Proceedings Article
DOI: 10.1145/3319535.3363224
Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise
Fucheng Liu, Yu Wen, Zhang Dongxue, Xihe Jiang, Xinyu Xing, Dan Meng, +5 more
- 06 Nov 2019
- pp 1777-1794
TL;DR: This work proposes log2vec, a heterogeneous graph embedding based modularized method that remarkably outperforms state-of-the-art approaches, such as deep learning and the hidden Markov model (HMM), and shows its capability to detect malicious events in various attack scenarios.
Abstract: Conventional attacks by insider employees and emerging APTs are both major threats to organizational information systems. Existing detection methods mainly concentrate on users' behavior and usually analyze logs recording their operations in an information system. In general, most of these methods consider the sequential relationship among log entries and model users' sequential behavior. However, they ignore other relationships, which inevitably leads to unsatisfactory performance in various attack scenarios. We propose log2vec, a heterogeneous graph embedding based modularized method. First, it involves a heuristic approach that converts log entries into a heterogeneous graph in light of the diverse relationships among them. Next, it utilizes an improved graph embedding suited to this heterogeneous graph, which automatically represents each log entry as a low-dimensional vector. The third component of log2vec is a practical detection algorithm capable of separating malicious and benign log entries into different clusters and identifying the malicious ones. We implement a prototype of log2vec. Our evaluation demonstrates that log2vec remarkably outperforms state-of-the-art approaches, such as deep learning and the hidden Markov model (HMM). Besides, log2vec shows its capability to detect malicious events in various attack scenarios.
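The three-stage pipeline the abstract describes (log entries to a heterogeneous graph, graph to one vector per entry, vectors to clusters with the small ones flagged) reduced to a runnable sketch. This is an added example, not the paper's code: the three relationship rules (sequential within a user's day, same user and host, same user and hour of day), the per-relation degree vector that stands in for the learned embedding, the leader clustering, and the "small cluster is malicious" rule are all assumptions of this example, and the log lines are constructed. Running it with only the sequential relation enabled shows the point the abstract makes against sequence-only models: the night-time session on an unfamiliar host is invisible until the host and time-of-day relationships are added.

```python
"""Simplified illustration of the log2vec idea (example code, not the paper's).

Log entries become nodes of a heterogeneous graph whose edge types encode
different relationships; each entry is turned into a vector from that graph;
entries that end up in a small cluster are flagged.  The relationship rules,
the hand-crafted vector and the outlier rule are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime
import math

# Constructed sample log (timestamp,user,host,action): three ordinary working
# days, then a 02:xx session on a host the user never touches otherwise.
SAMPLE_LOG = """\
2019-11-04T08:55:00,alice,PC-0101,Logon
2019-11-04T09:10:00,alice,PC-0101,Http
2019-11-04T17:30:00,alice,PC-0101,Logoff
2019-11-05T09:02:00,alice,PC-0101,Logon
2019-11-05T09:40:00,alice,PC-0101,Http
2019-11-05T17:45:00,alice,PC-0101,Logoff
2019-11-06T08:58:00,alice,PC-0101,Logon
2019-11-06T09:55:00,alice,PC-0101,Http
2019-11-06T17:20:00,alice,PC-0101,Logoff
2019-11-07T02:13:00,alice,PC-0777,Logon
2019-11-07T02:20:00,alice,PC-0777,Device
2019-11-07T02:35:00,alice,PC-0777,Logoff
2019-11-07T09:00:00,alice,PC-0101,Logon
2019-11-07T17:35:00,alice,PC-0101,Logoff
"""

REL_SEQ, REL_HOST, REL_HOUR = "seq", "host", "hour"
ALL_RELATIONS = (REL_SEQ, REL_HOST, REL_HOUR)


def parse_log(text):
    """Parse 'timestamp,user,host,action' lines into dicts, keeping input order."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, host, action = line.split(",")
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "host": host, "action": action, "raw": line})
    return entries


def build_graph(entries):
    """Adjacency list: node index -> list of (neighbor index, relation).

    Assumed relationship rules (a simplification, not the paper's rule set):
      seq  - consecutive entries of the same user on the same day
      host - entries of the same user on the same host (any day)
      hour - entries of the same user in the same hour of day (any day)
    """
    adj = defaultdict(list)
    by_user_day, by_user_host, by_user_hour = defaultdict(list), defaultdict(list), defaultdict(list)
    for i, e in enumerate(entries):
        by_user_day[(e["user"], e["time"].date())].append(i)
        by_user_host[(e["user"], e["host"])].append(i)
        by_user_hour[(e["user"], e["time"].hour)].append(i)
    for idxs in by_user_day.values():  # sequential edges, undirected
        idxs.sort(key=lambda i: entries[i]["time"])
        for a, b in zip(idxs, idxs[1:]):
            adj[a].append((b, REL_SEQ))
            adj[b].append((a, REL_SEQ))
    for groups, rel in ((by_user_host, REL_HOST), (by_user_hour, REL_HOUR)):
        for idxs in groups.values():  # clique among entries sharing the attribute
            for a in idxs:
                for b in idxs:
                    if a != b:
                        adj[a].append((b, rel))
    return adj


def embed(adj, n, relations=ALL_RELATIONS):
    """Stand-in for the learned embedding: per-relation degree of each node."""
    vecs = []
    for i in range(n):
        counts = {rel: 0 for rel in relations}
        for _, rel in adj.get(i, []):
            if rel in counts:
                counts[rel] += 1
        vecs.append(tuple(counts[rel] for rel in relations))
    return vecs


def cluster(vecs, radius=4.0):
    """Leader clustering: join the first cluster whose leader is within radius, else open one."""
    leaders, members = [], []
    for i, v in enumerate(vecs):
        for c, lead in enumerate(leaders):
            if math.dist(v, lead) <= radius:
                members[c].append(i)
                break
        else:
            leaders.append(v)
            members.append([i])
    return members


def detect(text, relations=ALL_RELATIONS, radius=4.0, min_share=0.25):
    """Return raw log lines in clusters holding fewer than min_share of all entries."""
    entries = parse_log(text)
    vecs = embed(build_graph(entries), len(entries), relations)
    flagged = []
    for group in cluster(vecs, radius):
        if len(group) < min_share * len(entries):
            flagged.extend(entries[i]["raw"] for i in group)
    return flagged


if __name__ == "__main__":
    print("sequence only :", detect(SAMPLE_LOG, relations=(REL_SEQ,)))
    print("all relations :", detect(SAMPLE_LOG))
```

With only `seq` edges every entry has degree 1 or 2, everything lands in one cluster and nothing is flagged; with `host` and `hour` edges included, the three PC-0777 entries have far fewer host and hour neighbors than the rest, form their own cluster of three, and are reported. The thresholds (`radius`, `min_share`) are tuned to this toy data and would need calibration on real logs.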
Citations
Posted Content
A Survey on Automated Log Analysis for Reliability Engineering.
TL;DR: This survey presents a detailed overview of automated log analysis research, including how to automate and assist the writing of logging statements, how to compress logs, how to parse logs into structured event templates, and how to employ logs to detect anomalies, predict failures, and facilitate diagnosis.
Log-based Anomaly Detection with Deep Learning: How Far Are We?
Van-Hoang Le, Hongyu Zhang, +1 more
- 09 Feb 2022
TL;DR: An in-depth analysis of five state-of-the-art deep learning-based models for detecting system anomalies on four public log datasets, focusing on several aspects of model evaluation, including training data selection, data grouping, class distribution, data noise, and early detection ability.
Posted Content
LogBERT: Log Anomaly Detection via BERT
TL;DR: This paper proposes LogBERT, a self-supervised framework for log anomaly detection based on Bidirectional Encoder Representations from Transformers (BERT), which is able to detect anomalies where the underlying patterns deviate from normal log sequences.
A Survey on Automated Log Analysis for Reliability Engineering
TL;DR: A detailed overview of automated log analysis research can be found in this paper, where the authors present several promising future directions toward real-world and next-generation automated logging analysis, including how to assist the writing of logging statements, how to compress logs and how to parse logs into structured event templates.
References
Detecting Structurally Anomalous Logins Within Enterprise Networks
Hossein Siadati, Nasir Memon, +1 more
- 30 Oct 2017
TL;DR: This work models a network login structure by automatically extracting a collection of login patterns by using a variation of the market-basket algorithm and employs an anomaly detection approach to detect malicious logins that are inconsistent with the enterprise network's login structure.
Alarm Reduction and Correlation in Intrusion Detection Systems
Tobias Chyssler, Stefan Burschka, Michael Semling, Tomas Lingvall, K. Burbeck, +4 more
- 01 Jul 2004
TL;DR: The role of alarm reduction and correlation in existing networks for building more intelligent safeguards that support and complement the decisions by the operator are studied.
Proceedings Article
Multi-defender strategic filtering against spear-phishing attacks
Aron Laszka, Jian Lou, Yevgeniy Vorobeychik, +2 more
- 12 Feb 2016
TL;DR: It is found that while Stackelberg multi-defender equilibrium need not exist, Nash equilibrium always exists, and remarkably, both equilibria are unique and socially optimal.
Long-Span Program Behavior Modeling and Attack Detection
Xiaokui Shu, Danfeng Yao, Naren Ramakrishnan, Trent Jaeger, +3 more
- 20 Sep 2017
TL;DR: This article points out the deficiency of existing program anomaly detection models against new attacks and presents long-span behavior anomaly detection (LAD), a model based on mildly context-sensitive grammar verification that detects all reproduced real-world attacks against sshd, libpcre, and sendmail.
The Target and Other Financial Data Breaches: Frequently Asked Questions
N. E. Weiss, Rena S. Miller, +1 more
- 04 Feb 2015
TL;DR: This report answers some frequently asked questions about the Target and selected other data breaches, including what is known to have happened in the breach, and what costs may result.