{"title":"企业多源日志中的异常用户活动检测","authors":"Qiaona Hu, Baoming Tang, Derek Lin","doi":"10.1109/ICDMW.2017.110","DOIUrl":null,"url":null,"abstract":"Security is one of the top concerns of any enterprise. Most security practitioners in enterprises rely on correlation rules to detect potential threats. While the rules are intuitive to design, each rule is independently defined per log source, unable to collectively address heterogeneity of data from a myriad of enterprise networking and security logs. Furthermore, correlation rules do not look for data events beyond a short time range. To complement the conventional correlation rules-based system, we propose a user activity anomaly detection method. The method first addresses data heterogeneity of multi-source logs by designing a meta data extraction step for event normalization. It then builds user-specific models to flag alerts for users whose currently observed event patterns are sufficiently different from their own patterns in the past.","PeriodicalId":389183,"journal":{"name":"2017 IEEE International Conference on Data Mining Workshops (ICDMW)","volume":"14 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"14","resultStr":"{\"title\":\"Anomalous User Activity Detection in Enterprise Multi-source Logs\",\"authors\":\"Qiaona Hu, Baoming Tang, Derek Lin\",\"doi\":\"10.1109/ICDMW.2017.110\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Security is one of the top concerns of any enterprise. Most security practitioners in enterprises rely on correlation rules to detect potential threats. While the rules are intuitive to design, each rule is independently defined per log source, unable to collectively address heterogeneity of data from a myriad of enterprise networking and security logs. Furthermore, correlation rules do not look for data events beyond a short time range. To complement the conventional correlation rules-based system, we propose a user activity anomaly detection method. The method first addresses data heterogeneity of multi-source logs by designing a meta data extraction step for event normalization. It then builds user-specific models to flag alerts for users whose currently observed event patterns are sufficiently different from their own patterns in the past.\",\"PeriodicalId\":389183,\"journal\":{\"name\":\"2017 IEEE International Conference on Data Mining Workshops (ICDMW)\",\"volume\":\"14 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-11-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"14\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 IEEE International Conference on Data Mining Workshops (ICDMW)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICDMW.2017.110\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE International Conference on Data Mining Workshops (ICDMW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICDMW.2017.110","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Anomalous User Activity Detection in Enterprise Multi-source Logs
Security is one of the top concerns of any enterprise. Most security practitioners in enterprises rely on correlation rules to detect potential threats. While the rules are intuitive to design, each rule is independently defined per log source, unable to collectively address heterogeneity of data from a myriad of enterprise networking and security logs. Furthermore, correlation rules do not look for data events beyond a short time range. To complement the conventional correlation rules-based system, we propose a user activity anomaly detection method. The method first addresses data heterogeneity of multi-source logs by designing a meta data extraction step for event normalization. It then builds user-specific models to flag alerts for users whose currently observed event patterns are sufficiently different from their own patterns in the past.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
