Title
Efficient Discovery of Abnormal Event Sequences in Enterprise Security Systems.
Abstract
An intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDSs have been widely applied to detect single abnormal process events that deviate from the majority. However, intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify the process events that are truly involved in a real malicious activity, especially considering the massive number of 'noisy' events filling the event sequences. Hence, existing work that focuses on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection, suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it in a real-world enterprise security system, where it greatly helps detect advanced threats and optimize incident response. Executing GID on both static and streaming data shows that GID is efficient (it processes about 2 million records per minute) and accurate for intrusion detection.
Year: 2017
DOI: 10.1145/3132847.3132854
Venue: CIKM
Field: Graph, Anomaly detection, Data mining, Incident response, Computer science, Anomaly-based intrusion detection system, Event sequence, Systems architecture, Enterprise information security architecture, Intrusion detection system
DocType: Conference
ISBN: 978-1-4503-4918-5
Citations: 3
PageRank: 0.39
References: 11
Authors (8)

Name              Order  Citations  PageRank
Boxiang Dong      1      17         9.45
Zhengzhang Chen   2      198        25.62
Wendy Hui Wang    3      133        13.82
Lu An Tang        4      427        27.74
Kai Zhang         5      588        32.87
Ying Lin          6      5          1.77
Zhichun Li        7      814        41.48
Haifeng Chen      8      761        64.79