DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring

Alexandre Dey; Eric Totel; Benjamin Costé

doi:10.1007/978-3-031-06975-8_4

DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring

Alexandre Dey
, Eric Totel
, Benjamin Costé

IRISA
Airbus Cyber Security

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

Résumé

The slow adoption rate of machine learning-based methods for novel attack detection by Security Operation Centers (SOC) analysts can be partly explained by their lack of data science expertise and the insufficient explainability of the results provided by these approaches. In this paper, we present an anomaly-based detection method that fuses events coming from heterogeneous sources into sets describing the same phenomenons and relies on a deep auto-encoder model to highlight anomalies and their context. To implicate security analysts and benefit from their expertise, we focus on limiting the need of data science knowledge during the configuration phase. Results on a lab environment, monitored using off-the-shelf tools, show good detection performances on several attack scenarios (F1 score ≈ 0.9 ), and eases the investigation of anomalies by quickly finding similar anomalies through clustering.

langue originale	Anglais
titre	ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings
rédacteurs en chef	Weizhi Meng, Simone Fischer-Hübner, Christian D. Jensen
Editeur	Springer Science and Business Media Deutschland GmbH
Pages	53-69
Nombre de pages	17
ISBN (imprimé)	9783031069741
Les DOIs	https://doi.org/10.1007/978-3-031-06975-8_4
état	Publié - 1 janv. 2022
Evénement	37th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2022 - Copenhagen, Danemark Durée: 13 juin 2022 → 15 juin 2022

Série de publications

Nom	IFIP Advances in Information and Communication Technology
Volume	648 IFIP
ISSN (imprimé)	1868-4238
ISSN (Electronique)	1868-422X

Une conférence

Une conférence	37th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2022
Pays/Territoire	Danemark
La ville	Copenhagen
période	13/06/22 → 15/06/22

Accès au document

10.1007/978-3-031-06975-8_4

Autres fichiers et liens

Lien vers la publication dans Scopus

Contient cette citation

Dey, A., Totel, E., & Costé, B. (2022). DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring. Dans W. Meng, S. Fischer-Hübner, & C. D. Jensen (eds.), ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings (p. 53-69). (IFIP Advances in Information and Communication Technology; Vol 648 IFIP). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-06975-8_4

Dey, Alexandre ; Totel, Eric ; Costé, Benjamin. / DAEMON : Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring. ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings. Editeur / Weizhi Meng ; Simone Fischer-Hübner ; Christian D. Jensen. Springer Science and Business Media Deutschland GmbH, 2022. p. 53-69 (IFIP Advances in Information and Communication Technology).

@inproceedings{7d8605945c8741d285d1c338d8defbd5,

title = "DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring",

abstract = "The slow adoption rate of machine learning-based methods for novel attack detection by Security Operation Centers (SOC) analysts can be partly explained by their lack of data science expertise and the insufficient explainability of the results provided by these approaches. In this paper, we present an anomaly-based detection method that fuses events coming from heterogeneous sources into sets describing the same phenomenons and relies on a deep auto-encoder model to highlight anomalies and their context. To implicate security analysts and benefit from their expertise, we focus on limiting the need of data science knowledge during the configuration phase. Results on a lab environment, monitored using off-the-shelf tools, show good detection performances on several attack scenarios (F1 score ≈ 0.9 ), and eases the investigation of anomalies by quickly finding similar anomalies through clustering.",

keywords = "Anomaly detection, Heterogeneous log analysis, Human-automation cooperation, Intrusion detection, Machine learning",

author = "Alexandre Dey and Eric Totel and Benjamin Cost{\'e}",

note = "Publisher Copyright: {\textcopyright} 2022, IFIP International Federation for Information Processing.; 37th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2022 ; Conference date: 13-06-2022 Through 15-06-2022",

year = "2022",

month = jan,

day = "1",

doi = "10.1007/978-3-031-06975-8\_4",

language = "English",

isbn = "9783031069741",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "53--69",

