Peer-group Behaviour Analytics of Windows Authentications Events Using Hierarchical Bayesian Modelling

Peer-group Behaviour Analytics of Windows Authentications Events Using Hierarchical Bayesian Modelling

Cyber-security analysts face an increasingly large number of alerts received on any given day. This is mainly due to the low precision of many existing methods to detect threats, producing a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are...

Full description

Saved in:
Bibliographic Details
Main Authors: Hawryluk, Iwona, Hoeltgebaum, Henrique, Sodja, Cole, Lalicker, Tyler, Neil, Joshua
Format: Journal Article
Language:English
Published: 20-09-2022
Subjects:
Computer Science - Cryptography and Security
Statistics - Applications
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Cyber-security analysts face an increasingly large number of alerts received on any given day. This is mainly due to the low precision of many existing methods to detect threats, producing a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are implemented within a computer network to detect threats. Recent efforts in User and Entity Behaviour Analytics modelling shed a light on how to reduce the burden on Security Operations Centre analysts through a better understanding of peer-group behaviour. Statistically, the challenge consists of accurately grouping users with similar behaviour, and then identifying those who deviate from their peers. This work proposes a new approach for peer-group behaviour modelling of Windows authentication events, using principles from hierarchical Bayesian models. This is a two-stage approach where in the first stage, peer-groups are formed based on a data-driven method, given the user's individual authentication pattern. In the second stage, the counts of users authenticating to different entities are aggregated by an hour and modelled by a Poisson distribution, taking into account seasonality components and hierarchical principles. Finally, we compare grouping users based on their human resources records against the data-driven methods and provide empirical evidence about alert reduction on a real-world authentication data set from a large enterprise network.
DOI:10.48550/arxiv.2209.09769