Detecting Malicious Authentication Events Trustfully

Title: Detecting Malicious Authentication Events Trustfully
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Kaiafas, G., Varisteas, G., Lagraa, S., State, R., Nguyen, C. D., Ries, T., Ourdane, M.
Conference Name: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium
Date Published: April
Keywords: anomaly detection, authentication, authentication event, Bipartite graph, Collaboration, Computational modeling, false attacks, false negative rate, false positive rate, false trust, feature extraction, Forestry, learning (artificial intelligence), legitimate user behavior, logistic regression model, Logistics, LogitBoost model, Los Alamos dataset, malicious authentication event detection, malicious class, pattern classification, policy-based governance, Predictive models, pubcrawl, random forest model, regression analysis, resilience, Resiliency, Scalability, security logs, supervised learning technique, Trusted Computing, trustful predictions, ultimately majority voting model

Abstract: Anomaly detection on security logs is receiving more and more attention. Authentication events are an important component of security logs, and being able to produce trustful and accurate predictions minimizes the effort cyber-experts spend chasing false attacks. Observed events are classified into Normal, for legitimate user behavior, and Malicious, for malevolent actions. These classes are consistently and excessively imbalanced, which makes the classification problem harder; in the commonly used Los Alamos dataset, the malicious class comprises only 0.00033% of the total. This work proposes a novel method to extract advanced composite features, and a supervised learning technique for classifying authentication logs trustfully; the models are Random Forest, LogitBoost, Logistic Regression, and ultimately Majority Voting, which leverages the predictions of the previous models and gives the final prediction for each authentication event. We measure the performance of our experiments using the False Negative Rate and False Positive Rate. Overall we achieve a False Negative Rate of 0 (i.e. no attack was missed), and on average a False Positive Rate of 0.0019.

Citation Key: kaiafas_detecting_2018