Abstract

The cyber security industry is rapidly adopting threat hunting as a proactive tool for earlier and faster detection of suspected malicious actors. In this paper, we propose a machine-learning-based method, Unsupervised Hunting of Anomalous Commands (UHAC), to detect text-based anomalous commands in security information and event management (SIEM) logs that are good candidates for threat hunting. A unique feature of the proposed method is that it first creates a feature set by augmenting the document-term matrix with the document-character matrix. Then, an autoencoder-based detector is trained on this feature set using a custom loss function. UHAC consistently outperforms other feature sets and algorithms such as one-class support vector machine, density-based spatial clustering of applications with noise, and word-embedding-based models such as word2vec. The UHAC detector identifies 84–89% of anomalies in the top 10% of the data. Findings have implications for cybersecurity analysts who perform threat hunting in SIEM logs for process auditing on endpoint devices.
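The feature-set construction described above, as an added illustration that is not code from the paper: each command line is turned into a document-term row and a document-character (bigram) row, the two are concatenated into one augmented feature vector, and the rows are ranked so the top 10% can be handed to a hunter. The command lines are constructed, and the scorer is a distance-from-centroid stand-in (an assumption for brevity) where UHAC uses an autoencoder's reconstruction error.

```python
import math
from collections import Counter

# Constructed sample of SIEM process-audit command lines; the last one is the planted outlier.
COMMANDS = [
    "svchost.exe -k netsvcs -p -s schedule",
    "svchost.exe -k netsvcs -p -s bits",
    "svchost.exe -k localservice -p -s dhcp",
    "svchost.exe -k localservice -p -s dnscache",
    "chrome.exe --type=renderer --lang=en-us",
    "chrome.exe --type=renderer --lang=en-us",
    "chrome.exe --type=utility --lang=en-us",
    "chrome.exe --type=utility --lang=en-us",
    "explorer.exe",
    r"c:\users\public\q7z.tmp\wx91.exe -k 8hf2 -m jq4v -r 2pz9 -t 5yb3",
]

def term_counts(cmd):
    """Document-term view: whitespace-delimited tokens of the lowercased command."""
    return Counter(cmd.lower().split())

def char_counts(cmd, n=2):
    """Document-character view: overlapping character n-grams (bigrams by default)."""
    s = cmd.lower()
    return Counter(s[i:i + n] for i in range(len(s) - n + 1))

def build_features(commands, n=2):
    """Augmented feature set: document-term columns followed by document-character columns."""
    term_vocab = sorted({t for c in commands for t in term_counts(c)})
    char_vocab = sorted({g for c in commands for g in char_counts(c, n)})
    rows = []
    for c in commands:
        tc, cc = term_counts(c), char_counts(c, n)
        rows.append([tc[t] for t in term_vocab] + [cc[g] for g in char_vocab])
    return term_vocab + char_vocab, rows

def anomaly_scores(rows):
    """Stand-in for the autoencoder (assumption): Euclidean distance of each row from
    the column-wise mean; in UHAC the reconstruction error plays this role."""
    k = len(rows[0])
    mean = [sum(r[j] for r in rows) / len(rows) for j in range(k)]
    return [math.sqrt(sum((r[j] - mean[j]) ** 2 for j in range(k))) for r in rows]

def hunt_candidates(commands, fraction=0.10):
    """Commands in the top `fraction` of anomaly scores, highest first: the hunting candidates."""
    _, rows = build_features(commands)
    keep = max(1, math.ceil(fraction * len(commands)))
    ranked = sorted(zip(anomaly_scores(rows), commands), reverse=True)
    return [cmd for _, cmd in ranked[:keep]]
```

Because the character view captures the unusual path and argument shapes even when the token view has never seen them, the planted line ranks first; swapping in a trained autoencoder only changes `anomaly_scores`.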
