ANOMALOUS USER ACCOUNT DETECTION SYSTEMS AND METHODS

Issa M Khalil (Inventor), Ting Yu (Inventor), Eui J Choo (Inventor), Lun-Pin Yuan (Inventor), Sencun Zhu (Inventor)

Research output: Patent

Abstract

Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list.

Original language: English
Patent number: US2022286472
IPC: H04L 9/ 40 A I
Priority date: 3/03/22
Publication status: Published - 8 Sept 2022
