{"title":"Using Consensus Clustering for Multi-view Anomaly Detection","authors":"Alexander Y. Liu, D. Lam","doi":"10.1109/SPW.2012.18","DOIUrl":null,"url":null,"abstract":"This paper presents work on automatically characterizing typical user activities across multiple sources (or views) of data, as well as finding anomalous users who engage in unusual combinations of activities across different views of data. This approach can be used to detect malicious insiders who may abuse their privileged access to systems in order to accomplish goals that are detrimental to the organizations that grant those privileges. To avoid detection, these malicious insiders want to appear as normal as possible with respect to the activities of other users with similar privileges and tasks. Therefore, given a single type or view of audit data, the activities of the malicious insider may appear normal. An anomaly may only be apparent when analyzing multiple sources of data. We propose and test domain-independent methods that combine consensus clustering and anomaly detection techniques. We benchmark the efficacy of these methods on simulated insider threat data. Experimental results show that combining anomaly detection and consensus clustering produces more accurate results than sequentially performing the two tasks independently.","PeriodicalId":201519,"journal":{"name":"2012 IEEE Symposium on Security and Privacy Workshops","volume":"220 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-05-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"30","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE Symposium on Security and Privacy Workshops","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW.2012.18","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 30
Abstract
This paper presents work on automatically characterizing typical user activities across multiple sources (or views) of data, as well as finding anomalous users who engage in unusual combinations of activities across different views of data. This approach can be used to detect malicious insiders who may abuse their privileged access to systems in order to accomplish goals that are detrimental to the organizations that grant those privileges. To avoid detection, these malicious insiders want to appear as normal as possible with respect to the activities of other users with similar privileges and tasks. Therefore, given a single type or view of audit data, the activities of the malicious insider may appear normal. An anomaly may only be apparent when analyzing multiple sources of data. We propose and test domain-independent methods that combine consensus clustering and anomaly detection techniques. We benchmark the efficacy of these methods on simulated insider threat data. Experimental results show that combining anomaly detection and consensus clustering produces more accurate results than sequentially performing the two tasks independently.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
