AUTOMATIC GENERATION OF TRAINING DATA FOR ANOMALY DETECTION USING OTHER USER'S DATA SAMPLES
1. A method, comprising:
- for a system or application used by a plurality of users, providing an access to a memory device storing user data samples for all users of the plurality of users;
selecting a target user from among the plurality of users; and
using a processor on a computer and using data samples for the target user and data samples for other users of the plurality of users, generating a normal sample data set and an abnormal (anomalous) sample data set to serve as a training data set for training a model for an anomaly detection monitor for the target user.
A method (and structure) generates a classifier for an anomalous detection monitor for a target user on a system or application used by a plurality of users and includes providing an access to a memory device storing user data samples for all users of the plurality of users. A target user is selected from among the plurality of users. Data samples for the target user and data samples for other users of the plurality of users are used to generate a normal sample data set and an abnormal (anomalous) sample data set to serve as a training data set for training a model for an anomaly detection monitor for the target user.
|SEQUENTIAL ANOMALY DETECTION|
Patent #US 20150052090A1
Current AssigneeInternational Business Machines Corporation
Sponsoring EntityInternational Business Machines Corporation
|COLD START MECHANISM TO PREVENT COMPROMISE OF AUTOMATIC ANOMALY DETECTION SYSTEMS|
Patent #US 20170104773A1
Current AssigneeCisco Technology Incorporated
Sponsoring EntityCisco Technology Incorporated
|Sequential anomaly detection|
Patent #US 9,727,821 B2
Current AssigneeInternational Business Machines Corporation
Sponsoring EntityInternational Business Machines Corporation
|Cold start mechanism to prevent compromise of automatic anomaly detection systems|
Patent #US 9,838,409 B2
Current AssigneeCisco Technology Incorporated
Sponsoring EntityCisco Technology Incorporated
|Systems and methods for improving forest-based malware detection within an organization|
Patent #US 9,942,264 B1
Current AssigneeCA Inc. dba CA Technologies
Sponsoring EntitySymantec Corporation
|COMPUTER SYSTEM PROVIDING ANOMALY DETECTION WITHIN A VIRTUAL COMPUTING SESSIONS AND RELATED METHODS|
Patent #US 20180337936A1
Current AssigneeCitrix Systems Inc.
Sponsoring EntityCitrix Systems Inc.
|Cold start mechanism to prevent compromise of automatic anomaly detection systems|
Patent #US 10,182,066 B2
Current AssigneeCisco Technology Incorporated
Sponsoring EntityCisco Technology Incorporated
|Generic framework to detect cyber threats in electric power grid|
Patent #US 10,452,845 B2
Current AssigneeGeneral Electric Company
Sponsoring EntityGeneral Electric Company
|Generation of a random value for a child process|
Patent #US 10,489,585 B2
Current AssigneeRed Hat Inc.
Sponsoring EntityRed Hat Inc.
|Detecting behavioral anomaly in machine learned rule sets|
Patent #US 10,735,445 B2
Current AssigneeCognizant Technology Solutions U.S. Corporation
Sponsoring EntityCognizant Technology Solutions U.S. Corporation
- 1. A method, comprising:
for a system or application used by a plurality of users, providing an access to a memory device storing user data samples for all users of the plurality of users; selecting a target user from among the plurality of users; and using a processor on a computer and using data samples for the target user and data samples for other users of the plurality of users, generating a normal sample data set and an abnormal (anomalous) sample data set to serve as a training data set for training a model for an anomaly detection monitor for the target user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- 12. An apparatus, comprising:
a memory device; and a processor having access to the memory device, the memory device storing a series of machine-readable instructions to execute a method of generating a normal sample data set and an abnormal (anomalous) sample data set to serve as a classifier for training a model for an anomalous detection monitor for a target user, the target user being one of a plurality of users sharing a system or application, wherein the method comprises; providing an access to a memory device storing user data samples for all users of the plurality of users; selecting a target user from among the plurality of users; and using the processor to generate the normal sample data set and the abnormal sample data set using data samples for the target user and data samples for other users of the plurality of users.
