Anomaly Detection in Key-Management Activities Using Metadata: A Case Study and Framework

Abstract

Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. Monitoring access and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Analysis of enterprise system logs has been widely studied (for example at the operating system level). However, to the best of our knowledge, EKMS metadata has not been used for anomaly detection. In this article we present a framework for anomaly detection based on EKMS metadata. The framework involves automated outlier rejection, normal heuristics collection, automated anomaly detection, and system notification and integration with other security tools. This is developed through investigation of EKMS metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. This generates heuristics based on categories of behavior. As a proof of concept, we simulated an enterprise environment, collected the EKMS metadata, and deployed this framework. Our implementation used QuintessenceLabs EKMS. However, the framework is vendor neutral. The results demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Further, our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.