Wrongdoing Monitor: A Graph-Based Behavioral Anomaly Detection in Cyber Security

Detailed description

Bibliographic details
Published in: IEEE Transactions on Information Forensics and Security, 2022, Vol. 17, pp. 2703-2718
Main authors: Wang, Cheng; Zhu, Hangyu
Format: Article
Language: English

Description
Abstract: So-called behavioral anomaly detection (BAD) is expected to solve a variety of security issues effectively by detecting deviations from the normal behavioral patterns of protected agents. We propose a new graph-based behavioral modeling paradigm for the BAD problem, named behavioral identification graph (BIG), which has distinct advantages over existing methods by deeply mining the property-level associations in behavioral data (as an enhancement to the event-level ones). Under BIG, the behavioral properties and their co-occurrence associations in behavioral data are modeled as the entities and relationships of a graph, respectively; furthermore, behavioral properties and events are both vectorized by a devised event-property composite model, and the behavioral patterns of agents are finally represented as a multidimensional spatial distribution of behavioral properties. Consequently, for a behavior, the intensity of its behavioral anomaly can be transformed into the spatial decentrality of its behavioral agent and properties, which contain both fine-grained information between behavioral properties and coarse-grained information between behavioral events. To the best of our knowledge, this is the first work to improve behavioral modeling for anomaly detection by integrating inter-behavior (event-level) and intra-behavior (property-level) associations into a unified graph and space. Our method is validated on four representative security issues, i.e., fraud detection in online payment services (by transaction behaviors), intrusion detection in network communication services (by traffic behaviors), insider threat detection in organizational information systems (by system behaviors), and compromise detection in social networking services (by trajectory behaviors).
ISSN: 1556-6013, 1556-6021
DOI: 10.1109/TIFS.2022.3191493