Abstract:
Given the frequency of cybersecurity incidents, anomaly detection methods have been widely employed to identify malicious behaviour. However, anomalous accesses often exhibit prominent characteristics only in certain attribute fields, so detection results are susceptible to interference from attributes in which the anomaly is less pronounced. To address this issue, this paper proposes MNDetector, an anomalous access detection framework that introduces the multiplex network structure into this field. Through association analysis, closely associated attribute fields are constructed into single-layer networks, and cross-layer connections are added to form a multiplex network. Cross-layer walks are then performed to obtain node sequences both within a layer and across layers, which are used for node embedding. Finally, a hierarchical generative adversarial network merges the reconstruction losses and discriminative results of the different layers to perform anomalous access detection. Experimental results show that MNDetector outperforms state-of-the-art detection methods on multiple public datasets, achieving an approximately 8% increase in F1 score over commonly used methods. In-depth case studies explain the variation in detection outcomes across scenarios by analysing the distribution of anomalous attributes within fields. An examination from the network-structure perspective further clarifies the disparities among the results obtained from different layers, substantiating MNDetector's efficacy in addressing the attribute interference caused by attribute fields with insignificant anomalous characteristics.
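To make the multiplex-network construction and cross-layer walk concrete, the following is an added illustrative sketch, not MNDetector's own code and not taken from the paper. It assumes a handful of constructed access records, a fixed (assumed, not learned) grouping of attribute fields into two layers, and a simple walk rule in which each step either stays inside the current layer or jumps to a node of another layer that co-occurred in the same record with probability `p_cross`. The node-embedding and hierarchical GAN stages of the abstract are not implemented here; the output is the node-sequence corpus that such an embedding step would consume.

```python
import random
from collections import defaultdict
from itertools import combinations

# Constructed sample access records (not from the paper). The last record is
# deliberately unusual: alice acting from an external address with a destructive action.
RECORDS = [
    {"user": "alice", "src_ip": "10.0.0.5",    "resource": "/payroll", "action": "read"},
    {"user": "alice", "src_ip": "10.0.0.5",    "resource": "/payroll", "action": "write"},
    {"user": "bob",   "src_ip": "10.0.0.7",    "resource": "/wiki",    "action": "read"},
    {"user": "bob",   "src_ip": "10.0.0.7",    "resource": "/payroll", "action": "read"},
    {"user": "carol", "src_ip": "10.0.0.9",    "resource": "/wiki",    "action": "read"},
    {"user": "alice", "src_ip": "203.0.113.4", "resource": "/payroll", "action": "delete"},
]

# Assumed layer assignment standing in for the paper's association analysis:
# fields that are closely associated share a single-layer network.
LAYERS = {
    "identity": ["user", "src_ip"],
    "activity": ["resource", "action"],
}


def build_multiplex(records, layers):
    """Build a multiplex network from access records.

    intra[layer][node] -> set of neighbouring nodes in the same layer
    cross[(layer, node)] -> set of (other_layer, node) linked across layers
    Nodes are named "field=value" so values from different fields never collide.
    """
    intra = {name: defaultdict(set) for name in layers}
    cross = defaultdict(set)
    for rec in records:
        layer_nodes = {}
        for name, fields in layers.items():
            nodes = [f"{f}={rec[f]}" for f in fields]
            layer_nodes[name] = nodes
            # Intra-layer edges: attribute values that co-occur in one record.
            for a, b in combinations(nodes, 2):
                intra[name][a].add(b)
                intra[name][b].add(a)
        # Cross-layer edges: every node of one layer links to every node of the
        # other layers produced by the same record.
        for n1, nodes1 in layer_nodes.items():
            for n2, nodes2 in layer_nodes.items():
                if n1 == n2:
                    continue
                for a in nodes1:
                    for b in nodes2:
                        cross[(n1, a)].add((n2, b))
    return intra, cross


def cross_layer_walk(intra, cross, start_layer, start_node, length, p_cross, rng):
    """One walk of up to `length` nodes; each step crosses layers with probability p_cross."""
    layer, node = start_layer, start_node
    seq = [(layer, node)]
    for _ in range(length - 1):
        cross_nb = sorted(cross.get((layer, node), ()))
        intra_nb = sorted(intra[layer].get(node, ()))
        if cross_nb and (not intra_nb or rng.random() < p_cross):
            layer, node = rng.choice(cross_nb)
        elif intra_nb:
            node = rng.choice(intra_nb)
        else:
            break  # isolated node: nowhere to go
        seq.append((layer, node))
    return seq


def generate_corpus(intra, cross, walks_per_node, length, p_cross, seed=0):
    """Start `walks_per_node` walks from every node of every layer (seeded for reproducibility)."""
    rng = random.Random(seed)
    corpus = []
    for layer in sorted(intra):
        for node in sorted(intra[layer]):
            for _ in range(walks_per_node):
                corpus.append(cross_layer_walk(intra, cross, layer, node, length, p_cross, rng))
    return corpus


if __name__ == "__main__":
    intra, cross = build_multiplex(RECORDS, LAYERS)
    for walk in generate_corpus(intra, cross, walks_per_node=1, length=5, p_cross=0.5)[:4]:
        print(" -> ".join(f"{layer}:{node}" for layer, node in walk))
```

Each walk is a sequence of `(layer, node)` pairs, so a downstream embedding can distinguish a transition that stays within the identity layer from one that jumps to the activity layer. Setting `p_cross` to 0 yields purely single-layer sequences; setting it to 1 forces a layer change at every step, which is a useful sanity check that the cross-layer edges were built symmetrically.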