- View Dependent Claims (13, 14, 15, 16, 17)
- 18. An anomaly detector, as executed by a processor on a computer, the anomaly detector comprising a monitor for detecting anomalous behavior by any user of a plurality of users sharing a system or application, the anomaly detector comprising:
an input receiving data related to a current operation of the system or application by the users; a monitor module for each user as a target user, the monitor module for each target user executing a model of the target user to detect whether the target user'"'"'s current operation of the system or application comprises anomalous behavior; and an output to provide an alert signal if any user is detected as demonstrating anomalous behavior, wherein the model for each target user is developed from a classifier based on a normal sample data set and an abnormal sample data set for the target user, and wherein data samples for the target user and data samples for other users of the plurality of users are used to generate the normal sample data set and the abnormal sample data set to serve as a classifier for training the model for the anomalous detection monitor module for the target user.
- View Dependent Claims (19, 20)
The present invention relates to security on computers, and more specifically, a method to train a model for an anomalous behavior monitor for individual users. More specifically, the present invention teaches an adaptation of the Local Outlier Factor (LOF) algorithm to select benign samples from the target user'"'"'s own data points and to select anomalous samples from other system users'"'"' data points so that, both anomalous and benign samples can be obtained for training an anomaly detection model for the target user.
Machine learning (ML) is increasingly used as a key technique in solving many security problems such as botnet detection, transactional fraud, insider threat, etc. Driven by an almost endless stream of well publicized cases, such as Wikileaks and Snowden, of information theft by malicious insiders, there is increased interest for monitoring systems to detect anomalous user behavior. Today, in addition to traditional access control and other security controls, organizations actively deploy activity monitoring mechanisms to detect such attacks. Activity monitoring is done through enforced rules as well as anomaly detection using ML techniques. Thus, anomaly detection has been an important research problem in security analysis.
Anomaly detection, however, has been a challenge in such security analysis. One of the key challenges to the widespread application of ML in security is the lack of labeled samples from real applications. However, in many security applications, it is difficult to obtain labeled samples, as each attack can be unique, and, thus, applying supervised techniques such as multi-class classification is not feasible. Instead, to detect novel, as-yet-unseen attacks, researchers have used unsupervised outlier detection or one-class classification approaches by treating existing samples as benign samples. These methods, however, tend to yield high false positive rates, preventing their adoption in real applications.
To best apply ML techniques, it is ideal if a model can be trained with lots of both anomalous samples and benign samples. This is often very difficult for security applications: it is often unrealistic to expect to gather enough anomalous samples for labeling. This lack of anomalous samples prohibits the applicability of more accurate classification techniques, and, therefore, most existing monitoring applications have adopted anomaly detection or one-class classification techniques. These methods construct a profile of a subject'"'"'s normal behavior using the subject'"'"'s past behavior by treating them as benign samples and compare a new observed behavior with the normal profile, resulting in high false positive cases.
The lack of labeled data can also extend to samples of normal activity. Existing approaches treat the target user'"'"'s behavior in the training period as strictly benign. In some situations, there may be only a small number of samples to learn a user'"'"'s normal behavior, or the user'"'"'s samples actually contain anomalous cases, and, thus, training with this data can result in high false negative rates.
To solve these problems, several anomaly detection methods tried to artificially generate samples as a second class based on some heuristics, thereby posing a one-class classification task as a binary classification problem. For example, in a word spotting application, a method artificially enlarges the number of training talkers to increase variability of training samples. One talker'"'"'s speech pattern is transferred to that of a new talker by generating more varied training examples of keywords. In another approach a resampling method is applied to generate a random sample by choosing each of its coordinates randomly from the coordinate values that are in the data.
Later, a distribution-based artificial anomaly generation method was proposed which first measures the density of each feature value in the original data set D and then artificially generates anomaly points near to the normal data points by replacing low-density features with a different value in D. This method assumes that the boundary between the known and anomalous instances is very close to the existing data, hence “near misses” can be safely assumed to be anomalous. However, this method is not applicable to data with a very high dimensionality or with continuous variables.
