General-Purpose Unsupervised Cyber Anomaly Detection via Non-Negative Tensor Factorization
Abstract
Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behavior analysis yields accurate detections by learning behavior profiles from observed user activity. These unsupervised models are able to generalize to unseen types of attacks by detecting deviations from normal behavior, without knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. Non-negative tensor factorization, on the other hand, is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behavior profiles. Our new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detection of compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions.
Keywords:
anomaly detection, Poisson tensor factorization, non-negative tensor factorization, unsupervised learning, cyber security, CPD, malware, data fusion, ensemble learning, GPU
Citation:
Maksim E. Eren, Juston S. Moore, Erik Skau, Elisabeth Moore, Manish Bhattarai, Gopinath Chennupati, and Boian S. Alexandrov. 2023. General-purpose Unsupervised Cyber Anomaly Detection via Non-negative Tensor Factorization. Digital Threats 4, 1, Article 6 (March 2023), 28 pages. https://doi.org/10.1145/3519602
BibTeX:
@article{10.1145/3519602,
author = {Eren, Maksim E. and Moore, Juston S. and Skau, Erik and Moore, Elisabeth and Bhattarai, Manish and Chennupati, Gopinath and Alexandrov, Boian S.},
title = {General-purpose Unsupervised Cyber Anomaly Detection via Non-negative Tensor Factorization},
year = {2023},
issue_date = {March 2023},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {4},
number = {1},
url = {https://doi.org/10.1145/3519602},
doi = {10.1145/3519602},
abstract = {Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behavior analysis yields accurate detections by learning behavior profiles from observed user activity. These unsupervised models are able to generalize to unseen types of attacks by detecting deviations from normal behavior without knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. Non-negative tensor factorization, however, is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behavior profiles. Our new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detection of compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions.},
journal = {Digital Threats},
month = mar,
articleno = {6},
numpages = {28},
keywords = {Anomaly detection, Poisson tensor factorization, non-negative tensor factorization, unsupervised learning, cyber security, CPD, malware, data fusion, ensemble learning, GPU}
}
Maksim E. Eren
Scientist
My research interests lie at the intersection of the machine learning and cybersecurity disciplines, with a concentration in tensor decomposition.