Anomaly Detection in Log Data using Graph Databases and Machine Learning to Defend Advanced Persistent Threats

Abstract: Advanced Persistent Threats (APTs) are a main impendence in cyber security of computer networks. In 2015, a successful breach remains undetected 146 days on average, reported by [Fi16].With our work we demonstrate a feasible and fast way to analyse real world log data to detect breaches or breach attempts. By adapting well-known kill chain mechanisms and a combine of a time series database and an abstracted graph approach, it is possible to create flexible attack profiles. Using this approach, it can be demonstrated that the graph analysis successfully detects simulated attacks by analysing the log data of a simulated computer network. Considering another source for log data, the framework is capable to deliver sufficient performance for analysing real-world data in short time. By using the computing power of the graph database it is possible to identify the attacker and furthermore it is feasible to detect other affected system components. We believe to significantly reduce the detection time of breaches with this approach and react fast to new attack vectors.