Identifying Suspicious User Behavior with Neural Networks

M. Ussath, David Jaeger, Feng Cheng, C. Meinel
Published in: 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud)
Publication date: 2017-06-01
DOI: 10.1109/CSCloud.2017.10 (https://doi.org/10.1109/CSCloud.2017.10)
Citations: 21

Abstract

The number of attacks that use sophisticated and complex methods increased lately. The main objective of these attacks is to largely infiltrate the target network and to stay undetected. Therefore, the attackers often use valid credentials and standard administrative tools to hide between legitimate user actions and to hinder detection. Most existing security systems, which use standard signature-based or anomaly-based approaches, are not able to identify this type of malicious activities. Furthermore, it is also most often not feasible to analyze user behavior manually, due to the complexity of this task and the high amount of different user actions. Thus, it is necessary to develop new automated approaches to identify suspicious user behavior. In this paper, we propose to use neural networks to analyze user behavior and to identify suspicious actions. Due to the fact that neural networks require suitable datasets to learn the difference between suspicious and benign actions, we describe a behavioral simulation system to generate reasonable datasets. These datasets use different behavioral features to describe log-on and log-off activities of users. To identify suitable neural network models for user behavior analysis, we evaluate and compare 16,275 different feed-forward neural networks with three different datasets and 75 recurrent neural networks with one dataset. The results show that the used dataset and the complexity of a model are crucial to achieve a high accuracy. Appropriate models, which also consider context behavior information, are able to automatically classify before unseen user actions with an accuracy of up to 98 %.