SIERRA: Ranking Anomalous Activities in Enterprise Networks

by Jehyun Lee, et al.

An enterprise today deploys multiple security middleboxes, such as firewalls, IDS, and IPS, in its network to collect different kinds of events related to threats and attacks. These events are streamed into a SIEM (Security Information and Event Management) system for analysts to investigate and respond to quickly with appropriate actions. However, the number of events collected for a single enterprise can easily run into hundreds of thousands per day, far more than analysts can investigate under a given budget constraint (time). In this work, we look into the problem of prioritizing suspicious events or anomalies for analysts to investigate further. We develop SIERRA, a system that processes event logs from multiple and diverse middleboxes to detect and rank anomalous activities. SIERRA takes an unsupervised approach and therefore has no dependence on ground-truth data. Unlike other works, SIERRA defines contexts that let it provide visual explanations of highly ranked anomalous points to analysts, despite employing unsupervised models. We evaluate SIERRA using months of logs from multiple security middleboxes of an enterprise network. The evaluations demonstrate SIERRA's capability to detect the top anomalies in a network while outperforming both naive application of existing anomaly detection algorithms and a state-of-the-art SIEM-based anomaly detection solution.
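To make the problem statement concrete, the following is an added illustration and not SIERRA's code or the paper's method: it aggregates constructed event records from three middleboxes (firewall, IDS, proxy) into one feature vector per (time window, host), scores each vector without labels using a robust z-score (median and MAD) as a simple stand-in for the unsupervised models the abstract mentions, and returns the top-ranked points together with the per-middlebox feature that drove each score, which is the kind of context an analyst needs to decide what to look at first. The baseline counts and the two injected bursts are constructed sample data; the feature names (`middlebox:event_type`) and the MAD fallback are assumptions of this example.

```python
"""Added illustration (not SIERRA's code): unsupervised ranking of anomalous
(window, host) activity built from constructed multi-middlebox event logs,
with a per-feature explanation of why each point ranks where it does."""
from collections import defaultdict
from statistics import median


# Constructed sample: one tuple per aggregated log record
#   (window, host, middlebox, event_type, count)
def build_sample_events():
    events = []
    for w in range(6):           # six consecutive time windows
        for h in range(10):      # ten internal hosts
            host = f"host{h}"
            events.append((w, host, "firewall", "deny", 2 + (h + w) % 3))
            events.append((w, host, "ids", "alert", 1 + (h * w) % 2))
            events.append((w, host, "proxy", "blocked_url", (h + 2 * w) % 2))
    # Constructed anomalies injected on top of the baseline
    events.append((4, "host7", "firewall", "deny", 40))   # burst of firewall denies
    events.append((2, "host3", "ids", "alert", 12))       # burst of IDS alerts
    return events


def build_feature_table(events):
    """Aggregate records into one feature vector per (window, host).
    Feature names are 'middlebox:event_type' (an assumption of this example)
    so each feature stays tied to the middlebox that produced it."""
    table = defaultdict(lambda: defaultdict(int))
    features = set()
    for window, host, middlebox, event_type, count in events:
        name = f"{middlebox}:{event_type}"
        table[(window, host)][name] += count
        features.add(name)
    # Fill absent features with 0 so every row has the same columns
    return {key: {f: row.get(f, 0) for f in sorted(features)}
            for key, row in table.items()}


def robust_scales(table):
    """Per-feature median and MAD-based scale; no labels are used anywhere."""
    scales = {}
    for feature in next(iter(table.values())):
        values = [row[feature] for row in table.values()]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # 1.4826 makes MAD comparable to a standard deviation for normal data;
        # a MAD of 0 (near-constant feature) falls back to a scale of 1.0 (simplification).
        scales[feature] = (med, 1.4826 * mad if mad > 0 else 1.0)
    return scales


def rank_anomalies(table, top_k=5):
    """Score each (window, host) by its largest absolute robust z-score across
    features and return the top_k, each with the driving feature and the full
    per-feature breakdown an analyst can inspect."""
    scales = robust_scales(table)
    results = []
    for (window, host), row in table.items():
        breakdown = {f: round((row[f] - med) / scale, 2)
                     for f, (med, scale) in scales.items()}
        driver = max(breakdown, key=lambda f: abs(breakdown[f]))
        results.append({"window": window, "host": host,
                        "score": abs(breakdown[driver]),
                        "driver": driver, "breakdown": breakdown})
    results.sort(key=lambda r: r["score"], reverse=True)
    return results[:top_k]


if __name__ == "__main__":
    for r in rank_anomalies(build_feature_table(build_sample_events()), top_k=3):
        print(f"window={r['window']} host={r['host']} score={r['score']:.2f} "
              f"driver={r['driver']} breakdown={r['breakdown']}")
```

On the constructed data the two injected bursts come out as the top two points, each explained by the middlebox feature that caused it, while every baseline row scores close to zero. Scoring on the maximum per-feature deviation is what keeps the explanation simple; a real system would also have to handle features with heavy-tailed baselines, where the MAD fallback used here would not be adequate.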

