GraphBAD: A General Technique for Anomaly Detection in Security Information and Event Management

Research output: Contribution to journalArticle

2 Citations (Scopus)

Abstract

The reliance on expert knowledge –required for analysing security logs and performing security audits– has created an unhealthy balance where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life is exacerbating this problem where small companies and home IT users are not able to afford the price of experts for auditing their systems configuration.

In this paper we present GraphBAD, a graph-based analysis tool able to analyse security configurations in order to identify anomalies that could lead to potential security risks. \system{}, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configurations anomalies and suggesting appropriate mitigation plans.
LanguageEnglish
Article numbere4433
Number of pages16
JournalConcurrency Computation Practice and Experience
Volume30
Issue number16
Early online date28 Jan 2018
DOIs
Publication statusPublished - 25 Aug 2018

Fingerprint

Information Security
Anomaly Detection
Configuration
Testing
Audit
Costs
Industry
Anomaly
Auditing
Set Systems
File System
Domain Knowledge
Experimental Analysis
Graph in graph theory
Prior Knowledge

Cite this

@article{559da2f199e146adbc3798d4cf0dee93,
title = "GraphBAD: A General Technique for Anomaly Detection in Security Information and Event Management",
abstract = "The reliance on expert knowledge –required for analysing security logs and performing security audits– has created an unhealthy balance where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life is exacerbating this problem where small companies and home IT users are not able to afford the price of experts for auditing their systems configuration. In this paper we present GraphBAD, a graph-based analysis tool able to analyse security configurations in order to identify anomalies that could lead to potential security risks. \system{}, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configurations anomalies and suggesting appropriate mitigation plans.",
keywords = "anomaly detection, graph structure, log files, security auditing, SIEM",
author = "Simon Parkinson and Mauro Vallati and Andrew Crampton and Shirin Sohrabi",
year = "2018",
month = "8",
day = "25",
doi = "10.1002/cpe.4433",
language = "English",
volume = "30",
journal = "Concurrency Computation Practice and Experience",
issn = "1532-0626",
publisher = "John Wiley and Sons Ltd",
number = "16",

}

TY - JOUR

T1 - GraphBAD

T2 - Concurrency Computation Practice and Experience

AU - Parkinson, Simon

AU - Vallati, Mauro

AU - Crampton, Andrew

AU - Sohrabi, Shirin

PY - 2018/8/25

Y1 - 2018/8/25

N2 - The reliance on expert knowledge –required for analysing security logs and performing security audits– has created an unhealthy balance where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life is exacerbating this problem where small companies and home IT users are not able to afford the price of experts for auditing their systems configuration. In this paper we present GraphBAD, a graph-based analysis tool able to analyse security configurations in order to identify anomalies that could lead to potential security risks. \system{}, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configurations anomalies and suggesting appropriate mitigation plans.

AB - The reliance on expert knowledge –required for analysing security logs and performing security audits– has created an unhealthy balance where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life is exacerbating this problem where small companies and home IT users are not able to afford the price of experts for auditing their systems configuration. In this paper we present GraphBAD, a graph-based analysis tool able to analyse security configurations in order to identify anomalies that could lead to potential security risks. \system{}, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configurations anomalies and suggesting appropriate mitigation plans.

KW - anomaly detection

KW - graph structure

KW - log files

KW - security auditing

KW - SIEM

UR - http://onlinelibrary.wiley.com/journal/10.1002/(ISSN)1532-0634

UR - http://www.scopus.com/inward/record.url?scp=85041032110&partnerID=8YFLogxK

U2 - 10.1002/cpe.4433

DO - 10.1002/cpe.4433

M3 - Article

VL - 30

JO - Concurrency Computation Practice and Experience

JF - Concurrency Computation Practice and Experience

SN - 1532-0626

IS - 16

M1 - e4433

ER -