A0595
Title: General-purpose unsupervised cyber anomaly detection via non-negative tensor factorization
Authors: Maksim Eren - Los Alamos National Laboratory (United States) [presenting]
Juston Moore - Los Alamos National Laboratory (United States)
Erik Skau - Los Alamos National Laboratory (United States)
Elisabeth Moore - Los Alamos National Laboratory (United States)
Manish Bhattarai - Los Alamos National Laboratory (United States)
Gopinath Chennupati - Amazon (United States)
Boian Alexandrov - Los Alamos National Laboratory (United States)
Abstract: Distinguishing malicious anomalous activities from unusual but benign activities is a fundamental challenge for cyber defenders. Prior studies have shown that statistical user behaviour analysis yields accurate detections by learning behaviour profiles from observed user activity. These unsupervised models can generalize to unseen types of attacks by detecting deviations from normal behaviour without the knowledge of specific attack signatures. However, approaches proposed to date based on probabilistic matrix factorization are limited by the information conveyed in a two-dimensional space. On the other hand, non-negative tensor factorization is a powerful unsupervised machine learning method that naturally models multi-dimensional data, capturing complex and multi-faceted details of behaviour profiles, allowing us to improve the sensitivity and specificity for anomaly detection tasks. The new unsupervised statistical anomaly detection methodology matches or surpasses state-of-the-art supervised learning baselines across several challenging and diverse cyber application areas, including detecting compromised user credentials, botnets, spam e-mails, and fraudulent credit card transactions. Our methodology is based on our SmartTensors AI project (winner of R&D 100 2021), a platform for accurate tensor decomposition algorithms that can scale to extra-large datasets.
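The following is an added illustration of the idea the abstract describes (a low-rank non-negative model of "normal" multi-dimensional behaviour, with anomalies surfaced as observations the model cannot explain); it is not code from the paper or from the SmartTensors project. It assumes only numpy, uses a constructed user x resource x hour count tensor rather than real telemetry, and fits a non-negative CP decomposition with the classical multiplicative-update rule for Frobenius loss. The paper's own algorithms, loss, rank selection and scoring are not specified on this page, so the residual-based score below is one simple choice for demonstration, not the authors' method.

```python
import numpy as np

EPS = 1e-9


def build_sample_tensor():
    """Constructed (not real) user x resource x hour access-count tensor.

    Two groups of users each access their own group's resources during their
    own working hours. One off-pattern access is injected as the anomaly:
    user 0 (group A) touches a group B resource at 02:00.
    """
    n_users, n_resources, n_hours = 6, 6, 24
    X = np.zeros((n_users, n_resources, n_hours))
    X[0:3, 0:3, 8:16] = 5.0    # group A: users 0-2, resources 0-2, 08:00-15:00
    X[3:6, 3:6, 14:22] = 5.0   # group B: users 3-5, resources 3-5, 14:00-21:00
    anomaly = (0, 5, 2)
    X[anomaly] = 6.0
    return X, anomaly


def ncp_decompose(X, rank, n_iter=500, seed=0):
    """Non-negative CP decomposition X ~ sum_r a_r (x) b_r (x) c_r.

    Multiplicative updates keep every factor non-negative as long as the
    initialisation is non-negative, which is what makes the learned
    components readable as additive behaviour profiles.
    """
    rng = np.random.default_rng(seed)
    A = rng.random((X.shape[0], rank)) + 0.1
    B = rng.random((X.shape[1], rank)) + 0.1
    C = rng.random((X.shape[2], rank)) + 0.1
    for _ in range(n_iter):
        # Each step is gradient-like: numerator from the data, denominator
        # from the current model, evaluated on the unfolding of that mode.
        A *= np.einsum("ijk,jr,kr->ir", X, B, C) / (A @ ((B.T @ B) * (C.T @ C)) + EPS)
        B *= np.einsum("ijk,ir,kr->jr", X, A, C) / (B @ ((A.T @ A) * (C.T @ C)) + EPS)
        C *= np.einsum("ijk,ir,jr->kr", X, A, B) / (C @ ((A.T @ A) * (B.T @ B)) + EPS)
    return A, B, C


def reconstruct(A, B, C):
    """Rebuild the full tensor from the factor matrices."""
    return np.einsum("ir,jr,kr->ijk", A, B, C)


def anomaly_scores(X, X_hat):
    """Standardised positive residual: how far above the 'normal' model's
    expectation an observed count is. Cells the low-rank model explains
    well score near zero; isolated off-pattern activity scores high."""
    return (X - X_hat) / np.sqrt(X_hat + 1.0)


def top_anomalies(X, rank=2, k=3):
    """Return the k highest-scoring (user, resource, hour) cells."""
    A, B, C = ncp_decompose(X, rank)
    S = anomaly_scores(X, reconstruct(A, B, C))
    order = np.argsort(S, axis=None)[::-1][:k]
    return [
        (tuple(int(v) for v in np.unravel_index(i, S.shape)), float(S.flat[i]))
        for i in order
    ]


if __name__ == "__main__":
    X, injected = build_sample_tensor()
    for cell, score in top_anomalies(X):
        flag = "  <-- injected" if cell == injected else ""
        print(f"user={cell[0]} resource={cell[1]} hour={cell[2]:02d} score={score:.2f}{flag}")
```

The rank is set to two because the constructed data has two behaviour profiles; on real data the rank would have to be chosen by a model-selection step, and a count-based (Poisson/KL) loss would fit event counts better than the Frobenius loss used here for brevity.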