User Behavior Modeling and Anomaly Detection in Cybersecurity Data Using Deep Learning

Publisher

Pulchowk Campus

Abstract

User behavior analytics is currently one of the trending topics in the field of cybersecurity. Traditionally, people were not much concerned about attacks originating from the intentional or unintentional actions of employees within the organization. With daily news about data breaches that organizations suffer at the hands of their own employees, employers are becoming more concerned about the need to monitor users' behavior within the network. This thesis proposes an approach to user behavior analytics and describes a mechanism to process and analyze raw events related to user actions. The CERT insider threat dataset has been used for the research. For each user in the dataset, the feature vectors for machine learning are prepared by extracting key information from the corresponding raw events and aggregating the frequency of actions within the session window. An unsupervised learning model, the LSTM Autoencoder, has been implemented for behavior learning and anomaly detection. The whole dataset, i.e. the feature vectors, is divided chronologically into training, validation and testing sets. The model is taught to learn normal behavior. During the testing phase, when unseen behavior or an anomalous pattern is fed to the model, it produces a high reconstruction error, which is an indication of an anomaly. The experiment yielded a test accuracy of 89.74%, True Positives of 90.53% and False Positives of 10.26%.
