A Lightweight Unsupervised Learning Architecture to Enhance User Behavior Anomaly Detection
André L. B. Molina, Vinícius P. Gonçalves, Rafael Timóteo de Sousa, Marcel Pividal, R. Meneguette, G. P. R. Filho
2022 IEEE Latin-American Conference on Communications (LATINCOM), published 2022-11-30
DOI: 10.1109/LATINCOM56090.2022.10000477 (https://doi.org/10.1109/LATINCOM56090.2022.10000477)
Citation count: 0
Abstract
In recent years, user behavior anomaly detection has been gaining attention in cybersecurity. A crucial challenge that has been discussed in the literature is that supervised models that use vast amounts of data for training do not apply to real scenarios for anomaly detection. Within this context, the requirement to gather datasets with labeled behavior anomalies has proven to be a significant limiting factor for evaluating different models. This paper presents WEAPON, an unsupervised learning-based architecture for user behavior anomaly detection that requires a small amount of data for building behavior profiles considering the individuality of each user. WEAPON implements the weak supervision-based behavior anomaly labeling approach using Snorkel. When compared to other approaches, WEAPON proved to be more efficient, surpassing the ROC curve of the second best model by 4.31%. Furthermore, WEAPON outperforms rule-based methods by finding anomalies that an expert would not anticipate.