WEAPON: AN UNSUPERVISED LEARNING ARCHITECTURE FOR USER BEHAVIOR ANOMALY DETECTION
1 - User Behavior Anomalies
2 - Anomaly Detection
3 - Cybersecurity
4 - Autoencoder
In recent years, user behavior anomaly detection has been gaining attention in cybersecurity. A crucial challenge that has been discussed in the literature is that supervised models that use vast amounts of data for training do not apply to real scenarios for anomaly detection. In contrast, unsupervised models tend to face scalability problems with respect to the number of users in the dataset, since they address behavioral aspects on an individual basis for each user. Within this context, the requirement to gather datasets with labeled behavior anomalies has proven to be a significant limiting factor for evaluating different models, and this limitation is explored in this research. This work presents WEAPON, an architecture for user behavior anomaly detection based on Wide and Deep Convolutional LSTM Autoencoders. WEAPON uses unsupervised learning and requires a small amount of data to build behavior profiles considering the individuality of each user. Furthermore, WEAPON implements weak supervision-based behavior anomaly labeling approach using Snorkel. When compared to other approaches, WEAPON proved to be more efficient, surpassing the ROC curve of the second best model by 4.31%. Furthermore, WEAPON outperforms rule-based methods by finding anomalies that an expert would not anticipate