Abstract

<i>Behavioral anomaly detection</i> (BAD) is expected to address a variety of security issues effectively by detecting deviations from the normal behavioral patterns of protected agents. We propose a new graph-based behavioral modeling paradigm for the BAD problem, named the <i>behavioral identification graph</i> (BIG), which has distinct advantages over existing methods because it deeply mines the <i>property-level</i> (as an enhancement to the <i>event-level</i>) associations in behavioral data. Under BIG, the behavioral properties and their co-occurrence associations in behavioral data are modeled as the entities and relationships of a graph, respectively; furthermore, behavioral properties and events are both vectorized by a devised event-property composite model, and the behavioral patterns of agents are finally represented as a multidimensional spatial distribution of behavioral properties. Consequently, for a behavior, the intensity of its behavioral anomaly can be transformed into the spatial decentrality of its behavioral agent and properties, which contain both fine-grained information between behavioral properties and coarse-grained information between behavioral events. To the best of our knowledge, this is the first work to improve behavioral modeling for anomaly detection by integrating <i>inter</i> (event-level) and <i>intra</i> (property-level) associations of behaviors into a unified graph and space. Our method is validated on four representative security issues, i.e., <i>fraud detection</i> in online payment services (by transaction behaviors), <i>intrusion detection</i> in network communication services (by traffic behaviors), <i>insider threat detection</i> in organizational information systems (by system behaviors), and <i>compromise detection</i> in social networking services (by trajectory behaviors).
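The idea of scoring an event by how far its properties sit from the agent in a shared space can be sketched as follows. This is an added illustration, not the paper's code: the sample events, the property token names, the normalized adjacency-row vectors (a stand-in for the paper's event-property composite model) and the cosine-distance score are all assumptions.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed sample history: (agent, set of behavioral properties in one event).
HISTORY = [
    ("alice", {"dev:laptop", "ip:home", "hour:day", "amt:low"}),
    ("alice", {"dev:laptop", "ip:home", "hour:day", "amt:mid"}),
    ("alice", {"dev:laptop", "ip:office", "hour:day", "amt:low"}),
    ("bob", {"dev:phone", "ip:cafe", "hour:night", "amt:high"}),
    ("bob", {"dev:phone", "ip:cafe", "hour:night", "amt:mid"}),
    ("bob", {"dev:phone", "ip:mobile", "hour:night", "amt:high"}),
]

def build_graph(history):
    """Co-occurrence graph: nodes are properties (and agents); an edge
    weight counts the events in which both endpoints appear together."""
    graph = defaultdict(lambda: defaultdict(float))
    for agent, props in history:
        nodes = sorted(props | {"agent:" + agent})
        for a, b in combinations(nodes, 2):
            graph[a][b] += 1.0
            graph[b][a] += 1.0
    return graph

def embed(graph):
    """Assumed vectorization: each node's L2-normalized adjacency row,
    with a self weight so a node lies close to its strongest neighbours."""
    vecs = {}
    for node, nbrs in graph.items():
        row = dict(nbrs)
        row[node] = max(nbrs.values())
        norm = math.sqrt(sum(w * w for w in row.values()))
        vecs[node] = {k: w / norm for k, w in row.items()}
    return vecs

def cosine_distance(u, v):
    """1 - cosine similarity of two unit-length sparse vectors, clamped at 0."""
    return max(0.0, 1.0 - sum(w * v.get(k, 0.0) for k, w in u.items()))

def anomaly_score(vecs, agent, props):
    """Decentrality of an event: mean distance between the agent's vector
    and each property vector. Never-seen properties get the maximum, 1.0."""
    centre = vecs["agent:" + agent]
    dists = [cosine_distance(centre, vecs[p]) if p in vecs else 1.0
             for p in props]
    return sum(dists) / len(dists)

if __name__ == "__main__":
    vecs = embed(build_graph(HISTORY))
    for event in ({"dev:laptop", "ip:home", "hour:day", "amt:low"},
                  {"dev:phone", "ip:cafe", "hour:night", "amt:high"}):
        print(sorted(event), round(anomaly_score(vecs, "alice", event), 3))
```

Because the score is computed per property, an event that reuses alice's device but arrives from a never-seen address still scores between the two extremes, which an event-level model that only matches whole events would not show.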
