ColBetect: A Contrastive Learning Framework Featuring Dual Negative Samples for Anomaly Behavior Detection

Published: 01 Jan 2024, Last Modified: 22 Sept 2024. Venue: APWeb/WAIM (4) 2024. License: CC BY-SA 4.0
Abstract: Graph-based anomaly behavior detection over logs is widely applied. In real-world settings, however, many small organizations have access only to lightweight logs, or even to logs from a single device. Such sparse behavioral data makes it hard to build a comprehensive graph, and detection performance suffers as a result. To address this, ColBetect is proposed as a novel anomaly behavior detection framework that integrates contrastive learning. Starting from an aggregated log graph, ColBetect constructs dual negative samples, one from the graph-structure perspective and one from the attribute perspective, then extracts different embeddings by maximizing or minimizing mutual information, and finally performs anomaly detection on them. ColBetect further gives a formal definition and construction method for the aggregated log graph, which reduces the scale of commonly used graphs and improves compatibility with diverse behavioral data formats. Experimental results show that ColBetect surpasses state-of-the-art methods and that node aggregation substantially reduces graph scale. Ablation experiments further confirm the effectiveness of the negative samples. ColBetect can detect anomalies effectively even from the logs of a single device, enabling accurate anomaly behavior detection in scenarios where traditional structures such as provenance graphs are hard to construct.
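As an added illustration (not the authors' code), the following Python sketches the two ingredients the abstract names: an aggregated log graph, in which repeated identical events collapse into one weighted edge, and dual negative samples, one perturbing structure and one perturbing node attributes. The node attribute scheme and both perturbations are assumptions, since the abstract does not specify them, and the sample log is constructed.

```python
"""Aggregated log graph plus dual negative samples (illustrative sketch)."""
import random
from collections import Counter

# Constructed sample log: (subject, action, object) events from one host.
SAMPLE_LOG = [
    ("svchost", "read", "C:\\Windows\\System32\\config"),
    ("svchost", "read", "C:\\Windows\\System32\\config"),
    ("explorer", "exec", "cmd.exe"),
    ("cmd.exe", "exec", "powershell.exe"),
    ("powershell.exe", "write", "C:\\Users\\Public\\a.bin"),
    ("explorer", "exec", "cmd.exe"),
]


def aggregate_log_graph(events):
    """Collapse identical (subject, action, object) events into one weighted edge.
    Every subject/object becomes a node; its attribute vector (an assumed scheme)
    is [out-degree, in-degree, number of raw events it took part in]."""
    edge_weight = Counter((s, a, o) for s, a, o in events)
    nodes = sorted({s for s, _, _ in events} | {o for _, _, o in events})
    attrs = {n: [0, 0, 0] for n in nodes}
    for (s, _, o), w in edge_weight.items():
        attrs[s][0] += 1
        attrs[o][1] += 1
        attrs[s][2] += w
        attrs[o][2] += w
    edges = [(s, a, o, w) for (s, a, o), w in sorted(edge_weight.items())]
    return nodes, edges, attrs


def structure_negative(nodes, edges, rng):
    """Structural negative: keep attributes, but rewire each edge's target to a
    different node so the topology no longer matches the observed log."""
    rewired = []
    for s, a, o, w in edges:
        choices = [n for n in nodes if n not in (s, o)] or [o]
        rewired.append((s, a, rng.choice(choices), w))
    return rewired


def attribute_negative(nodes, attrs, rng):
    """Attribute negative: keep edges, but permute attribute vectors across
    nodes so each node carries another node's features."""
    shuffled = list(nodes)
    rng.shuffle(shuffled)
    return {n: attrs[m] for n, m in zip(nodes, shuffled)}
```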