A compression-based method for detecting anomalies in textual data

Nowadays, information and communications technology systems are fundamental assets of our social and economical model, and thus they should be properly protected against the malicious activity of cybercriminals. Defence mechanisms are generally articulated around tools that trace and store informati...

Descripción completa

Detalles Bibliográficos
Autores: de la Torre-Abaitua, Gonzalo, Lago Fernández, Luis Fernando, Arroyo, David
Tipo de recurso: artículo
Fecha de publicación:2021
País:España
Institución:Universidad Autónoma de Madrid
Repositorio:Biblos-e Archivo. Repositorio Institucional de la UAM
Idioma:inglés
OAI Identifier:oai:repositorio.uam.es:10486/699120
Acceso en línea:http://hdl.handle.net/10486/699120
https://dx.doi.org/10.3390/e23050618
Access Level:acceso abierto
Palabra clave:Anomaly detection
Data-driven security
Intrusion detection systems
Normalized compression distance
Text mining
Informática
Descripción
Sumario:Nowadays, information and communications technology systems are fundamental assets of our social and economical model, and thus they should be properly protected against the malicious activity of cybercriminals. Defence mechanisms are generally articulated around tools that trace and store information in several ways, the simplest one being the generation of plain text files coined as security logs. Such log files are usually inspected, in a semi-automatic way, by security analysts to detect events that may affect system integrity, confidentiality and availability. On this basis, we propose a parameter-free method to detect security incidents from structured text regardless its nature. We use the Normalized Compression Distance to obtain a set of features that can be used by a Support Vector Machine to classify events from a heterogeneous cybersecurity environment. In particular, we explore and validate the application of our method in four different cybersecurity domains: HTTP anomaly identification, spam detection, Domain Generation Algorithms tracking and sentiment analysis. The results obtained show the validity and flexibility of our approach in different security scenarios with a low configuration burden