessions, focusing on masquerades and insider threats. Unsupervised intrusion detection can straightforwardly be addressed through supervised user identification. This allows us to model the normal behavior of users implicitly within any supervised classifier. However, certain users can have very similar behavior, as shown by their audit sessions, so learning to distinguish them is meaningless and leads to false positives. To address this issue we propose a second method, which identifies user clusters instead of individual users. By discarding harmless alarms for users with similar sessions, a better trade-off between false positives and detection rate can be achieved. We evaluate both methods on real-world and synthetic corporate audit sessions: our methods outperform anomaly detection baselines for masquerade detection. Our results suggest that user identification is effective for masquerades, while insider threats should be detected differently.
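The two schemes the abstract describes, as an added toy illustration that is not the paper's code: method 1 alarms whenever a user-identification classifier predicts a different user than the one the session is attributed to; method 2 first merges users whose behavior profiles are too similar to separate and only alarms when the predicted user falls outside the claimed user's cluster. The nearest-centroid classifier, the cosine similarity, the single-linkage merge and the audit sessions are all constructed assumptions for the example.

```python
from collections import Counter
from math import sqrt

# Constructed training sessions (bags of audit actions), one list per user.
# alice and bob behave almost identically; carol is clearly different.
TRAIN = {
    "alice": [["login", "read_doc", "read_doc", "logout"],
              ["login", "read_doc", "print", "logout"]],
    "bob":   [["login", "read_doc", "read_doc", "logout"],
              ["login", "read_doc", "logout"]],
    "carol": [["login", "db_query", "db_query", "export", "logout"],
              ["login", "db_query", "export", "logout"]],
}

def profile(sessions):
    """L2-normalised action-frequency vector over a set of sessions."""
    counts = Counter(a for s in sessions for a in s)
    norm = sqrt(sum(v * v for v in counts.values()))
    return {a: v / norm for a, v in counts.items()}

def cosine(p, q):
    return sum(w * q.get(a, 0.0) for a, w in p.items())

CENTROIDS = {u: profile(s) for u, s in TRAIN.items()}  # one profile per user

def identify_user(session):
    """Method 1: supervised user identification by nearest centroid."""
    p = profile([session])
    return max(CENTROIDS, key=lambda u: cosine(p, CENTROIDS[u]))

def cluster_users(threshold):
    """Method 2: merge users whose profiles are at least `threshold` similar
    (single linkage via union-find); returns user -> cluster representative."""
    parent = {u: u for u in CENTROIDS}
    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u
    users = list(CENTROIDS)
    for i, u in enumerate(users):
        for v in users[i + 1:]:
            if cosine(CENTROIDS[u], CENTROIDS[v]) >= threshold:
                parent[find(u)] = find(v)
    return {u: find(u) for u in users}

def is_alarm(claimed_user, session, clusters=None):
    """Alarm when the session looks like another user's (method 1) or, if
    clusters are given, like a user outside the claimed user's cluster (method 2)."""
    predicted = identify_user(session)
    if clusters is None:
        return predicted != claimed_user
    return clusters[predicted] != clusters[claimed_user]
```

With a similarity threshold of 0.9, alice and bob land in one cluster, so one of bob's sessions attributed to alice is an alarm under method 1 but is discarded as harmless under method 2, while carol's session attributed to alice stays an alarm under both.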