Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization

Thumbnail Image

Files

09280524.pdf (2.42 MB)

Links to Files

https://ieeexplore.ieee.org/abstract/document/9280524

Permanent Link

https://doi.org/10.1109/ISI49825.2020.9280524
 http://hdl.handle.net/11603/20287

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Student Collection

Author/Creator

Author/Creator ORCID

Date

2020-12-08

Type of Work

conference papers and proceedings
Text

Department

Program

Citation of Original Publication

Eren, Maksim E.; Moore, Juston S.; Alexandro, Boian S.; Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization; 2020 IEEE International Conference on Intelligence and Security Informatics (ISI); https://ieeexplore.ieee.org/abstract/document/9280524

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Public Domain Mark 1.0
This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law.

Subjects

Abstract

As the attack surfaces of large enterprise networks grow, anomaly detection systems based on statistical user behavior analysis play a crucial role in identifying malicious activities. Previous work has shown that link prediction algorithms based on non-negative matrix factorization learn highly accurate predictive models of user actions. However, most statistical link prediction models have been constructed on bipartite graphs, and fail to capture the nuanced, multi-faceted details of a user’s activity profile. This paper establishes a new benchmark for red team event detection on the Los Alamos National Laboratory Unified Host and Network Dataset by applying a tensor factorization model that exploits the multi-dimensional and sparse structure of user authentication logs. We show that learning patterns of normal activity across multiple dimensions in one unified statistical framework yields improved detection of penetration testing events. We further show operational value by developing fusion methods that can identify anomalous users, source devices, and destination devices in the network.