In yet another approach, the density estimation (unsupervised learning) problem was transformed into one of supervised learning using artificially generated data in the context of association rule learning. A reference model, such as uniform or Gaussian, was used to generate artificial training samples as “contrast” statistics that provide information concerning departures of the data density from the chosen reference density. While these data points are generated from the data, they do not represent actual behavior in most real-world problems. Following this principle, another research group further proposed to employ the training data from the target class to generate artificial data based on a known reference distribution. But it restricted the underlying classification algorithm to produce class probability estimates rather than a binary decision.
Despite some successes of the above methods, they suffer either from strong restrictions, which made them not applicable to problems with high dimensional data, other application domains, or from the requirement of estimating the reference data distribution, which is usually not accurate and may lead to suboptimal performance.
The method of the present invention addresses both these problems/limitations: (1) artificially generated samples that do not reflect real cases; and (2) assuming an underlying data distribution, which is unrealistic in multi-user environments.
According to an exemplary embodiment of the present invention, described herein is a local outlier factor (LOF) based method to automatically generate both benign and malicious training samples from unlabeled data. This LOF-based sampling provides a unified mechanism to filter out bad normal samples and generate potential anomalous samples for each target user.
To accomplish this purpose, the present inventors have observed that, in many monitoring applications, when multiple users share a system, they can be observed as exhibiting distinct behavioral patterns. Examples of such scenarios include user authentication determining the authenticity of a user based on users'"'"' keystroke patterns, insider threat detection identifying deviation of a user'"'"'s access patterns from past behavior, and social network analysis detecting anomaly in a user'"'"'s collaboration patterns.
In each of these scenarios, it would be expected that others'"'"' behavioral patterns would be distinct from those of a target user being monitored for possible abnormal behavioral patterns. Thus, the present inventors have recognized that other users'"'"' samples can be utilized to estimate the target user'"'"'s possible abnormal behavioral patterns, without relying on distribution patterns or generating random samples. The present invention leverages these other users'"'"' samples as “abnormal” samples to help a ML classifier to learn a boundary between the target user'"'"'s expected and unexpected behavior. There are no assumptions made about the distribution of anomalous samples, no manual labeling is necessary, and the approach is independent of any underlying learning algorithm.
Upon completion of the processing to obtain the normal/abnormal sample sets for target user 110, another user, for example, user 120, could become the next target user for processing, and user 110 then assumes the role of one of the other users relative to new target user 120.
Along this line, it is noted that there are a number of “users” described herein: the “target user”, “other users”, the “plurality of users on the system/application” (which consists of the target user and other users), and the “user” who operates a tool/application that implements the present invention described herein. Although the terms “target user”, “other users”, and “plurality of users” should be clear from the context in this disclosure, to more clearly distinguish the user/operator/administrator who is implementing or controlling an application that implements the methods of the present invention, the term “operator/administrator” will be used herein to describe this user/operator/administrator.
The effectiveness of the approach of the present invention was evaluated on several datasets, and the testing results confirm that in almost all cases the technique performs significantly better than both one-class classification methods and prior two-class classification methods. The method is a general technique that can be used in many security applications.
The present invention focuses on a method of providing abnormal behavior samples for a targeted user for use in developing, for example, an ML classifier for a normal/abnormal behavioral pattern detector for a system or application shared by multiple users. According to the present invention, in such scenarios, a target user'"'"'s normal behavior is learned using training samples of the target user'"'"'s own past behavior samples, whereas the target user'"'"'s possible abnormal behavioral patterns can be learned from other users'"'"' training samples, since the other users expectedly exhibit quite different behavioral patterns from the target user.
Standard anomaly detection techniques, such as statistical analysis or one-class classification, aim to rank new samples based on their similarity to the model of the negative samples, assuming that all previously known samples are negative (benign). Many approaches use distance or density of the points as a measurement for the similarity, in which data points with the lowest density or the longest average distance to the previously known (negative) samples are considered most anomalous.
