Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization
| dc.contributor.author | Eren, Maksim E. | |
| dc.contributor.author | Moore, Juston S. | |
| dc.contributor.author | Alexandro, Boian S. | |
| dc.date.accessioned | 2021-01-04T21:38:01Z | |
| dc.date.available | 2021-01-04T21:38:01Z | |
| dc.date.issued | 2020-12-08 | |
| dc.description | 2020 IEEE International Conference on Intelligence and Security Informatics (ISI) | en_US |
| dc.description.abstract | As the attack surfaces of large enterprise networks grow, anomaly detection systems based on statistical user behavior analysis play a crucial role in identifying malicious activities. Previous work has shown that link prediction algorithms based on non-negative matrix factorization learn highly accurate predictive models of user actions. However, most statistical link prediction models have been constructed on bipartite graphs, and fail to capture the nuanced, multi-faceted details of a user’s activity profile. This paper establishes a new benchmark for red team event detection on the Los Alamos National Laboratory Unified Host and Network Dataset by applying a tensor factorization model that exploits the multi-dimensional and sparse structure of user authentication logs. We show that learning patterns of normal activity across multiple dimensions in one unified statistical framework yields improved detection of penetration testing events. We further show operational value by developing fusion methods that can identify anomalous users, source devices, and destination devices in the network. | en_US |
| dc.description.sponsorship | We thank Lissa Moore for helpful suggestions and edits, and Francesco Sanna Passino and Melissa Turcotte for providing valuable feedback and shared attribute mappings. Research presented in this paper was supported by the Information Science and Technology Institute’s CyberToaster Research school, and by the Laboratory Directed Research and Development program of Los Alamos National Laboratory (LANL) under project numbers 20190020DR and 20200666DI. LANL is operated by Triad National Security, LLC, for the National Nuclear Security Administration of the U.S. Department of Energy (Contract No. 89233218CNA000001). | en_US |
| dc.description.uri | https://ieeexplore.ieee.org/abstract/document/9280524 | en_US |
| dc.format.extent | 6 pages | en_US |
| dc.genre | conference papers and proceedings | en_US |
| dc.identifier | doi:10.13016/m2l0a5-sp8r | |
| dc.identifier.citation | Eren, Maksim E.; Moore, Juston S.; Alexandro, Boian S.; Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization; 2020 IEEE International Conference on Intelligence and Security Informatics (ISI); https://ieeexplore.ieee.org/abstract/document/9280524 | en_US |
| dc.identifier.uri | https://doi.org/10.1109/ISI49825.2020.9280524 | |
| dc.identifier.uri | http://hdl.handle.net/11603/20287 | |
| dc.language.iso | en_US | en_US |
| dc.publisher | IEEE | en_US |
| dc.relation.isAvailableAt | The University of Maryland, Baltimore County (UMBC) | |
| dc.relation.ispartof | UMBC Computer Science and Electrical Engineering Department Collection | |
| dc.relation.ispartof | UMBC Student Collection | |
| dc.rights | This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author. | |
| dc.rights | Public Domain Mark 1.0 | * |
| dc.rights | This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law. | |
| dc.rights.uri | http://creativecommons.org/publicdomain/mark/1.0/ | * |
| dc.title | Multi-Dimensional Anomalous Entity Detection via Poisson Tensor Factorization | en_US |
| dc.type | Text | en_US |