Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset

Bishal Lakha; Sara Lilly Mount; Edoardo Serra; Alfredo Cuzzocrea

doi:10.1109/BigData55660.2022.10020336

Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset

Bishal Lakha, Sara Lilly Mount, Edoardo Serra, Alfredo Cuzzocrea

Computer Science Department

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

With the increasing prevalence of the internet, detecting malicious behavior is becoming a greater need. This problem can be formulated as an anomaly detection task on provenance data, where attacks are detectable as anomalies in the behavior of the system. While network data is quite prevalent, we focus on system logs and propose a novel approach with two main components. The first is to make use of the graph-like structure of the logs in which processes enact events and generate additional processes, using a graph neural network (GNN) to produce representations of each event which encode information about their neighboring events in an unsupervised manner. The second is to make use of the complex features such as command arguments which vary widely and cannot be used in the presented format as features in typical machine learning algorithms. If these features are instead encoded using transformer models, they can then be used in other algorithms such as a GNN or anomaly detector. These two approaches combined improve anomaly detection results for the BETH dataset by around 8 percent as compared to the manually engineered features alone.

Original language	English
Title of host publication	Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022
Editors	Shusaku Tsumoto, Yukio Ohsawa, Lei Chen, Dirk Van den Poel, Xiaohua Hu, Yoichi Motomura, Takuya Takagi, Lingfei Wu, Ying Xie, Akihiro Abe, Vijay Raghavan
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	5756-5764
Number of pages	9
ISBN (Electronic)	9781665480451
DOIs	https://doi.org/10.1109/BigData55660.2022.10020336
State	Published - 2022
Event	2022 IEEE International Conference on Big Data, Big Data 2022 - Osaka, Japan Duration: 17 Dec 2022 → 20 Dec 2022

Publication series

Name	Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022

Conference

Conference	2022 IEEE International Conference on Big Data, Big Data 2022
Country/Territory	Japan
City	Osaka
Period	17/12/22 → 20/12/22

Access to Document

10.1109/BigData55660.2022.10020336

Cite this

Lakha, B., Mount, S. L., Serra, E., & Cuzzocrea, A. (2022). Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset. In S. Tsumoto, Y. Ohsawa, L. Chen, D. Van den Poel, X. Hu, Y. Motomura, T. Takagi, L. Wu, Y. Xie, A. Abe, & V. Raghavan (Eds.), Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022 (pp. 5756-5764). (Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/BigData55660.2022.10020336

Lakha, Bishal ; Mount, Sara Lilly ; Serra, Edoardo et al. / Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model : A Case Study with BETH Dataset. Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022. editor / Shusaku Tsumoto ; Yukio Ohsawa ; Lei Chen ; Dirk Van den Poel ; Xiaohua Hu ; Yoichi Motomura ; Takuya Takagi ; Lingfei Wu ; Ying Xie ; Akihiro Abe ; Vijay Raghavan. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 5756-5764 (Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022).

@inproceedings{56c83506a7c74a89985fe12595bd6197,

title = "Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset",

abstract = "With the increasing prevalence of the internet, detecting malicious behavior is becoming a greater need. This problem can be formulated as an anomaly detection task on provenance data, where attacks are detectable as anomalies in the behavior of the system. While network data is quite prevalent, we focus on system logs and propose a novel approach with two main components. The first is to make use of the graph-like structure of the logs in which processes enact events and generate additional processes, using a graph neural network (GNN) to produce representations of each event which encode information about their neighboring events in an unsupervised manner. The second is to make use of the complex features such as command arguments which vary widely and cannot be used in the presented format as features in typical machine learning algorithms. If these features are instead encoded using transformer models, they can then be used in other algorithms such as a GNN or anomaly detector. These two approaches combined improve anomaly detection results for the BETH dataset by around 8 percent as compared to the manually engineered features alone.",

author = "Bishal Lakha and Mount, {Sara Lilly} and Edoardo Serra and Alfredo Cuzzocrea",

note = "Publisher Copyright: {\textcopyright} 2022 IEEE.; 2022 IEEE International Conference on Big Data, Big Data 2022 ; Conference date: 17-12-2022 Through 20-12-2022",

year = "2022",

doi = "10.1109/BigData55660.2022.10020336",

language = "English",

series = "Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "5756--5764",

editor = "Shusaku Tsumoto and Yukio Ohsawa and Lei Chen and {Van den Poel}, Dirk and Xiaohua Hu and Yoichi Motomura and Takuya Takagi and Lingfei Wu and Ying Xie and Akihiro Abe and Vijay Raghavan",

