A compression-based method for detecting anomalies in textual data
Entity
UAM. Departamento de Ingeniería InformáticaPublisher
MDPIDate
2021-05-16Citation
10.3390/e23050618
Entropy 23.5 (2021): 618
ISSN
1099-4300DOI
10.3390/e23050618Funded by
This research has received funding from the European Union’s Horizon 2020 Research and Innovation Programme under grant agreement No. 872855 (TRESCA project), from the Comunidad de Madrid (Spain) under the projects CYNAMON (P2018/TCS-4566) and S2017/BMD-3688, co-financed with FSE and FEDER EU funds, by the Consejo Superior de Investigaciones Científicas (CSIC) under the project LINKA20216 (“Advancing in cybersecurity technologies”, i-LINK+ program), and by Spanish project MINECO/FEDER TIN2017-84452-RProject
info:eu-repo/grantAgreement/EC/H2020/872855/EU//TRESCA; Comunidad de Madrid. P2018/TCS-4566/CYNAMON; Comunidad de Madrid. S2017/BMD-3688/MULTITARGET&VIEW-CM; Gobierno de España. TIN2017-84452-REditor's Version
https://doi.org/10.3390/e23050618Subjects
Anomaly detection; Data-driven security; Intrusion detection systems; Normalized compression distance; Text mining; InformáticaRights
© 2021 by the authorsAbstract
Nowadays, information and communications technology systems are fundamental assets of our social and economical model, and thus they should be properly protected against the malicious activity of cybercriminals. Defence mechanisms are generally articulated around tools that trace and store information in several ways, the simplest one being the generation of plain text files coined as security logs. Such log files are usually inspected, in a semi-automatic way, by security analysts to detect events that may affect system integrity, confidentiality and availability. On this basis, we propose a parameter-free method to detect security incidents from structured text regardless its nature. We use the Normalized Compression Distance to obtain a set of features that can be used by a Support Vector Machine to classify events from a heterogeneous cybersecurity environment. In particular, we explore and validate the application of our method in four different cybersecurity domains: HTTP anomaly identification, spam detection, Domain Generation Algorithms tracking and sentiment analysis. The results obtained show the validity and flexibility of our approach in different security scenarios with a low configuration burden
Files in this item
Google Scholar:de la Torre-Abaitua, Gonzalo
-
Lago Fernández, Luis Fernando
-
Arroyo, David
This item appears in the following Collection(s)
Related items
Showing items related by title, author, creator and subject.
-
Supervised Hyperparameter Estimation for Anomaly Detection
Bella, Juan; Fernández, Ángela; Dorronsoro, José R.
2020-11-04