In contrast and as noted, the approach of the present invention makes no assumption on the underlying data distribution. It assumes that data samples in these applications are generated independently by many users with different underlying distributions. Consider, for example, the case of detecting anomalous user access to a source code repository shared by many employees. In this case, one would expect that users'"'"' access patterns will depend on their role in the organization or project and will, in general, be different from each other. For instance, software developers might be expected to exhibit similar access patterns, e.g., accessing the repository regularly during business hours, and to be significantly different from the access patterns of testers, business managers, backup administrators, etc.
Further, the present inventors assume that, in these multi-user applications, malicious actors often change their behaviors subtly or try to impersonate another person to hide their malicious intention. Thus, an anomalous point of a user'"'"'s behavior can look perfectly normal in the global view, but anomaly detection per user can detect these stealth attacks better than a global anomaly detection. However, while user-specific modeling can produce more accurate detection, the data sparseness problem becomes even worse. In this case, in addition to the lack of anomalous cases, there may not be enough benign cases for some users, such as new users or non active users.
The present invention addresses the lack of labeled samples by exploiting data samples from the other users in the target application. A key intuitive concept underlying the present invention is that, when there are many users, other users'"'"' behavior can provide additional insights on potential anomalies. Thus, it is assumed that a user'"'"'s actions are similar to each other and tend to form a few clusters occupying a small area in the data space. However, when data samples from many users are combined, they provide more accurate projection of the entire data space and help to estimate accurate boundaries between different users.
Thus, a key feature of the present invention is to provide a mechanism to generate anomalous samples automatically from other users'"'"' behaviors. To identify possibly anomalous samples for a target user, the method adopts a common definition of anomaly which considers the data points in low density areas is anomalous. In an exemplary embodiment, all samples of all users in the data set are examined, and samples that are considered different from a target user'"'"'s data samples are identified. The inventors extend the Local Outlier Factor (LOF) processing to estimate the degree of “outlier-ness” with respect to samples of a target user and to select anomalous samples for the target user from other users'"'"' data samples which have high LOF with respect to the target user'"'"'s data samples.
Described herein and exemplarily illustrated at a higher level 200 in
Given this measure of LOF, in non-limiting exemplary embodiments, two exemplary alternative strategies, to be described in more detail, can be used to select abnormal samples for a target user: use the points with the highest LOF, which deviate the most from the target user'"'"'s data points, or use the points with the lowest LOF above a certain threshold, which are just “slightly different” from the target user'"'"'s data. With such or similar reference to the target user'"'"'s own data points, the present invention generates anomalous samples for the target user from other users'"'"' data samples which have high LOF with respect to the target user'"'"'s data samples.
It should be noted that the two alternative methods of using lowest LOF and highest LOF are exemplary only and non-limiting, since it should be clear that middle ranges of LOF could also serve as means to obtain the target user'"'"'s abnormal samples.
Further, a benign sample set (e.g., 208 in
The benign sample set and the anomalous sample set can be provided as output data for consumption as training data 210 (
This method 200 solves limitations of existing methods by reason that there are no assumptions made about the distribution of anomalous samples, no manual labeling is necessary, and it is independent of the underlying learning algorithms.
The target user'"'"'s data points are herein referred to as the “reference points”, and the variation of applying the standard LOF processing on these reference points are referred to as the “reference points-based LOF.
As shown in
Exemplary main differences of the approach of the reference points-based LOF from other density-based anomaly detection methods include:
1. The outlier-ness of a data point with respect to a fixed set of existing data points in the space is measured; and
2. Low density samples are used as anomalous samples to build a binary classifier.
User Data Clusters
As could be surmised from the data shown exemplarily in
The result demonstrated that all samples belonging to a first user have very low LOF scores, while other users'"'"' data points have much higher LOF scores, thereby confirming that the data points belonging to a user are close to each other, while data points from other users are separated. The analysis of this experiment supported the inventors'"'"' hypothesis on exploiting other users'"'"' data points to generate anomalous samples for a target user.
