Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization

Abstract

As the attack surfaces of large enterprise networks grow, anomaly detection systems based on statistical user behavior analysis play a crucial role in identifying malicious activities. Previous work has shown that link prediction algorithms based on non-negative matrix factorization learn highly accurate predictive models of user actions. However, most statistical link prediction models have been constructed on bipartite graphs, and fail to capture the nuanced, multi-faceted details of a user’s activity profile. This paper establishes a new benchmark for red team event detection on the Los Alamos National Laboratory Unified Host and Network Dataset by applying a tensor factorization model that exploits the multi-dimensional and sparse structure of user authentication logs. We show that learning patterns of normal activity across multiple dimensions in one unified statistical framework yields improved detection of penetration testing events. We further show operational value by developing fusion methods that can identify anomalous users, source devices, and destination devices in the network.
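As an added illustration (not code from the paper), a toy Poisson canonical polyadic factorization of a user × source host × destination host authentication-count tensor, which scores each event by its Poisson likelihood under the learned model of normal activity and sums those scores per user, source and destination as a simple fusion. The multiplicative update rule, the rank, the negative-log-likelihood score, the sum-based fusion and the training counts are all assumptions of this example, not details taken from the paper.

```python
import math
import random

def cp_value(A, B, C, i, j, k):
    """Expected count under the CP model: M_ijk = sum_r A_ir * B_jr * C_kr."""
    return sum(a * b * c for a, b, c in zip(A[i], B[j], C[k]))

def _update(F, G, H, x, eps=1e-9):
    """Multiplicative KL update of F given G, H; x(i, j, k) reads the count in F's index order."""
    def scale(i, r):
        num = den = 0.0
        for j in range(len(G)):
            for k in range(len(H)):
                w = G[j][r] * H[k][r]
                num += x(i, j, k) / (cp_value(F, G, H, i, j, k) + eps) * w
                den += w
        return num / (den + eps)
    # Right-hand side is fully built from the old F before the slice assignment.
    F[:] = [[F[i][r] * scale(i, r) for r in range(len(F[0]))] for i in range(len(F))]

def fit_poisson_cp(X, rank, iters=300, seed=0):
    """Fit non-negative factors A (users), B (sources), C (destinations) to counts X."""
    rng = random.Random(seed)
    A = [[rng.random() + 0.5 for _ in range(rank)] for _ in range(len(X))]
    B = [[rng.random() + 0.5 for _ in range(rank)] for _ in range(len(X[0]))]
    C = [[rng.random() + 0.5 for _ in range(rank)] for _ in range(len(X[0][0]))]
    for _ in range(iters):
        _update(A, B, C, lambda i, j, k: X[i][j][k])
        _update(B, A, C, lambda j, i, k: X[i][j][k])
        _update(C, A, B, lambda k, i, j: X[i][j][k])
    return A, B, C

def event_score(A, B, C, i, j, k, count):
    """Negative log Poisson probability of the observed count; larger = more anomalous."""
    m = cp_value(A, B, C, i, j, k) + 1e-9
    return m - count * math.log(m) + math.lgamma(count + 1)

def entity_scores(A, B, C, Y, mode):
    """Fuse event scores onto one mode (0=user, 1=source, 2=destination) by summing."""
    scores = [0.0] * (len(Y), len(Y[0]), len(Y[0][0]))[mode]
    for i in range(len(Y)):
        for j in range(len(Y[0])):
            for k in range(len(Y[0][0])):
                scores[(i, j, k)[mode]] += event_score(A, B, C, i, j, k, Y[i][j][k])
    return scores

# Constructed training data (assumed): user i authenticates only from host i to hosts i and i+1.
X = [[[12.0 if j == i and k in (i, (i + 1) % 3) else 0.0 for k in range(3)] for j in range(3)]
     for i in range(3)]
```

Scoring a new observation window with `entity_scores` ranks the user, source host and destination host whose events are least probable under the learned normal-activity model.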

Publication
In IEEE International Conference on Intelligence and Security Informatics (ISI), 2020

Keywords:

anomaly detection, Poisson tensor factorization, cyber security, canonical polyadic decomposition

Citation:

M. E. Eren, J. S. Moore and B. S. Alexandrov, “Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization,” 2020 IEEE International Conference on Intelligence and Security Informatics (ISI), 2020, pp. 1-6, doi: 10.1109/ISI49825.2020.9280524.

BibTeX:

@INPROCEEDINGS{9280524,
  author={M. E. {Eren} and J. S. {Moore} and B. S. {Alexandrov}},
  booktitle={2020 IEEE International Conference on Intelligence and Security Informatics (ISI)},
  title={Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization},
  year={2020},
  volume={},
  number={},
  pages={1-6},
  doi={10.1109/ISI49825.2020.9280524}}
Maksim E. Eren
Scientist

My research interests lie at the intersection of the machine learning and cybersecurity disciplines, with a concentration in tensor decomposition.