Recurrent Neural Network Language Models for Open Vocabulary Event-Level Cyber Anomaly Detection

Tuor, Aaron R.; Baerwolf, Ryan; Knowles, Nicholas; Hutchinson, Brian J.; Nichols, Nicole M.; Jasper, Robert J.

Title: Recurrent Neural Network Language Models for Open Vocabulary Event-Level Cyber Anomaly Detection

Conference · Thu Feb 01 00:00:00 EST 2018

OSTI ID:1529391

Tuor, Aaron R. ^[1]; Baerwolf, Ryan ^[2]; Knowles, Nicholas ^[2]; Hutchinson, Brian J. ^[3]; Nichols, Nicole M. ^[1]; Jasper, Robert J. ^[1]

BATTELLE (PACIFIC NW LAB)
Western Washington University
WESTERN WASHINGTON UNIVERSITY

Automated analysis methods are crucial aids for monitoring and defending a network to protect the sensitive or confidential data it hosts. This work introduces a flexible, powerful, and unsupervised approach to detecting anomalous behavior in computer and network logs; one that largely eliminates domain-dependent feature engineering employed by existing methods. By treating system logs as threads of interleaved ``sentences'' (event log lines) to train online unsupervised neural network language models, our approach provides an adaptive model of normal network behavior. We compare the effectiveness of both standard and bidirectional recurrent neural network language models at detecting malicious activity within network log data. Extending these models, we introduce a tiered recurrent architecture, which provides context by modeling sequences of users' actions over time. Compared to isolation forests and Principal Components Analysis (PCA), two popular anomaly detection algorithms, we observe superior performance on the Los Alamos National Laboratory Cyber Security dataset. For log-line-level predictions, our best performing character-based model provides test set anomaly scores ranking red team events in the 98th percentile on average, and yields 0.97 area under the receiver operator characteristic curve, demonstrating the strong fine-grained anomaly detection performance of this approach on open vocabulary logging sources.

OSTI does not have a digital full text copy available. For more information, please see document availability, search WorldCat, or search Google Scholar.

Cite

Export

Save

Research Organization:: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)

Sponsoring Organization:: USDOE

DOE Contract Number:: AC05-76RL01830

OSTI ID:: 1529391

Report Number(s):: PNNL-SA-130482

Resource Relation:: Conference: Proceedings of the 32nd AAAI Conference on Artificial Intelligence, Workshop for Artificial Intelligence for Cyber Security (AICS 2018), February 2-7, 2018, New Orleans, LA

Country of Publication:: United States

Language:: English

Similar Records

Deep Learning for Unsupervised Insider Threat Detection in Structured Cyber Security Data Streams

Conference · Sat Feb 17 00:00:00 EST 2018 · OSTI ID:1529391

Tuor, Aaron R.; Kaplan, Samuel P.; Hutchinson, Brian J.; +2 more

Optimal vocabulary selection approaches for privacy-preserving deep NLP model training for information extraction and cancer epidemiology

Journal Article · Mon Feb 14 00:00:00 EST 2022 · Cancer Biomarkers · OSTI ID:1529391

Yoon, Hong-Jun; Stanley, Christopher B.; Christian, J. Blair; +11 more

Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams

Conference · Wed Feb 01 00:00:00 EST 2017 · OSTI ID:1529391

Tuor, Aaron R.; Kaplan, Samuel P.; Hutchinson, Brian J.; +2 more

Related Subjects

Cyber Analysis
Deep Learning
language analysis
machine learning
natural language processing
language modeling
Long Short Term Memory

Title: Recurrent Neural Network Language Models for Open Vocabulary Event-Level Cyber Anomaly Detection

Citation Formats

Similar Records

Related Subjects