It is noted that, in some cases, when other users'"'"' sample data points overlap the cluster of the target user'"'"'s sample data points, then the reference points-based LOF function will ignore these overlapping data points since they will not be low-density points relative to the target user'"'"'s cluster of points.
Reference Points-Based LOF
In this section, the reference points-based LOF method is more precisely explained. The task is to build for each user an anomaly detection model with both normal and anomalous samples for each target user. In this discussion, because of the absence of labeled anomalous samples, other users'"'"' samples are explored as potential anomalous points for a target user, such that possible anomalous samples for each user are found from the other users'"'"' normal samples. The basic idea is to measure the degree of “outlier-ness” of all the training samples and to identify the data points that deviate from the target user'"'"'s samples.
In density-based anomaly detection, a data point is considered as an outlier if the local density of the point is substantially lower than its neighbors. In this work, we use the Local Outlier Factor (LOF) for local density estimation, where the local area is determined by its k nearest neighbors from the target user is defined by Equation 1:
Where the local reachability distance (LRD) is defined as in Equation 2:
where k-distance(q) be the distance of the point q to its k-th nearest neighbor.
Stated slightly differently, let U be the set of users, D be the set of data points for all the users, Du be the data points of a target user u, and
Thus, in the present invention, the Local Outlier Factor (LOF) is applied for local density estimation. However, the local area of a data point is determined by its k nearest neighbors from the target user samples, unlike the standard LOF where the k nearest neighbors are chosen from the entire set. Hence, the present inventors refer to the method of their invention as the “Reference-points based LOF”.
In an exemplary embodiment, the distance between two data points p and q is computed using a normalized Manhattan distance:
where max(i) and min(i) denote the maximum and minimum value for the i-th features respectively.
It is noted that any distance metric can be used here, and, it is strongly recommended to find the best distance metric for the target data.
Further, alternative to the k-nearest neighbors, one can use the ε-neighborhood as described in the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) clustering algorithm. In this case, the degree of outlier-ness of a sample p can be computed as the average distance to the data points in its directly reachable neighbors. It is noted that DBSCAN is one of the most common clustering algorithms and often cited in scientific literature. It is a density-based data clustering algorithm: given a set of points in some space, it groups together points that are closely packed together (i.e., points with many nearby neighbors), and considers as outliers those points that lie alone in low-density regions (i.e., whose nearest neighbors are too far away).
Normal/Abnormal Behavior Detection
In this section, several non-limiting, exemplary strategies are explored for generating a labeled training set based on the reference points-based LOF described above. The following sections describe possible strategies for choosing normal samples and anomalous samples, respectively. Note that the algorithm above computes the LOF scores for all data points including both the target user'"'"'s data points and other users'"'"' data points. The LOF scores are used to select both normal and abnormal samples to train a two-class classification model for each user.
Normal Sample Selection Stage
The present invention envisions two methods, shown on the left side of
As shown in step 602, the operator/administrator will provide inputs to select the method (either “SELF” or “LowLOF”) for processing the target user'"'"'s normal sample set and threshold information if the outliers are to be extracted from the target user'"'"'s data. In step 604 the target user'"'"'s sample data is accessed. Based on the method selection, on the two following mechanisms will then be executed.
1. All Self Samples (SELF): This method 606 uses all the samples from the target user during the training period as normal samples, similarly to conventional unsupervised anomaly detection or the conventional one-class classification approach. Step 604 shows this first alternative.
2. No Outlier Samples (LowLOF): In this method 608, LOF values are computed for the target user'"'"'s own samples as well. The data points with relatively high LOF scores are outliers in the target user'"'"'s samples. These outlier samples from the target user'"'"'s own sample set are discarded and the remaining samples are used as normal samples for training. This strategy can be used to handle noisy data.
