Tracing Privilege Misuse Through Behavioral Anomaly Detection in Geometric Spaces


Bibliographic Details
Published in: 2020 13th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE), pp. 22-31
Main Authors: Duessel, Patrick; Luo, Shoufu; Flegel, Ulrich; Dietrich, Sven; Meier, Michael
Format: Conference Proceeding
Language: English
Published: IEEE, 01.05.2020

Summary: Privilege misuse is a common technique used by insiders to exfiltrate proprietary information or sabotage organizations. Although operating systems provide means to log security-related activities, indicators of compromise are often difficult to detect due to the frequently proprietary nature of the logging mechanisms in place, rendering the analysis of log files a daunting task. In this contribution we present a format-agnostic approach to detecting privilege misuse based on rule-free user activity models learned over the security audit logs typically provided by servers. We investigate language-model-based feature types (i.e. token grams, temporal token grams and attributed token grams) using One-Class Support Vector Machines (OC-SVM). We conduct experiments on synthetic as well as real-world data collected on Microsoft Windows 2008 servers to investigate the effect of feature types and similarity measures, and demonstrate the usability of this approach for privilege misuse detection as part of an insider threat detection program.
DOI: 10.1109/SADFE51007.2020.00012