Combining K-Means and XGBoost Models for Anomaly Detection Using Log Datasets

Authors

Abstract

Computing and networking systems traditionally record their activity in log files, which have been used for multiple purposes such as troubleshooting, accounting, post-incident analysis of security breaches, capacity planning and anomaly detection. In earlier systems those log files were processed manually by systems administrators, or with the support of basic applications for filtering, compiling and pre-processing the logs for specific purposes. However, as the volume of these log files continues to grow (more logs per system, more systems per domain), it is becoming increasingly difficult to process those logs using traditional tools, especially for less straightforward purposes such as anomaly detection. On the other hand, as systems continue to become more complex, the potential of using large data-sets built of logs from heterogeneous sources for detecting anomalies without prior domain knowledge becomes higher. Anomaly detection tools for such scenarios face two challenges. First, to devise appropriate data analysis solutions for effectively detecting anomalies from large data sources, possibly without prior domain knowledge. Second, to adopt data processing platforms able to cope with the large data-sets and complex data analysis algorithms required for such purposes. In this paper we address those challenges by proposing an integrated scalable framework that aims at efficiently detecting anomalous events on large amounts of unlabeled data logs. Detection is supported by clustering and classification methods that take advantage of parallel computing techniques in environments. We validate our approach using the the well known NASA HTTP logs data-sets. Fourteen features were extracted in order to train a K-Means model for separating anomalous and normal events in highly coherent clusters. A second model, making use of the XGBoost system implementing a Gradient Tree Boosting algorithm, uses the previous binary clustered data for producing a set of simple interpretable rules. These rules represent the rationale for generalizing its application over massive number of unseen events in a distributed computing environment. The classified anomaly events produced by our framework can be used, for instance, as candidates for further forensic and compliance auditing analysis in security management.

Keywords

Anomaly detection; Clustering; K-Means; Gradient Tree Boosting; XGBoost

Related Project

H2020 ATENA (Advanced Tools to assEss and mitigate the criticality of ICT compoNents and their dependencies over Critical InfrAstructures)

Journal

Electronics (ISSN 2079-9292). Special Issue "Advanced Cybersecurity Services Design", Vol. 9, #1164, July 2020

PDF File

DOI