
DMNAED: A Novel Framework Based on Dynamic Memory Network for Abnormal Event Detection in Enterprise Networks

  • Conference paper
  • Advances in Knowledge Discovery and Data Mining (PAKDD 2019)

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 11439)

Abstract

Abnormal event detection is a crucial step towards discovering insider threats in enterprise networks. However, most existing anomaly detection approaches fail to capture latent correlations between disparate events in different domains, either because they lack a panoramic view across domains or because they cannot attend to the context iteratively. In light of this, this paper presents DMNAED, a novel framework based on a dynamic memory network for abnormal event detection in enterprise networks. Inspired by question answering systems in natural language processing, DMNAED treats the event to be inspected as a question and a sequence of multi-domain historical events as the context. Through an iterative attention process, DMNAED captures the interrelation between context and question and aggregates the relevant historical events, yielding more accurate anomaly detection. Experimental results on the CERT insider threat dataset r4.2 demonstrate that DMNAED exhibits more stable and superior performance than three baseline methods in identifying aberrant events in multi-user and multi-domain environments.

Notes

  1. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508099

Acknowledgments

This research was supported by National Research and Development Program of China (No. 2017YFB1010000).

Author information

Corresponding author

Correspondence to Liming Wang.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Ren, X., Wang, L. (2019). DMNAED: A Novel Framework Based on Dynamic Memory Network for Abnormal Event Detection in Enterprise Networks. In: Yang, Q., Zhou, Z.H., Gong, Z., Zhang, M.L., Huang, S.J. (eds.) Advances in Knowledge Discovery and Data Mining. PAKDD 2019. Lecture Notes in Computer Science, vol. 11439. Springer, Cham. https://doi.org/10.1007/978-3-030-16148-4_44

  • DOI: https://doi.org/10.1007/978-3-030-16148-4_44

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16147-7

  • Online ISBN: 978-3-030-16148-4

  • eBook Packages: Computer Science (R0)
