

Adaptive User Profiling with Online Incremental Machine Learning for Security Information and Event Management

Authors:
Dilli P. Sharma
Barjinder Kaur
Farzaneh Shoeleh
Masoud Erfani
Duc-Phong Le
Arash Habibi Lashkari
Ali A. Ghorbani

Keywords: Machine learning; anomaly detection; cybersecurity; user profiling; incremental learning

Abstract:
In the past few years, there has been exponential growth in network and Internet traffic. This trend will continue due to digitalization, resulting in more interconnectivity among users. As a consequence, more data is being treated as streaming data. This data, whose distribution is mostly non-stationary, high-speed, and of infinite length, contains information about user activities. Thus, it is essential to provide an anomaly detection model that can deal with the evolving nature of the data, update and adapt over time, enable system administrators to take timely action, and minimize false alarms. This paper proposes dynamic and adaptable user profiling for a security information and event management system using online incremental machine learning. An anomaly detection-based user profiling technique dynamically learns users' activities and updates their profiles over time. The experiments to detect anomalous activities are performed on datasets generated in a realistic scenario based on users' activities and recorded in three different time windows (30-minute, 1-hour, and 2-hour) over one month. The system's efficacy is evaluated with the Isolation Forest (iForest) approach to detect anomalies in incremental learning settings for all the datasets. We further compare the performance of our proposed incremental approach with a non-incremental baseline model in terms of the detection of abnormal user activities. The experimental results show that our proposed incremental model outperforms its non-incremental baseline. It can therefore be used more opportunistically to profile users as a component of Security Information and Event Management (SIEM) systems.

Pages: 82 to 87

Copyright: Copyright (c) IARIA, 2021

Publication date: November 14, 2021

Published in: conference

ISSN: 2162-2116

ISBN: 978-1-61208-919-5

Location: Athens, Greece

Dates: from November 14, 2021 to November 18, 2021