DOI: 10.1145/3589335.3648325
research-article

A Graph-based Framework for Reducing False Positives in Authentication Alerts in Security Systems

Published: 13 May 2024
  • Abstract

    The high false positive (FP) rate of authentication alerts remains a prominent challenge in cybersecurity. We identify two problems that cause this issue and that are unaddressed in existing learning-based anomaly detection methods. First, in industrial applications, ground-truth labels for malicious authentication events are extremely scarce. Therefore, learning-based methods must optimize their procedures for auto-generating high-quality training instances, an aspect that existing works have overlooked. Second, every existing model is based on a single form of data representation, either stream or graph snapshot, which may not be expressive enough to identify heterogeneity in the behaviors of networked entities. This results in misclassifying a legitimate but differently-behaved authentication event as an anomalous one. We address these problems by proposing a new framework based on self-supervised link prediction on dynamic authentication networks, with two highlighted features: (1) our framework is based on the unification of the two most popular views of dynamic interconnected systems, graph snapshots and link streams, ensuring the best coverage of behavioral heterogeneity; (2) to generate high-quality training samples, we propose a carefully designed negative sampling procedure called filtered rewiring, which ensures that the negative samples used for training are both truly negative and instructive. We validate our framework on 4 months of authentication data of 125 randomly selected, real organizations that subscribe to Microsoft's defense services.
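
An illustration of the negative-sampling idea in the abstract, added here and not taken from the paper. The abstract does not say how filtered rewiring works, so the two filters below (the rewired pair is never observed; the new destination is used by at least `min_dst_degree` accounts), the function name and the sample events are all assumptions.

```python
import random
from collections import defaultdict

# Constructed sample events: (timestamp, source account, destination host).
EVENTS = [
    (1, "alice", "mail01"), (2, "alice", "file01"), (3, "bob", "mail01"),
    (4, "bob", "build01"), (5, "carol", "file01"), (6, "carol", "mail01"),
    (7, "svc_backup", "file01"), (8, "svc_backup", "build01"),
    (9, "alice", "mail01"), (10, "dave", "hr01"),
]


def filtered_rewire(events, per_event=1, min_dst_degree=2, seed=0):
    """Build negative (t, src, dst') samples by rewiring each event's destination.

    Assumed filters (not from the paper):
      1. truly negative: (src, dst') never occurs anywhere in `events`;
      2. instructive: dst' is used by >= min_dst_degree distinct accounts,
         so the negative is a plausible target, not a near-isolated host.
    """
    rng = random.Random(seed)
    observed = {(s, d) for _, s, d in events}
    users_of = defaultdict(set)
    for _, s, d in events:
        users_of[d].add(s)
    candidates = sorted(d for d, u in users_of.items() if len(u) >= min_dst_degree)

    negatives = []
    for t, s, _ in events:
        # Keep only destinations this account has never authenticated to.
        pool = [c for c in candidates if (s, c) not in observed]
        rng.shuffle(pool)
        negatives.extend((t, s, c) for c in pool[:per_event])
    return negatives


if __name__ == "__main__":
    for neg in filtered_rewire(EVENTS):
        print(neg)
```

Unfiltered random rewiring would occasionally emit a pair such as ("alice", "file01") that is in fact legitimate, which trains the link predictor to flag normal behavior and feeds the false-positive problem the abstract describes.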


    Published In

    WWW '24: Companion Proceedings of the ACM on Web Conference 2024
    May 2024
    1928 pages
    ISBN:9798400701726
    DOI:10.1145/3589335
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. anomaly detection
    2. cybersecurity
    3. link prediction
    4. temporal graphs

    Qualifiers

    • Research-article

    Conference

    WWW '24
    WWW '24: The ACM Web Conference 2024
    May 13 - 17, 2024
    Singapore, Singapore

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