booktitle = "Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022",

}

Lakha, B, Mount, SL, Serra, E & Cuzzocrea, A 2022, Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset. in S Tsumoto, Y Ohsawa, L Chen, D Van den Poel, X Hu, Y Motomura, T Takagi, L Wu, Y Xie, A Abe & V Raghavan (eds), Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022. Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022, Institute of Electrical and Electronics Engineers Inc., pp. 5756-5764, 2022 IEEE International Conference on Big Data, Big Data 2022, Osaka, Japan, 17/12/22. https://doi.org/10.1109/BigData55660.2022.10020336

Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset. / Lakha, Bishal; Mount, Sara Lilly; Serra, Edoardo et al.
Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022. ed. / Shusaku Tsumoto; Yukio Ohsawa; Lei Chen; Dirk Van den Poel; Xiaohua Hu; Yoichi Motomura; Takuya Takagi; Lingfei Wu; Ying Xie; Akihiro Abe; Vijay Raghavan. Institute of Electrical and Electronics Engineers Inc., 2022. p. 5756-5764 (Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model

T2 - 2022 IEEE International Conference on Big Data, Big Data 2022

AU - Lakha, Bishal

AU - Mount, Sara Lilly

AU - Serra, Edoardo

AU - Cuzzocrea, Alfredo

PY - 2022

Y1 - 2022

N2 - With the increasing prevalence of the internet, detecting malicious behavior is becoming a greater need. This problem can be formulated as an anomaly detection task on provenance data, where attacks are detectable as anomalies in the behavior of the system. While network data is quite prevalent, we focus on system logs and propose a novel approach with two main components. The first is to make use of the graph-like structure of the logs in which processes enact events and generate additional processes, using a graph neural network (GNN) to produce representations of each event which encode information about their neighboring events in an unsupervised manner. The second is to make use of the complex features such as command arguments which vary widely and cannot be used in the presented format as features in typical machine learning algorithms. If these features are instead encoded using transformer models, they can then be used in other algorithms such as a GNN or anomaly detector. These two approaches combined improve anomaly detection results for the BETH dataset by around 8 percent as compared to the manually engineered features alone.

AB - With the increasing prevalence of the internet, detecting malicious behavior is becoming a greater need. This problem can be formulated as an anomaly detection task on provenance data, where attacks are detectable as anomalies in the behavior of the system. While network data is quite prevalent, we focus on system logs and propose a novel approach with two main components. The first is to make use of the graph-like structure of the logs in which processes enact events and generate additional processes, using a graph neural network (GNN) to produce representations of each event which encode information about their neighboring events in an unsupervised manner. The second is to make use of the complex features such as command arguments which vary widely and cannot be used in the presented format as features in typical machine learning algorithms. If these features are instead encoded using transformer models, they can then be used in other algorithms such as a GNN or anomaly detector. These two approaches combined improve anomaly detection results for the BETH dataset by around 8 percent as compared to the manually engineered features alone.

UR - http://www.scopus.com/inward/record.url?scp=85147974473&partnerID=8YFLogxK

U2 - 10.1109/BigData55660.2022.10020336

DO - 10.1109/BigData55660.2022.10020336

M3 - Conference contribution

AN - SCOPUS:85147974473

T3 - Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022

SP - 5756

EP - 5764

BT - Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022

A2 - Tsumoto, Shusaku

A2 - Ohsawa, Yukio

A2 - Chen, Lei

A2 - Van den Poel, Dirk

A2 - Hu, Xiaohua

A2 - Motomura, Yoichi

A2 - Takagi, Takuya

A2 - Wu, Lingfei

A2 - Xie, Ying

A2 - Abe, Akihiro

A2 - Raghavan, Vijay

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 17 December 2022 through 20 December 2022

ER -

Lakha B, Mount SL, Serra E, Cuzzocrea A. Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset. In Tsumoto S, Ohsawa Y, Chen L, Van den Poel D, Hu X, Motomura Y, Takagi T, Wu L, Xie Y, Abe A, Raghavan V, editors, Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 5756-5764. (Proceedings - 2022 IEEE International Conference on Big Data, Big Data 2022). doi: 10.1109/BigData55660.2022.10020336

Anomaly Detection in Cybersecurity Events Through Graph Neural Network and Transformer Based Model: A Case Study with BETH Dataset

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this