Efficient discovery of abnormal event sequences in enterprise security systems

Boxiang Dong, Zhengzhang Chen, Hui Wang, Lu An Tang, Kai Zhang, Ying Lin, Zhichun Li, Haifeng Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

6 Citations (Scopus)

Abstract

An intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDS has been widely applied to detect single abnormal process events that deviate from the majority. However, intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify the process events that are truly involved in a real malicious activity, especially considering the massive number of "noisy" events filling the event sequences. Hence, existing work that focuses on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection, suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it into a real-world enterprise security system, where it greatly helps detect advanced threats and optimize incident response. Executing GID on both static and streaming data shows that GID is efficient (it processes about 2 million records per minute) and accurate for intrusion detection.

Original language: English
Title of host publication: CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management
Publisher: Association for Computing Machinery
Pages: 707-715
Number of pages: 9
ISBN (Electronic): 9781450349185
DOIs: https://doi.org/10.1145/3132847.3132854
State: Published - 6 Nov 2017
Event: 26th ACM International Conference on Information and Knowledge Management, CIKM 2017 - Singapore, Singapore
Duration: 6 Nov 2017 → 10 Nov 2017

Publication series

Name: International Conference on Information and Knowledge Management, Proceedings
Volume: Part F131841

Other

Other: 26th ACM International Conference on Information and Knowledge Management, CIKM 2017
Country: Singapore
City: Singapore
Period: 6/11/17 → 10/11/17

Fingerprint

Intrusion detection
Intrusion detection system
Incidents
Graph
System architecture
Real activity
Threat
Anomaly

Cite this

Dong, B., Chen, Z., Wang, H., Tang, L. A., Zhang, K., Lin, Y., ... Chen, H. (2017). Efficient discovery of abnormal event sequences in enterprise security systems. In CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management (pp. 707-715). (International Conference on Information and Knowledge Management, Proceedings; Vol. Part F131841). Association for Computing Machinery. https://doi.org/10.1145/3132847.3132854
Dong, Boxiang ; Chen, Zhengzhang ; Wang, Hui ; Tang, Lu An ; Zhang, Kai ; Lin, Ying ; Li, Zhichun ; Chen, Haifeng. / Efficient discovery of abnormal event sequences in enterprise security systems. CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management. Association for Computing Machinery, 2017. pp. 707-715 (International Conference on Information and Knowledge Management, Proceedings).
@inproceedings{3efe847a2b594a6bbaa53f50c484414f,
title = "Efficient discovery of abnormal event sequences in enterprise security systems",
abstract = "Intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDS has been widely applied to detect single abnormal process events that deviate from the majority. However, intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify process events that are truly involved in a real malicious activity, and especially considering the massive {"}noisy{"} events filling the event sequences. Hence, the existing work that focus on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection - suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it into a real-world enterprise security system, and it greatly helps detect the advanced threats and optimize the incident response. Executing GID on both static and streaming data shows that GID is efficient (processes about 2 million records per minute) and accurate for intrusion detection.",
author = "Boxiang Dong and Zhengzhang Chen and Hui Wang and Tang, {Lu An} and Kai Zhang and Ying Lin and Zhichun Li and Haifeng Chen",
year = "2017",
month = "11",
day = "6",
doi = "10.1145/3132847.3132854",
language = "English",
series = "International Conference on Information and Knowledge Management, Proceedings",
publisher = "Association for Computing Machinery",
pages = "707--715",
booktitle = "CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management",

}

Dong, B, Chen, Z, Wang, H, Tang, LA, Zhang, K, Lin, Y, Li, Z & Chen, H 2017, Efficient discovery of abnormal event sequences in enterprise security systems. in CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management. International Conference on Information and Knowledge Management, Proceedings, vol. Part F131841, Association for Computing Machinery, pp. 707-715, 26th ACM International Conference on Information and Knowledge Management, CIKM 2017, Singapore, Singapore, 6/11/17. https://doi.org/10.1145/3132847.3132854

Efficient discovery of abnormal event sequences in enterprise security systems. / Dong, Boxiang; Chen, Zhengzhang; Wang, Hui; Tang, Lu An; Zhang, Kai; Lin, Ying; Li, Zhichun; Chen, Haifeng.

CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management. Association for Computing Machinery, 2017. p. 707-715 (International Conference on Information and Knowledge Management, Proceedings; Vol. Part F131841).
TY - GEN

T1 - Efficient discovery of abnormal event sequences in enterprise security systems

AU - Dong, Boxiang

AU - Chen, Zhengzhang

AU - Wang, Hui

AU - Tang, Lu An

AU - Zhang, Kai

AU - Lin, Ying

AU - Li, Zhichun

AU - Chen, Haifeng

PY - 2017/11/6

Y1 - 2017/11/6

N2 - Intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDS has been widely applied to detect single abnormal process events that deviate from the majority. However, intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify process events that are truly involved in a real malicious activity, and especially considering the massive "noisy" events filling the event sequences. Hence, the existing work that focus on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection - suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it into a real-world enterprise security system, and it greatly helps detect the advanced threats and optimize the incident response. Executing GID on both static and streaming data shows that GID is efficient (processes about 2 million records per minute) and accurate for intrusion detection.

AB - Intrusion detection system (IDS) is an important part of enterprise security system architecture. In particular, anomaly-based IDS has been widely applied to detect single abnormal process events that deviate from the majority. However, intrusion activity usually consists of a series of low-level heterogeneous events. The gap between low-level process events and high-level intrusion activities makes it particularly challenging to identify process events that are truly involved in a real malicious activity, and especially considering the massive "noisy" events filling the event sequences. Hence, the existing work that focus on detecting single events can hardly achieve high detection accuracy. In this work, we formulate a novel problem in intrusion detection - suspicious event sequence discovery, and propose GID, an efficient graph-based intrusion detection technique that can identify abnormal event sequences from massive heterogeneous process traces with high accuracy. We fully implement GID and deploy it into a real-world enterprise security system, and it greatly helps detect the advanced threats and optimize the incident response. Executing GID on both static and streaming data shows that GID is efficient (processes about 2 million records per minute) and accurate for intrusion detection.

UR - http://www.scopus.com/inward/record.url?scp=85037353127&partnerID=8YFLogxK

U2 - 10.1145/3132847.3132854

DO - 10.1145/3132847.3132854

M3 - Conference contribution

T3 - International Conference on Information and Knowledge Management, Proceedings

SP - 707

EP - 715

BT - CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management

PB - Association for Computing Machinery

ER -

Dong B, Chen Z, Wang H, Tang LA, Zhang K, Lin Y et al. Efficient discovery of abnormal event sequences in enterprise security systems. In CIKM 2017 - Proceedings of the 2017 ACM Conference on Information and Knowledge Management. Association for Computing Machinery. 2017. p. 707-715. (International Conference on Information and Knowledge Management, Proceedings). https://doi.org/10.1145/3132847.3132854