Overview / Usage

This project develops an explainable recurrent neural network that uses anomaly detection to identify malicious threats within the Windows operating system. This is particularly useful against advanced persistent threats (APTs), which are long-term cyber-attackers that are well-resourced and target specific organisations with high-value data. The sophistication of APTs allows them to evade detection from traditional cyber defence mechanisms such as network firewalls. However, as APTs generally aim to steal information from their target systems, there is a need for them to use customised computer programs to achieve their objective. The running of these processes will differ from the typical user behaviour, therefore leaving detectable traces within the operating system’s event logs. This project hence aims to capitalise on this to detect anomalous behaviour quickly and robustly, so that system users and administrators are quickly alerted to the presence of cyber threats and can take appropriate measures to contain the problem.

This project also aims to go one step further and introduce explainable elements into the neural network. Although neural networks boast high prediction accuracies, the hidden nature of their internal structures makes it challenging to understand the reasoning behind the inferences. In this particular application, it is difficult to determine the specific features that are responsible for an event log being flagged as anomalous. To introduce greater transparency, this project will incorporate elements to provide contextualised explanations for the network’s chosen anomalies. This would be helpful for cybersecurity analysts who could then better understand the nature of the threats that they are dealing with.

CADNET is innovative because it is one of the first explainable neural networks to be used in anomaly detection, especially for cybersecurity purposes. Its baseline establishment for comparison and specific targeting of problem areas within each data log are key improvements and advances in the explainable AI field.

Methodology / Approach

A long-short term variant of a recurrent neural network was implemented using Tensorflow and the Keras application programming interface. The recurrent neural network structure was chosen for its distinctive ability to deal with sequential data, which is relevant in this project’s context. A relevant paper by Tuor et al. (https://arxiv.org/pdf/1712.00557.pdf) was referenced and improved upon in the course of this project by optimising the network hyperparameters.

Explainability was incorporated into the neural network through the implementation of a per-token sequence splitting method for calculation of individual field loss contribution, as well as the construction of a dictionary for norm-finding purposes. Combining these elements, this project aims to identify malicious event logs, and provide the reason for it being flagged as anomalous. In addition, a baseline is established for comparison to check for disparities within the log.

The project was trained and tested using the authentication logs provided by the Los Alamos National Laboratory (https://csr.lanl.gov/data/cyber1/). This project will also be extended in the future to cover API calls within the Windows operating system in addition to event logs, with the possibility of utilising the Windows malware API call dataset ( https://arxiv.org/pdf/1905.01999.pdf).

The project is currently in development, but results are looking promising. The neural network is currently able to achieve an accuracy rate of 83% with a low false positive rate of 5.6%, which surpasses results published by Tuor et al. An example of the enhanced explainable neural network output in its current state is as follows:

• Anomaly in u737@dom1, u737@dom1, c17693, c2578, ntlm, network, logon, success
• High Loss Field: Source Computer (c17693) with Loss of 24.803308
• Norm is 'c19497' with Loss of 1.6954098
• New Total Loss is 13.248317680966466 VS 41.059318266522496

The information obtained in the example is useful in showing the reasoning behind the neural network's predictions. It is evident that the 'Source Computer' field has the highest loss and contributes the most to the total loss value associated with the event log. A replacement in the form of "c19497" is proposed; with the replacement of the original value "c17693" with "c19497", the loss value of the event log decreases by 67.7%. Cybersecurity analysts looking at the output can hence surmise that the event describes a potentially malicious program that is using a computer that the typical user does not use, hence the account may be compromised. Swift action can then be taken to address this issue, thus containing the problem and ensuring the health of the protected system.

The proposed framework's additions to a traditional neural network structure for explainable AI have also been proven to work quickly and with minimal impact. The norm-finding process took approximately 200 microseconds per log, and was responsible for only 2% of the time taken for the full run of the neural network. This remarkable efficiency makes the system suitable for daily use by cybersecurity analysts.

Technologies Used

Tensorflow, Keras, Numpy, Scipy, Matplotlib Python packages were used in the development of this project. Google Colaboratory (GPU) was used for some training and testing, while most parts of the work were completed on an Intel Xeon server setup with Nvidia Titan X GPU cards, as well as an Intel Core i7 desktop with a Nvidia GTX 980 GPU card.