General-purpose Unsupervised Cyber Anomaly Detection via Non-negative Tensor Factorization
- Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
- Amazon (United States)
Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behavior analysis yields accurate detections by learning behavior profiles from observed user activity. These unsupervised models are able to generalize to unseen types of attacks by detecting deviations from normal behavior, without knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. Non-negative tensor factorization, on the other hand, is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behavior profiles. Herein, our new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detection of compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions.
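The abstract describes the method in outline: fit a low-rank non-negative (Poisson) CP decomposition to a multi-way count tensor of activity, treat the reconstruction as the model of normal behaviour, and flag cells the model cannot explain. The block below is an added worked example of that idea and is not the paper's code or data: it fits a rank-R Poisson CP decomposition to a constructed users x hosts x hour-buckets logon-count tensor with plain multiplicative updates (a compact stand-in for CP-APR, assumed here rather than taken from the paper), then scores every cell by its negative log Poisson likelihood under the fitted rates. The tensor, the planted burst of 30 logons, and all variable names are constructed for the example.

```python
import math
import random

# Added example, not the paper's code: Poisson non-negative CP decomposition of a
# 3-way count tensor, fitted by multiplicative updates, with each cell scored by
# its surprise under the fitted low-rank model of "normal" behaviour.


def build_sample_tensor():
    """Constructed sample: X[user][host][hour_bucket] = logon counts.

    The bulk is exactly rank-1 (user activity x host popularity x time-of-day),
    then one cell is overwritten with a burst of 30 logons from user 1 to host 2
    in bucket 0, where the baseline rate is 1. That cell is the planted anomaly."""
    user_rate = [2, 1, 3, 1]
    host_pop = [1, 2, 1, 1]
    hour_level = [1, 2, 1]
    X = [[[u * h * t for t in hour_level] for h in host_pop] for u in user_rate]
    anomaly = (1, 2, 0)
    X[1][2][0] = 30
    return X, anomaly


def cp_rate(A, B, C, i, j, k):
    """Poisson rate the fitted rank-R model assigns to cell (i, j, k)."""
    return sum(A[i][r] * B[j][r] * C[k][r] for r in range(len(A[0])))


def _update_mode(F, G, H, x_at, eps):
    """Multiplicative (KL/Poisson) update of factor F with G and H held fixed:
    F[i][r] *= sum_{j,k} (x/m) G[j][r] H[k][r] / sum_{j,k} G[j][r] H[k][r].
    x_at(i, j, k) returns the tensor entry with i indexing F's rows."""
    R = len(F[0])
    new_F = []
    for i in range(len(F)):
        row = []
        for r in range(R):
            num = den = 0.0
            for j in range(len(G)):
                for k in range(len(H)):
                    m = sum(F[i][s] * G[j][s] * H[k][s] for s in range(R)) + eps
                    w = G[j][r] * H[k][r]
                    num += x_at(i, j, k) / m * w
                    den += w
            row.append(F[i][r] * num / (den + eps))
        new_F.append(row)
    return new_F


def fit_poisson_cp(X, rank, iters=200, seed=0, eps=1e-9):
    """Fit A (I x R), B (J x R), C (K x R) so that sum_r A[i][r]B[j][r]C[k][r]
    approximates X under a Poisson likelihood. Assumption: seeded random
    initialisation and plain multiplicative updates stand in for CP-APR."""
    rng = random.Random(seed)
    I, J, K = len(X), len(X[0]), len(X[0][0])
    A = [[rng.uniform(0.5, 1.5) for _ in range(rank)] for _ in range(I)]
    B = [[rng.uniform(0.5, 1.5) for _ in range(rank)] for _ in range(J)]
    C = [[rng.uniform(0.5, 1.5) for _ in range(rank)] for _ in range(K)]
    for _ in range(iters):
        A = _update_mode(A, B, C, lambda i, j, k: X[i][j][k], eps)
        B = _update_mode(B, A, C, lambda j, i, k: X[i][j][k], eps)
        C = _update_mode(C, A, B, lambda k, i, j: X[i][j][k], eps)
    return A, B, C


def anomaly_scores(X, A, B, C):
    """Per-cell -log P(x | m) = m - x log m + log x!, the surprise of observing
    count x when the fitted model expects rate m."""
    scores = {}
    for i in range(len(X)):
        for j in range(len(X[0])):
            for k in range(len(X[0][0])):
                m = cp_rate(A, B, C, i, j, k)
                x = X[i][j][k]
                scores[(i, j, k)] = m - x * math.log(m) + math.lgamma(x + 1)
    return scores


def detect(X, rank=1, top_n=3):
    """Fit the model and return the top_n highest-scoring cells, most anomalous first."""
    A, B, C = fit_poisson_cp(X, rank)
    scores = anomaly_scores(X, A, B, C)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


if __name__ == "__main__":
    X, planted = build_sample_tensor()
    for cell, score in detect(X):
        flag = "  <-- planted burst" if cell == planted else ""
        print(f"user={cell[0]} host={cell[1]} hour={cell[2]} score={score:6.2f}{flag}")
```

The rank is the knob that matters: with rank=1 the burst cannot be absorbed into the model and scores far above every other cell, whereas raising the rank far enough lets a spare component fit the burst exactly, at which point it looks normal. Rank selection is therefore part of the detector, not a tuning afterthought, and the same check (does a rare event vanish into the reconstruction?) is worth running before trusting any factorization-based anomaly score on production data.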
- Research Organization:
- Los Alamos National Laboratory (LANL), Los Alamos, NM (United States)
- Sponsoring Organization:
- USDOE Laboratory Directed Research and Development (LDRD) Program; USDOE National Nuclear Security Administration (NNSA)
- Grant/Contract Number:
- 89233218CNA000001; 20190020DR; 20210043DR
- OSTI ID:
- 2282529
- Alternate ID(s):
- OSTI ID: 1889984
- Report Number(s):
- LA-UR-21-29195; LA-UR-22-21176
- Journal Information:
- Digital Threats: Research and Practice, Vol. 4, Issue 1; ISSN 2692-1626
- Publisher:
- Association for Computing Machinery (ACM)
- Country of Publication:
- United States
- Language:
- English
Related Subjects
computing methodologies → anomaly detection
factorization methods
security and privacy → intrusion detection systems
anomaly detection
poisson tensor factorization
non-negative tensor factorization
unsupervised learning
cyber security
CPD
malware
data fusion
ensemble learning
GPU