DOI: 10.1145/3132847.3132854 (research article, ACM CIKM conference proceedings)

Efficient Discovery of Abnormal Event Sequences in Enterprise Security Systems

Published: 06 November 2017

Abstract

An intrusion detection system (IDS) is an important part of an enterprise security architecture. In particular, anomaly-based IDSs have been widely applied to detect single abnormal process events that deviate from the majority. However, an intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify the process events that are truly involved in a real malicious activity, especially given the massive number of 'noisy' events filling the event sequences. Hence, existing work that focuses on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection, suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it into a real-world enterprise security system, where it greatly helps detect advanced threats and optimize incident response. Executing GID on both static and streaming data shows that GID is efficient (it processes about 2 million records per minute) and accurate for intrusion detection.

Published In

CIKM '17: Proceedings of the 2017 ACM on Conference on Information and Knowledge Management
November 2017
2604 pages
ISBN: 9781450349185
DOI: 10.1145/3132847

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. enterprise security system
  3. graph modeling
  4. intrusion detection

Conference

CIKM '17

Acceptance Rates

CIKM '17 Paper Acceptance Rate 171 of 855 submissions, 20%;
Overall Acceptance Rate 1,861 of 8,427 submissions, 22%
