Sec2graph: Network Attack Detection Based on Novelty Detection on Graph Structured Data

International audienceDetecting attacks against information systems is hard because of the highly distributed, heterogeneous and evolving nature of these systems, as well as because the threat landscape is constantly evolving. Being able to timely detect new kinds of attacks without generating too many false alarms is especially challenging. To tackle this challenge, many researchers proposed various anomaly detection techniques, that aim at identifying events that are inconsistent with past observations. Nowadays, supervised learning is often used to that end. Unfortunately, in the wild, security experts generally do not have labeled datasets and labeling their data would be excessively expensive. Unsupervised learning that does not require labeled data should then be used preferably, even if until now unsupervised approaches lead to less pertinent results than supervised ones. We introduce in this paper a representation of log files of various types in a unified and unique graph representation so-called security objects' graphs. This representation that mix and link events of different kinds constitute a rich description of the activities to be analyzed. To detect anomalies in these graphs, we propose an unsupervised learning approach based on auto-encoder. Our hypothesis is that as security objects' graphs bring a rich vision of the normal situation, an auto-encoder is able to build a relevant model of this situation. To validate this hypothesis, we apply this approach to the CICIDS20017 dataset and show that although our approach is unsupervised, its detection results are as good, and even better or much better, than those obtained by many supervised approaches