Title: Peer-group behavior analytics modelling with mutually exciting point process graphs
Authors: Henrique Helfer Hoeltgebaum - Securonix (United Kingdom) [presenting]
Francesco Sanna Passino - Imperial College London (United Kingdom)
Abstract: The increasingly complex threat technology adopted by malicious entities to evade existing defences in cyber environments is a growing concern for society. Cyber-security analysts have difficulties coping with the increasingly large number of alerts received on any given day. This is mainly due to the low precision of existing detectors, which end up producing a substantial number of false positives. Usually, several signature-based and statistical anomaly detectors are implemented within a computer network to detect threats. The precision of the alerts passed to cyber-security analysts could be increased by studying the correlation structure between such detectors. Statistically, this challenge consists in estimating causal relationships between point processes of alerts. To this end, we extend a recently proposed class of models for dynamic networks called mutually exciting point process graphs, which allow for an unknown latent graph structure between node-specific point processes, where each node in the graph is a detector. Furthermore, different classes of users might be associated with different dependency structures across alerts. Motivated by these concerns, we further extend mutually exciting point process graphs to allow for the estimation of group-specific graphs of dependencies between detectors, with the goal of quantifying when individual user activity is unlikely based on the behaviour of similar users within the network.
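To make the modelling idea in the abstract concrete, the following is an added illustration (not code from the authors or from the mutually exciting point process graph model itself) of the basic building block: a multivariate Hawkes process with an exponential kernel, where each node is a detector and an alert from detector i raises the instantaneous alert rate of detector j by alpha[i][j]. Two peer groups are given hand-written (assumed, not fitted) excitation matrices standing in for group-specific dependency graphs, and a user's constructed alert history is scored by its log-likelihood under each group's graph. The detector names, parameter values, alert times and group labels are all constructed for the example; the real model estimates the latent graph from data rather than taking it as given.

```python
import math

# Constructed sample: alert timestamps (hours since window start) from two
# detectors for one user. Detector labels are placeholders, not real products.
ALERTS = {
    0: [1.0, 2.5, 6.0],   # detector 0, e.g. "unusual login location"
    1: [1.4, 2.9, 9.0],   # detector 1, e.g. "unusual data egress"
}
T_END = 12.0              # end of the observation window (hours)
BETA = 2.0                # decay rate of the exponential excitation kernel

# Assumed group-specific dependency graphs. alpha[i][j] is the expected number
# of extra detector-j alerts triggered by one detector-i alert (branching ratio).
GROUPS = {
    # detector 0 excites detector 1: egress alerts tend to follow login alerts
    "group_A": {"mu": [0.1, 0.1], "alpha": [[0.0, 0.7], [0.0, 0.0]]},
    # no cross-excitation: the two detectors fire independently
    "group_B": {"mu": [0.1, 0.1], "alpha": [[0.0, 0.0], [0.0, 0.0]]},
}


def intensity(j, t, alerts, mu, alpha, beta):
    """Conditional intensity of detector j at time t:
    mu_j + sum over past alerts s of detector i of alpha[i][j] * beta * exp(-beta (t - s)).
    Only strictly earlier alerts (s < t) contribute, so an alert never excites itself."""
    lam = mu[j]
    for i, times in alerts.items():
        for s in times:
            if s < t:
                lam += alpha[i][j] * beta * math.exp(-beta * (t - s))
    return lam


def log_likelihood(alerts, mu, alpha, beta, t_end):
    """Log-likelihood of the observed alert times on [0, t_end]:
    sum_j [ sum_{t in alerts_j} log lambda_j(t) - integral_0^{t_end} lambda_j(u) du ].
    The integral (compensator) has a closed form for the exponential kernel."""
    ll = 0.0
    for j, times in alerts.items():
        for t in times:
            ll += math.log(intensity(j, t, alerts, mu, alpha, beta))
        compensator = mu[j] * t_end
        for i, src_times in alerts.items():
            for s in src_times:
                # integral of alpha*beta*exp(-beta(u-s)) over u in [s, t_end]
                compensator += alpha[i][j] * (1.0 - math.exp(-beta * (t_end - s)))
        ll -= compensator
    return ll


def score_against_groups(alerts, groups, beta, t_end):
    """Log-likelihood of one user's alert history under each peer group's
    dependency graph. A user whose own group scores far below another group's
    graph, or below the group's typical range, is a candidate for analyst review."""
    return {
        name: log_likelihood(alerts, p["mu"], p["alpha"], beta, t_end)
        for name, p in groups.items()
    }


def best_fitting_group(alerts, groups, beta, t_end):
    """Return the group whose graph explains the alert history best."""
    scores = score_against_groups(alerts, groups, beta, t_end)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for name, ll in score_against_groups(ALERTS, GROUPS, BETA, T_END).items():
        print(f"{name}: log-likelihood = {ll:.3f}")
    print("best fitting group:", best_fitting_group(ALERTS, GROUPS, BETA, T_END))
```

In the constructed data, each detector-0 alert at hours 1.0 and 2.5 is followed within 0.4 h by a detector-1 alert, which is exactly the pattern the group_A graph encodes, so the sequence is more likely under group_A than under the independent-detector graph of group_B. In practice the excitation matrices would be estimated per peer group from historical alert streams, and the per-user score would be compared against the distribution of scores for that user's own group rather than read in isolation.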