Annual Computer Security Applications Conference (ACSAC) 2022


MADDC: Multi-Scale Anomaly Detection, Diagnosis and Correction for Discrete Event Logs

Anomaly detection for discrete event logs can provide critical information for building secure and reliable systems in various application domains, such as large-scale data centers, autonomous driving, and intrusion detection. However, the task is very challenging: there is no clear understanding or definition of "anomaly" in the specific problem space, and the log data is often highly complex and temporally correlated. Existing deep-learning-based methods mostly suffer from issues such as overfitting, uncertainty, or low interpretability; consequently, the detection results may be inaccurate and offer little information to help security analysts diagnose the reported anomalies with high confidence. To tackle this challenge, in this research we propose a general framework named MADDC, which aims to (1) accurately perform multi-scale anomaly detection and diagnosis for discrete event logs, and (2) help analysts further mitigate anomalies based on the diagnosis results. Specifically, we first design a new anomaly critic for an LSTM variational autoencoder based model to alleviate overfitting and reduce false negatives during anomaly detection. As one of our main contributions, we then introduce process mining techniques to build process-centric workflow models in an unsupervised manner; these models form the "normal" context of an event sequence and help perform accurate and consistent anomaly diagnosis through global sequence alignment. Experiments on publicly available datasets show that MADDC not only outperformed several representative methods in terms of detection accuracy, but also improved the visibility of abnormal deviations from normal execution, hence helping security analysts understand anomalies and make further corrections.
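As an added illustration of the alignment-based diagnosis step the abstract describes (example code written for this page, not the paper's or the MADDC implementation; the workflow trace and event names are constructed), the following aligns an observed event sequence to a normal trace and reports the deviations an analyst would want to see:

```python
# Added example, not the MADDC paper's code: diagnose an observed event
# sequence by globally aligning it to a constructed 'normal' workflow trace.

def global_align(normal, observed, match=1, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment; returns (score, list of pairs).
    (x, None) = expected event x missing; (None, y) = extra event y."""
    cost = lambda a, b: match if a == b else mismatch
    n, m = len(normal), len(observed)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            score[i][j] = max(score[i - 1][j - 1] + cost(normal[i - 1], observed[j - 1]),
                              score[i - 1][j] + gap, score[i][j - 1] + gap)
    i, j, pairs = n, m, []  # trace back from the final cell
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + cost(normal[i - 1], observed[j - 1]):
            pairs.append((normal[i - 1], observed[j - 1]))
            i, j = i - 1, j - 1
        elif i > 0 and score[i][j] == score[i - 1][j] + gap:
            pairs.append((normal[i - 1], None))
            i -= 1
        else:
            pairs.append((None, observed[j - 1]))
            j -= 1
    pairs.reverse()
    return score[n][m], pairs

def diagnose(normal, observed):
    """Translate the alignment into deviations an analyst can act on."""
    deviations = []
    for expected, got in global_align(normal, observed)[1]:
        if expected is None:
            deviations.append(("extra", got))
        elif got is None:
            deviations.append(("missing", expected))
        elif expected != got:
            deviations.append(("substituted", expected, got))
    return deviations

# Constructed normal trace for a hypothetical block-write workflow.
NORMAL = ["receive", "allocate", "write", "write", "replicate", "verify", "close"]
```

In MADDC the normal trace comes from the mined workflow model rather than a hand-written list; the alignment output is what lets a missing, extra or substituted event be pointed out rather than just flagging the whole sequence.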

Xiaolei Wang
College of Computer, National University of Defense Technology

Lin Yang
National Key Laboratory of Science and Technology on Information System Security, Systems Engineering Institute, AMS

Dongyang Li
National Key Laboratory of Science and Technology on Information System Security, Systems Engineering Institute, AMS

Linru Ma
National Key Laboratory of Science and Technology on Information System Security, Systems Engineering Institute, AMS

Yongzhong He
School of Computer and Information Technology, Beijing Jiaotong University

Junchao Xiao
School of Systems Science and Engineering, Sun Yat-Sen University

Jiyuan Liu
College of Computer, National University of Defense Technology

Yuexiang Yang
College of Computer, National University of Defense Technology
