System misuse detection via informed behavior clustering and modeling

Linara Adilova, Livin Natious, Siming Chen, Olivier Thonnard, Michael Kamp

Research output: Chapter in Book/Report/Conference proceeding; Conference Paper; Research; peer-review

Abstract

One of the main tasks of cybersecurity is recognizing malicious interactions with an arbitrary system. Currently, the logging information from each interaction can be collected in almost unrestricted amounts, but identification of attacks requires a lot of effort and time of security experts. We propose an approach for identifying fraud activity through modeling normal behavior in interactions with a system via machine learning methods, in particular LSTM neural networks. In order to enrich the modeling with system specific knowledge, we propose to use an interactive visual interface that allows security experts to identify semantically meaningful clusters of interactions. These clusters incorporate domain knowledge and lead to more precise behavior modeling via informed machine learning. We evaluate the proposed approach on a dataset containing logs of interactions with an administrative interface of login and security server. Our empirical results indicate that the informed modeling is capable of capturing normal behavior, which can then be used to detect abnormal behavior.

Original language: English
Title of host publication: Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Workshop Volume
Editors: Matthieu Roy, Yennun Huang
Place of Publication: Piscataway NJ USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 15-23
Number of pages: 9
ISBN (Electronic): 9781728130309
DOI: https://doi.org/10.1109/DSN-W.2019.00011
Publication status: Published - 2019
Externally published: Yes
Event: Workshop on Data-Centric Dependability and Security 2019 - Portland, United States of America
Duration: 24 Jun 2019 to 24 Jun 2019
Conference number: 1st
http://dcds.lasige.di.fc.ul.pt/

Conference

Conference: Workshop on Data-Centric Dependability and Security 2019
Abbreviated title: DCDS 2019
Country: United States of America
City: Portland
Period: 24/06/19 to 24/06/19
Internet address: http://dcds.lasige.di.fc.ul.pt/

Keywords

  • Clustering
  • Cybersecurity
  • Informed ML
  • Knowledge injection
  • Language models
  • Visualization tools

Cite this

Adilova, L., Natious, L., Chen, S., Thonnard, O., & Kamp, M. (2019). System misuse detection via informed behavior clustering and modeling. In M. Roy, & Y. Huang (Eds.), Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Workshop Volume (pp. 15-23). [8806013] Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/DSN-W.2019.00011