Abstract
The cyber security industry is rapidly adopting threat hunting as a proactive tool for early and faster detection of suspected malicious actors. In this paper, we propose a machine learning-based method, Unsupervised Hunting of Anomalous Commands (UHAC), to detect text-based anomalous commands in security information and event management (SIEM) logs that are good candidates for threat hunting. A unique feature of the proposed method is that it first creates a feature set based on the augmentation of document-term and document-character matrices. Then, an autoencoder-based detector is trained on this feature set using a custom loss function. UHAC consistently outperforms other feature sets and algorithms such as one-class support vector machine, density-based spatial clustering of applications with noise, and word-embedding-based models such as word2vec. The UHAC detector identifies 84–89% of anomalies in the top 10% of the data. Findings have implications for cybersecurity analysts who perform threat hunting in SIEM logs for process auditing on endpoint devices.
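The feature-set construction the abstract describes (a document-term matrix augmented column-wise with a document-character matrix) is illustrated below as an added example; it is not the authors' code, the sample command lines are constructed, and the autoencoder and its custom loss function are not reproduced.

```python
from collections import Counter

# Constructed sample command lines standing in for SIEM process-audit entries.
SAMPLE_COMMANDS = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "cmd.exe /c dir C:\\Users",
    "svchost.exe -k netsvcs",
    "powershell.exe -enc SQBFAFgA",
]


def term_tokens(command):
    """Whitespace-delimited terms of a command line, lower-cased."""
    return command.lower().split()


def char_tokens(command):
    """Every character of the command line (spaces and punctuation included)."""
    return list(command.lower())


def build_index(docs, tokenizer):
    """Map each distinct token to a column position (sorted for determinism)."""
    vocab = sorted({tok for doc in docs for tok in tokenizer(doc)})
    return {tok: i for i, tok in enumerate(vocab)}


def count_matrix(docs, tokenizer, index):
    """One row per document; column j holds the count of token j."""
    rows = []
    for doc in docs:
        counts = Counter(tokenizer(doc))
        rows.append([counts.get(tok, 0) for tok in index])
    return rows


def augmented_features(docs):
    """Return (rows, column_names): document-term columns followed by
    document-character columns, so each row is one augmented feature vector."""
    term_index = build_index(docs, term_tokens)
    char_index = build_index(docs, char_tokens)
    term_rows = count_matrix(docs, term_tokens, term_index)
    char_rows = count_matrix(docs, char_tokens, char_index)
    rows = [t + c for t, c in zip(term_rows, char_rows)]
    names = [f"term:{t}" for t in term_index] + [f"char:{c!r}" for c in char_index]
    return rows, names
```

The resulting rows are what a reconstruction-based detector such as the paper's autoencoder would be trained on; the character columns let rare operator-supplied strings (encoded arguments, unusual paths) contribute even when every whitespace-delimited term is unseen.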