Abstract: Analyzing the behavior of an attacker is critical for determining the scope of damage of a cyber attack, recovering, and fixing system vulnerabilities. However, finding all of the attacker's traces in log data is a laborious task, and the performance of existing machine learning methods for it is still insufficient. In this work, we focus on the task of detecting all processes that were executed by the attacker. For this task, standard anomaly detection methods such as Isolation Forest perform poorly, because many processes are used by both the attacker and the client user. Therefore, we propose to incorporate prior knowledge about the temporal concentration of the attacker's activity. In general, we expect an attacker to be active only during a relatively small time window (block assumption), rather than at completely random time points. We propose a generative model that allows us to incorporate such prior knowledge effectively. Experiments on intrusion log data show that the proposed method achieves considerably better detection performance than a strong baseline method that also incorporates the block assumption.
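An added illustration of why the block assumption helps, written for this page and not the paper's generative model: a constructed process log (names, timestamps and labels are all made up) is scored once by per-process rarity alone and once by the "most surprising window" rule, and the two flaggings are compared against the constructed ground truth.

```python
import math
from collections import Counter

# Constructed log of (minute, process, is_attacker). The label is ground truth
# used only for evaluation; neither scorer sees it. The attacker's burst reuses
# tools the user also runs (bash, curl) plus one rare tool (nc).
LOG = []
for t in range(0, 600, 15):                       # user active all day, sparsely
    for p in ("bash", "vim", "git"):
        LOG.append((t, p, False))
for t in (60, 240, 420):                          # user runs curl now and then
    LOG.append((t, "curl", False))
for t, p in ((301, "bash"), (304, "curl"), (307, "nc"), (311, "bash"),
             (314, "curl"), (318, "nc"), (322, "bash")):  # attacker burst
    LOG.append((t, p, True))
LOG.sort()

def rarity(log):
    """Per-process surprise -log P(process): a stand-in for an anomaly score."""
    counts = Counter(p for _, p, _ in log)
    return {p: -math.log(c / len(log)) for p, c in counts.items()}

def flag_global(log, threshold=3.0):
    """Baseline: flag an event purely by how rare its process is overall.
    Shared tools (bash) can never be flagged this way."""
    r = rarity(log)
    return [r[p] >= threshold for _, p, _ in log]

def flag_block(log, window=30):
    """Block assumption: attacker events cluster in one short window, so find
    the window whose events carry the most total surprise and flag every
    process executed inside it, shared tools included."""
    r = rarity(log)
    best_start, best_score = 0, -1.0
    for start in range(0, max(t for t, _, _ in log) - window + 1):
        score = sum(r[p] for t, p, _ in log if start <= t < start + window)
        if score > best_score:
            best_start, best_score = start, score
    return [best_start <= t < best_start + window for t, _, _ in log]

def precision_recall(flags, log):
    """Precision and recall of a flag vector against the attacker labels."""
    tp = sum(f and a for f, (_, _, a) in zip(flags, log))
    fp = sum(f and not a for f, (_, _, a) in zip(flags, log))
    fn = sum((not f) and a for f, (_, _, a) in zip(flags, log))
    return (tp / (tp + fp) if tp + fp else 0.0), tp / (tp + fn)

if __name__ == "__main__":
    print("global rarity  (precision, recall):", precision_recall(flag_global(LOG), LOG))
    print("block window   (precision, recall):", precision_recall(flag_block(LOG), LOG))
```

On this constructed log the rarity-only scorer misses every attacker bash event (recall 4/7), while the window rule recovers all seven attacker events at the cost of the six benign events that happen to fall inside the same window.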