Interpretable cyber-attack detection via unsupervised Bayesian modelling of categorical sequences
Attack detection; Bayesian modelling
Sequences of categorical data are common in cyber-security data, including event logs, network connections and command-line sessions. Statistical machine learning can be used to model the normal behaviour of these sequences for anomaly detection, or to identify and interpret cyber-attack patterns. However, many existing models for categorical sequences assume exchangeable or first-order dependent sequence elements, which fail to capture the complex, long-range dependencies often encountered in cyber-security data.
In this talk, I propose a Bayesian modelling framework that can capture sophisticated dependence structures in categorical sequences with the parsimony and memory efficiency needed for real-time data processing. The framework uses a variable-order Markov model that automatically learns the optimal context length, i.e., the number of preceding elements in a sequence considered when predicting the next element, while clustering elements for further dimensionality reduction. Unsupervised learning algorithms based on marginal likelihoods are used for model training. Preliminary results show significant improvements in the predictive capability of the proposed method compared to standard, fixed-order Markov models.
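As an added illustration (not code from the talk), the sketch below shows the core idea in Python: a context tree is grown greedily, keeping a context as a leaf unless splitting it into longer contexts raises the summed Dirichlet-multinomial marginal likelihood, and sequences are then scored by posterior-predictive log-probability. It stands in for the talk's learning algorithm, omits the element clustering, and uses a constructed "session" with an order-2 dependency (what follows `a` depends on the element before it) so that a fixed order-1 model is visibly worse.

```python
from collections import Counter, defaultdict
from math import lgamma, log

ALPHA = 0.5  # symmetric Dirichlet prior over each context's next-element distribution

def dm_loglik(counts, vocab_size, alpha=ALPHA):
    """Log marginal likelihood of next-element counts under a Dirichlet(alpha) prior."""
    n = sum(counts.values())
    ll = lgamma(vocab_size * alpha) - lgamma(vocab_size * alpha + n)
    return ll + sum(lgamma(alpha + c) - lgamma(alpha) for c in counts.values())

def count_contexts(seq, max_order):
    """counts[ctx][x]: times x followed ctx (ctx[-1] newest); same positions for every order."""
    counts = defaultdict(Counter)
    for i in range(max_order, len(seq)):
        for k in range(max_order + 1):
            counts[tuple(seq[i - k:i])][seq[i]] += 1
    return counts

def select_leaves(counts, ctx, vocab_size, max_order):
    """Greedy top-down context-length selection; returns (loglik, leaf contexts)."""
    own = dm_loglik(counts[ctx], vocab_size)
    if len(ctx) == max_order:
        return own, [ctx]
    child_ll, leaves = 0.0, []
    for child in [c for c in counts if len(c) == len(ctx) + 1 and c[1:] == ctx]:
        ll, lv = select_leaves(counts, child, vocab_size, max_order)
        child_ll, leaves = child_ll + ll, leaves + lv
    return (child_ll, leaves) if child_ll > own else (own, [ctx])  # split only if it pays

def fit(seq, max_order=3):
    counts = count_contexts(seq, max_order)
    _, leaves = select_leaves(counts, (), len(set(seq)), max_order)
    return {"counts": counts, "leaves": set(leaves), "V": len(set(seq)), "max_order": max_order}

def score(model, seq, leaves=None):
    """Mean posterior-predictive log-probability per element (lower = more anomalous)."""
    counts, V, total = model["counts"], model["V"], 0.0
    leaves = model["leaves"] if leaves is None else leaves  # pass a fixed-order leaf set to compare
    for i, x in enumerate(seq):
        suffixes = [tuple(seq[i - k:i]) for k in range(min(i, model["max_order"]), -1, -1)]
        ctx = next((s for s in suffixes if s in leaves), next(s for s in suffixes if s in counts))
        c = counts.get(ctx, Counter())  # longest selected leaf, else back off to any seen context
        total += log((c[x] + ALPHA) / (sum(c.values()) + V * ALPHA))  # unseen x gets prior mass only
    return total / len(seq)

if __name__ == "__main__":
    model = fit(list("abac") * 30)  # constructed normal session: an order-2 dependency after 'a'
    print(sorted(model["leaves"]))  # [('b',), ('b', 'a'), ('c',), ('c', 'a')]
    print(score(model, list("abacabac")), score(model, list("abababab")))  # normal vs. broken pattern
```

Passing `{c for c in model["counts"] if len(c) == 1}` as `leaves` scores the same data with a fixed order-1 model, which cannot tell the two `a` contexts apart and therefore assigns the normal session a lower log-probability.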