Bibliographic Details
Main Authors: Kayhan, Varol, Shivendu, Shivendu, Behnia, Rouzbeh, Daniel, Clinton, Agrawal, Manish
Format: Preprint
Published: 2024
Subjects: Cryptography and Security; Artificial Intelligence
Online Access: https://arxiv.org/abs/2403.10327
Abstract: Threat hunting is sifting through system logs to detect malicious activities that might have bypassed existing security measures. It can be performed in several ways, one of which is based on detecting anomalies. We propose an unsupervised framework, called continuous bag-of-terms-and-time (CBoTT), and publish its application programming interface (API) to help researchers and cybersecurity analysts perform anomaly-based threat hunting among SIEM logs geared toward process auditing on endpoint devices. Analyses show that our framework consistently outperforms benchmark approaches. When logs are sorted by likelihood of being an anomaly (from most likely to least), our approach identifies anomalies at higher percentiles (between 1.82-6.46) while benchmark approaches identify the same anomalies at lower percentiles (between 3.25-80.92). This framework can be used by other researchers to conduct benchmark analyses and cybersecurity analysts to find anomalies in SIEM logs.
Title: Unsupervised Threat Hunting using Continuous Bag-of-Terms-and-Time (CBoTT)