editor = "Weizhi Meng and Simone Fischer-H{\"u}bner and Jensen, \{Christian D.\}",

booktitle = "ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings",

}

Dey, A, Totel, E & Costé, B 2022, DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring. Dans W Meng, S Fischer-Hübner & CD Jensen (eds), ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings. IFIP Advances in Information and Communication Technology, VOL. 648 IFIP, Springer Science and Business Media Deutschland GmbH, p. 53-69, 37th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2022, Copenhagen, Danemark, 13/06/22. https://doi.org/10.1007/978-3-031-06975-8_4

DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring. / Dey, Alexandre; Totel, Eric; Costé, Benjamin.
ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings. Ed. / Weizhi Meng; Simone Fischer-Hübner; Christian D. Jensen. Springer Science and Business Media Deutschland GmbH, 2022. p. 53-69 (IFIP Advances in Information and Communication Technology; Vol 648 IFIP).

Résultats de recherche: Le chapitre dans un livre, un rapport, une anthologie ou une collection › Contribution à une conférence › Revue par des pairs

TY - GEN

T1 - DAEMON

T2 - 37th IFIP International Conference on ICT Systems Security and Privacy Protection, SEC 2022

AU - Dey, Alexandre

AU - Totel, Eric

AU - Costé, Benjamin

PY - 2022/1/1

Y1 - 2022/1/1

N2 - The slow adoption rate of machine learning-based methods for novel attack detection by Security Operation Centers (SOC) analysts can be partly explained by their lack of data science expertise and the insufficient explainability of the results provided by these approaches. In this paper, we present an anomaly-based detection method that fuses events coming from heterogeneous sources into sets describing the same phenomenons and relies on a deep auto-encoder model to highlight anomalies and their context. To implicate security analysts and benefit from their expertise, we focus on limiting the need of data science knowledge during the configuration phase. Results on a lab environment, monitored using off-the-shelf tools, show good detection performances on several attack scenarios (F1 score ≈ 0.9 ), and eases the investigation of anomalies by quickly finding similar anomalies through clustering.

AB - The slow adoption rate of machine learning-based methods for novel attack detection by Security Operation Centers (SOC) analysts can be partly explained by their lack of data science expertise and the insufficient explainability of the results provided by these approaches. In this paper, we present an anomaly-based detection method that fuses events coming from heterogeneous sources into sets describing the same phenomenons and relies on a deep auto-encoder model to highlight anomalies and their context. To implicate security analysts and benefit from their expertise, we focus on limiting the need of data science knowledge during the configuration phase. Results on a lab environment, monitored using off-the-shelf tools, show good detection performances on several attack scenarios (F1 score ≈ 0.9 ), and eases the investigation of anomalies by quickly finding similar anomalies through clustering.

KW - Anomaly detection

KW - Heterogeneous log analysis

KW - Human-automation cooperation

KW - Intrusion detection

KW - Machine learning

UR - https://www.scopus.com/pages/publications/85132889457

U2 - 10.1007/978-3-031-06975-8_4

DO - 10.1007/978-3-031-06975-8_4

M3 - Conference contribution

AN - SCOPUS:85132889457

SN - 9783031069741

T3 - IFIP Advances in Information and Communication Technology

SP - 53

EP - 69

BT - ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings

A2 - Meng, Weizhi

A2 - Fischer-Hübner, Simone

A2 - Jensen, Christian D.

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 13 June 2022 through 15 June 2022

ER -

Dey A, Totel E, Costé B. DAEMON: Dynamic Auto-encoders for Contextualised Anomaly Detection Applied to Security MONitoring. Dans Meng W, Fischer-Hübner S, Jensen CD, rédacteurs en chef, ICT Systems Security and Privacy Protection - 37th IFIP TC 11 International Conference, SEC 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 53-69. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-031-06975-8_4