In this LowLOF processing 608, the threshold value is used in the LOF processing of the target user'"'"'s samples to determine outlier points in the target user'"'"'s sample data, so that the outlier point can be discarded. In step 610, the selected processing result is provided as output for the target user'"'"'s sample set.
Although the above description implies an operator/administrator, it is noted that the processing of this tool could be automated to occur periodically, and some values could be default values and/or updated over time, including possibly updating using a feedback mechanism.
Abnormal Sample Selection Stage
For anomalous training sample generation, as shown on the right side of
First, in step 620, the operator/administrator inputs provide desired method selection, threshold information to use in determining a boundary for outliers and inliers, and desired total number of anomalous samples N for the target user. Again, as noted above in the discussion of the normal sample selection, it is possible to implement the present invention so that the processing could be automatically invoked without involvement by an actual human operator/administrator, and some of the entries could be preset or default values, or could be automatically updated over time.
An optimal threshold value could be determined empirically for the given data set. A basic guideline is that the threshold value needs to separate most of the target user'"'"'s samples from the rest of the data points. Various methods for determining a threshold can be used. A simple way to set the threshold is to use a predetermined LOF value, but this method is not optimal because different data sets may need a different LOF value. Alternatively, we can find a threshold value automatically from the data. For instance, we can choose an LOF value as the threshold, in which the LOF values of 95% of the target user'"'"'s data points stay below the threshold. In yet another embodiment, we can display the LOF values for the target user'"'"'s samples and those of other users'"'"' samples, and let the user choose an optimal threshold value.
All the samples from other users that have LOF higher than the threshold are considered as potential anomalous samples for the target user. The invention describes four different strategies for selecting anomalous samples from the potential anomalous samples for the target user. First, we can choose Low LOF samples from all of the potential anomalous samples. Second, we can choose High LOF samples from all of the potential anomalous samples. It is noted that it is desirable to generate anomalous samples from each of the other users for the target user in many situations. Suppose we want to select N anomalous samples, and there are m other users, we would preferably generate approximately N/m samples from each user. By choosing samples from as many other users as possible, we ensure the anomalous sample set represents a diverse set of abnormal situations. We can then apply both the Low LOF sampling and High LOF sampling for each of the users. In other words, we select N/m samples with lowest or highest LOF values from each of the users from the potential anomalous samples respectively. In step 622, sample data for the other users is accessed, to be processed in accordance with the selected method.
For anomalous training sample generation, the following four alternative strategies 624, 626, 628, 630 are suggested as possible exemplary strategies to be applied to extract anomalous samples for the target user. These strategies aim to find other users'"'"' samples that are outside of the target user'"'"'s samples, i.e., outliers from the perspective of the target user. User input 620 provides instructions to select one of the four alternative processings 624-630 and step 632 provides the results of the selected processing as output data for the target user'"'"'s abnormal data sample set.
1. Boundary Sampling (LowLOFAll): Out of all other users'"'"' samples that have LOF higher than a threshold, the samples with lowest LOF scores are chosen. This method 624 finds anomalous samples that are located close to the boundaries. These samples would have higher LOF scores than most of the target user'"'"'s samples, but have lower LOF scores than most of the other users'"'"' samples.
2. Boundary Sampling Per User (LowLOFUser): This method 626 is also intended to choose boundary samples. However, this method 626 selects low LOF samples from each of the other users. If we want to generate N anomalous samples, and there are m other users, we generate approximately N/m samples from each user.
3. Outlier Sampling (HighLOFAll): This method 628 generates anomalous samples which deviate most from the target users'"'"' samples, i.e., samples with highest LOF scores from the sample set from all the other users as in LowLOFAll.
4. Outlier Sampling per User (HighLOFUser): This method 630 is similar to LowLOFUser. The difference is that it chooses samples with highest LOF scores from each of the other users.
It is noted that the algorithm chooses anomalous samples which have an LOF score higher than a threshold to exclude other users'"'"' samples that are inside of or too close to the target user'"'"'s region. Further, the LowLOF method for generating normal samples can also discard a few normal samples. Thus, for very small data sets like the Typist data set, the algorithm can generate a smaller number of samples than requested.
