DOI: 10.1145/3433210.3453098 (ASIA CCS conference proceedings, research article)

Recompose Event Sequences vs. Predict Next Events: A Novel Anomaly Detection Approach for Discrete Event Logs

Published: 04 June 2021

Abstract

One of the most challenging problems in the field of intrusion detection is anomaly detection for discrete event logs. While most earlier work focused on applying unsupervised learning to engineered features, recent work has started to address this challenge by applying deep learning to abstractions of discrete event entries. Inspired by natural language processing, LSTM-based anomaly detection models were proposed. They try to predict upcoming events, and raise an anomaly alert when a prediction fails to meet a certain criterion. However, such a predict-next-event methodology has a fundamental limitation: event predictions may not be able to fully exploit the distinctive characteristics of sequences. This limitation leads to high false positives (FPs). It is also critical to examine the structure of sequences and the bi-directional causality among individual events. To this end, we propose a new methodology: recomposing event sequences as anomaly detection. We propose DabLog, an LSTM-based Deep Autoencoder-Based anomaly detection method for discrete event Logs. The fundamental difference is that, rather than predicting upcoming events, our approach determines whether a sequence is normal or abnormal by analyzing (encoding) and reconstructing (decoding) the given sequence. Our evaluation results show that our new methodology can significantly reduce the number of FPs, hence achieving a higher F1 score.
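To make the two decision rules in the abstract concrete, the following is an added example; it is not code from the paper or from DabLog. It contrasts a predict-next-event rule (the sequence is flagged as soon as one actual event falls outside the top-k predicted candidates) with a recompose-the-sequence rule (the whole sequence gets one reconstruction score, thresholded against normal data) on a constructed event log. To stay dependency-free, both rules are driven by bigram transition counts standing in for an LSTM, and the reconstruction score is a bidirectional bigram negative log-likelihood standing in for an autoencoder's reconstruction error; the model class, the function names (`predict_next_is_anomaly`, `recompose_is_anomaly`, `fit_threshold`, `compare`), the smoothing constant and the sample sequences are all assumptions of this example.

```python
"""Added example (not from the paper): predict-next-event vs. recompose-the-sequence
decision rules for discrete-event-log anomaly detection, on a constructed log.

Assumption: bigram counts replace the LSTM, and a bidirectional bigram
negative log-likelihood replaces the autoencoder's reconstruction error.
"""
from collections import Counter, defaultdict
import math

UNK = 0  # slot for event keys never seen in training

# Constructed training log: event keys are integers (log-template ids).
# Workflow 1-2-3-4-5 is common; 1-2-3-6-5 is a rare but legitimate variant.
TRAIN = [[1, 2, 3, 4, 5]] * 8 + [[1, 2, 3, 6, 5]] * 2


class BigramModel:
    """Forward and backward transition counts over adjacent event pairs."""

    def __init__(self, sequences, alpha=0.1):
        self.alpha = alpha
        self.fwd = defaultdict(Counter)   # fwd[prev][next]
        self.bwd = defaultdict(Counter)   # bwd[next][prev]
        self.vocab = {UNK}
        for seq in sequences:
            self.vocab.update(seq)
            for a, b in zip(seq, seq[1:]):
                self.fwd[a][b] += 1
                self.bwd[b][a] += 1

    def _key(self, e):
        return e if e in self.vocab else UNK

    def _prob(self, table, ctx, target):
        # Additive smoothing: unseen transitions get a small, non-zero probability.
        counts = table[self._key(ctx)]
        total = sum(counts.values())
        return (counts[self._key(target)] + self.alpha) / (total + self.alpha * len(self.vocab))

    def top_k_next(self, prev, k):
        return {e for e, _ in self.fwd[self._key(prev)].most_common(k)}

    def reconstruction_score(self, seq):
        """Mean negative log-likelihood of each event given BOTH of its neighbours."""
        terms = []
        for i, e in enumerate(seq):
            if i > 0:
                terms.append(-math.log(self._prob(self.fwd, seq[i - 1], e)))
            if i < len(seq) - 1:
                terms.append(-math.log(self._prob(self.bwd, seq[i + 1], e)))
        return sum(terms) / len(terms) if terms else 0.0


def predict_next_is_anomaly(model, seq, k=1):
    """Rule 1: flag as soon as one event is outside the top-k forecast for its position."""
    return any(e not in model.top_k_next(prev, k) for prev, e in zip(seq, seq[1:]))


def recompose_is_anomaly(model, seq, threshold):
    """Rule 2: flag only if the whole-sequence reconstruction score exceeds the threshold."""
    return model.reconstruction_score(seq) > threshold


def fit_threshold(model, sequences):
    """Largest score seen on normal training data; anything above it is abnormal."""
    return max(model.reconstruction_score(s) for s in sequences)


def f1_and_fp(verdicts, labels):
    """Return (F1 score, number of false positives) for boolean verdicts vs. labels."""
    tp = sum(v and l for v, l in zip(verdicts, labels))
    fp = sum(v and not l for v, l in zip(verdicts, labels))
    fn = sum((not v) and l for v, l in zip(verdicts, labels))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return f1, fp


# Constructed test set: (sequence, is_abnormal)
TEST = [
    ([1, 2, 3, 4, 5], False),
    ([1, 2, 3, 6, 5], False),   # rare legitimate variant: a classic FP for rule 1
    ([1, 2, 4, 3, 5], True),    # steps out of order
    ([1, 2, 3, 7, 5], True),    # event key never seen in training
    ([1, 3, 3, 4, 5], True),    # step skipped and another repeated
]


def compare(train=TRAIN, test=TEST, k=1):
    """Score both rules on the test set; returns {rule: (f1, false_positives)}."""
    model = BigramModel(train)
    thr = fit_threshold(model, train)
    labels = [lab for _, lab in test]
    v1 = [predict_next_is_anomaly(model, s, k) for s, _ in test]
    v2 = [recompose_is_anomaly(model, s, thr) for s, _ in test]
    return {"predict_next": f1_and_fp(v1, labels), "recompose": f1_and_fp(v2, labels)}


if __name__ == "__main__":
    for name, (f1, fp) in compare().items():
        print(f"{name:13s} F1={f1:.3f} FPs={fp}")
```

With k=1 the predict-next rule flags the rare variant 1-2-3-6-5 because 6 is not the single most likely successor of 3, which costs one false positive on a legitimate sequence; the sequence-level rule scores that variant no worse than it scored during training and leaves it alone, while the three abnormal sequences contain transitions never seen in training and score far above the threshold. Raising k would remove that particular FP but also widens what rule 1 accepts at every position, which is the trade-off the abstract's argument about sequence-level structure is pointing at.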

Supplementary Material

MP4 File (dablog_2021-04-28 13-00-29.mp4)
Presentation Video for paper Recompose Event Sequences vs. Predict Next Events: A Novel Anomaly Detection Approach for Discrete Event Logs




    Published In

    ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
    May 2021, 975 pages
    ISBN: 9781450382878
    DOI: 10.1145/3433210
    General Chairs: Jiannong Cao, Man Ho Au
    Program Chairs: Zhiqiang Lin, Moti Yung
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. anomaly detection
    2. computer security
    3. machine learning

    Qualifiers

    • Research article

    Conference

    ASIA CCS '21

    Acceptance Rates

    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 63
    • Downloads (last 6 weeks): 15
    Reflects downloads up to 25 Dec 2024

    Cited By

    • (2024) LogFiT: Log Anomaly Detection Using Fine-Tuned Language Models. IEEE Transactions on Network and Service Management 21(2):1715-1723. DOI: 10.1109/TNSM.2024.3358730. Online publication date: Apr 2024.
    • (2024) Bad Design Smells in Benchmark NIDS Datasets. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), 658-675. DOI: 10.1109/EuroSP60621.2024.00042. Online publication date: 8 Jul 2024.
    • (2024) Landscape and Taxonomy of Online Parser-Supported Log Anomaly Detection Methods. IEEE Access 12:78193-78218. DOI: 10.1109/ACCESS.2024.3387287. Online publication date: 2024.
    • (2023) Boosted CSIRT with AI powered open source framework. 2023 JNIC Cybersecurity Conference (JNIC), 1-8. DOI: 10.23919/JNIC58574.2023.10205787. Online publication date: 21 Jun 2023.
    • (2023) ADSeq-5GCN: Anomaly Detection from Network Traffic Sequences in 5G Core Network Control Plane. 2023 IEEE 24th International Conference on High Performance Switching and Routing (HPSR), 75-82. DOI: 10.1109/HPSR57248.2023.10147931. Online publication date: 5 Jun 2023.
    • (2023) SoK: Pragmatic Assessment of Machine Learning for Network Intrusion Detection. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), 592-614. DOI: 10.1109/EuroSP57164.2023.00042. Online publication date: Jul 2023.
    • (2023) Improving event log quality using autoencoders and performing quantitative analysis with conformance checking. 2023 13th International Conference on Cloud Computing, Data Science & Engineering (Confluence), 598-604. DOI: 10.1109/Confluence56041.2023.10048805. Online publication date: 19 Jan 2023.
    • (2023) TAElog: A Novel Transformer AutoEncoder-Based Log Anomaly Detection Method. Information Security and Cryptology, 37-52. DOI: 10.1007/978-981-97-0945-8_3. Online publication date: 9 Dec 2023.
    • (2022) Memory-Augmented Insider Threat Detection with Temporal-Spatial Fusion. Security and Communication Networks 2022. DOI: 10.1155/2022/6418420. Online publication date: 1 Jan 2022.
    • (2022) MADDC: Multi-Scale Anomaly Detection, Diagnosis and Correction for Discrete Event Logs. Proceedings of the 38th Annual Computer Security Applications Conference, 769-784. DOI: 10.1145/3564625.3567972. Online publication date: 5 Dec 2022.
