Abstract
We propose a framework for anomaly detection in communication network logs along with automated extraction of human-readable annotations that explain the decision logic underlying each anomaly detection. For this purpose, we develop a machine learning methodology formulated in terms of a model comprised of an OR-combination of multiple Boolean logic based sentences. Each sentence is an empirically learned set of inequality conditions involving subsets of features. The feature set, which comprises the “alphabet” for human-readable annotations, is constructed using dynamic graph based spatio-temporal aggregation to extract human-understandable aggregates of network activity. These aggregates are constructed both in terms of computers (nodes in dynamic graph) and communications between computers (edges in dynamic graph). From the alphabet, the learned model identifies subsets of features that relate to each anomaly type and the combinations of conditions in terms of the feature subsets for detection of the specific anomaly type. Given a data point that the learned model detects as anomalous, the model identifies the specific features and their combinations related to the anomaly detection. These human-readable annotations provide a cyber-security analyst a transparent view into the decision logic underlying an anomaly detection.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callMore From: IEEE Transactions on Network and Service Management
Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