Training Sample Generation
By combining the two methods for normal sample generation (left side of
Moreover, suppose that it is desired to include nine anomalous samples in the training data set. Accordingly,
Further, we can extend these anomalous sample methods to apply ensemble methods, in which multiple anomaly detection methods are built based on a different training set. We can generate different training sets using different subsets of other users. When we have m other users, we can divide the m users into k subgroups of users, U1, . . . , Uk. Then, we apply one of the four strategies to each of the subgroups, and produce k different training sets comprising both normal samples and anomalous samples. Note that the k training sets contain the same normal samples but different anomalous samples. We then build k different models for the target user, and anomaly detection can be carried out by running the k models and by aggregating their results.
Although the present invention is directed more to the reference-points-LOF-based mechanism of determining anomalous and normal sample sets, this section describes how this mechanism can be utilized in various application environments and can be evaluated. Having both normal and anomalous samples in the training data allows the anomaly detection task to be cast as a two-class classification problem, so that a classifier can be learned that can discriminate the abnormal samples from the normal samples. Any classification algorithm can be applied and may be chosen based on the application.
To evaluate the present invention, classification algorithms were used that produce the class probability as an output, rather than a binary decision. The advantage of having class probability estimation over a binary decision of normal versus abnormal is that the system administrators can adjust the ratio of alarms according to available resources and costs. In this evaluation, experiments were conducted with three classification algorithms: Decision Tree, Logistic Regression, and Random Forest, and the sampling methods of the present invention were evaluated with three publicly available data sets and one private data set from information security application: Keystroke Dynamics Benchmark Data; Typist Recognition Data; DBLP Collaboration Network Data; and Access Log Data.
The Keystroke Dynamics Benchmark Data is a data set of keystroke data collected from 51 users typing the same strong password 400 times, broken into eight equal-length sessions. Various timing features were measured such as the length of time between each keystroke, and the time each key was depressed. The Typist Recognition Data is a data set of typing patterns of ten different users as used to build a classifier to identify individual typists. The typing pattern are represented by eight features such as typing speed and error rate (backspace). The typing behavior of the users is broken into units, approximately one paragraph'"'"'s worth of typing. Each user contains between 24 and 75 records with an average of 53.3.
The DBLP Collaboration Network Data is a large database of publications from computer science journals, conferences, and workshops. The present invention was tested by using it to build models to learn what a “normal” paper title is for an author.
The Access Log Data is an access log data set that comes from a source code repository used in a large IT company. The logs were collected over 5 years and consist of 2,623 unique users, 298,365 unique directories, 1,162,259 unique files, and 68,736,222 total accesses. Each log contains a timestamp, a user ID, a resource name, and the action performed on the resource. These logs were processed down to individual periods per user which represent the user'"'"'s behavior in a given week. The features include the number of total accesses, the number of unique accesses in that period, new unique accesses given a user'"'"'s history, counts for the actions performed, counts for the file extensions accessed, and similarity scores to the target user. The similarity scores represent how similar a user is to the other users given the user'"'"'s current access pattern and the other users'"'"' past access patterns.
While it can be assumed that most of a target user'"'"'s activity is benign, it would be desirable to prevent training data from containing samples of malicious behavior to be detected. For example, if the target user'"'"'s account is compromised by an adversary, the classifier should not have been trained on the activity of the adversary. For this reason, ac classifier can be trained and tested on different user groups. For each target user, a K-fold cross validation can be performed by dividing the user population into K disjoint sets of training and testing user groups.
