Article ID: 6883817
Journal: Computers & Security
Published Year: 2018
Pages: 17 pages
File Type: PDF
Abstract
Detecting intrusions is one of the main objectives of computer security. Attacks have become highly sophisticated over the years in order to remain effective and stealthy. Major breaches are typically perpetrated using techniques that are polymorphic, multi-vector, multi-stage and targeted, that is, adopting forms that were never seen before. Anomaly detection, which makes no assumption about the shape of a potential attack but instead relies on a model of legitimate behavior, seems to be a suitable approach for defeating sophisticated intrusions. Skip-gram modeling, a word2vec algorithm variant, was leveraged to model systems' legitimate network behavior. The resulting model was then used to spot intrusions in a test dataset. The optimal configuration led to 99.20% precision, 82.07% recall, and 91.02% accuracy, with a false positive rate of 0.61%, which is significantly lower than most state-of-the-art methods. These metrics were achieved under a fully unsupervised setting, that is, without any prior knowledge of what constitutes an attack. Furthermore, the approach provides benefits in terms of interpretability and log storage requirements, as it requires only a small number of input features. It also produces information about systems' behavior and their relationships that can be reused by other analysis techniques to obtain further insights.
Related Topics: Physical Sciences and Engineering; Computer Science; Computer Networks and Communications