For example, suppose there are three users U 1, U 2 and U 3, and U 1 is the target user. A classifier is trained on U 1 and U 2 and tested on U 1 and U 3. A second classifier is trained on U 1 and U 3 and tested on U 1 and U 2. The user actions are also split into training and testing samples using a pivot point in time when applicable, that is, all training actions occur strictly prior to all testing actions. We choose anomalous samples only from the training user group and measure the performance on the evaluation user group. The training user group and the evaluation user group for each fold are mutually exclusive, so no evaluation user is seen during training. To ease comparison with some prior work, we evaluate the performance of a two-class classifier versus a one-class classifier for detecting changes in user behavior. Further, for all experiments, we report the average results over the cross-validation splits and compare the algorithms based on AUC (Area Under Curve), as it is the metric used in all previous work.
The evaluation results showed that the present invention provides uniformly better results compared to the one class classifier approach and the approach of providing synthetically constructed distributions of abnormal samples for training.
As initially developed, the prototype embodiment of the present invention was intended to be an application-type program selectively executable on a server 902 or gateway that serves as a portal to a protected site or network 904 associated with the shared system/application. If the protection is for an application available to different users then server 902 might store the application, which is then accessed by the various users 904. Since the invention serves a monitoring purpose, it might be preferable to at least periodically execute the process described in
Computer 902 is also shown as associated with a database 908 for storing sample data on the system or application users 904, as well as data from previous periodic executions. Such data would permit the system to evaluate longer periods of time, using stored data of from previous cycles as well as the data from the current execution period.
In a variation, the tooling of the present invention could be installed on a single computer 910 and providing monitoring for that computer alone, with computer 910 possibly having a memory device 912 for storage of monitoring history and/or current processing data concerning different users.
In yet another alternative, computer 916 could be configured to download the anomaly detection development tool to remote computer 914 via a network, either by request or via an automatic, periodic downloading mechanism, in order to permit remote computer 914 to itself execute the anomaly detection tool. Typically, as a servicing tool for client users, the anomaly detection tool would be configured for a single execution by the remote computer 914 and would not remain resident in the remote computer 914. Other safeguards to preclude the anomaly detection development tool to be transferred to another computer without authorization could also be implemented.
Exemplary Hardware Aspects, Using a Cloud Computing Environment
It is understood in advance that, although this section of the disclosure provides a detailed description on cloud computing, implementation of the teachings recited herein are not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other types of computing environment now known or later developed.
Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.
Characteristics are as follows:
On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service'"'"'s provider.
Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling: the provider'"'"'s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Service Models are as follows:
Software as a Service (SaaS): the capability provided to the consumer is to use the provider'"'"'s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Deployment Models are as follows:
Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.
Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.
Referring now to
In cloud computing node 1000 there is a computer system/server 1012, which is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system/server 1012 include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems or devices, and the like.
Computer system/server 1012 may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Computer system/server 1012 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
As shown in
Bus 1018 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer system/server 1012 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 1012, and it includes both volatile and non-volatile media, removable and non-removable media.
System memory 1028 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 1030 and/or cache memory 1032. Computer system/server 1012 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 1034 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus 1018 by one or more data media interfaces. As will be further depicted and described below, memory 1028 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program/utility 1040, having a set (at least one) of program modules 1042, may be stored in memory 1028 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 1042 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
Computer system/server 1012 may also communicate with one or more external devices 1014 such as a keyboard, a pointing device, a display 1024, etc.; one or more devices that enable a user to interact with computer system/server 1012; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 1012 to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interfaces 1022. Still yet, computer system/server 1012 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 1020. As depicted, network adapter 1020 communicates with the other components of computer system/server 1012 via bus 1018. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server 1012. Examples, include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.
Referring now to
Referring now to
Hardware and software layer 1200 includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide). The tooling that implements the present invention would be located in layer 1200.
Virtualization layer 1220 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients. The virtual machines and network appliances that are generated and instantiated by the tooling of the present invention would operate on layer 1220.
In one example, management layer 1230 may provide the functions described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and Pricing provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Service level management provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment module provides pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.
Workloads layer 1240 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer might include any number of functions and applications not even related to the present invention, such as mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and, more particularly relative to the present invention, the normal/abnormal sample set modules 600 exemplarily shown functionally in
The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.