Federated anomaly detection for log-based defense systems


Date

2022

Publisher

Kadir Has Üniversitesi

Abstract

The adoption of Industry 4.0 and IoT creates a vast network that opens up various new vulnerabilities in systems. The increasing number of cyber attacks, which are becoming more sophisticated, impedes the functionality of enterprises and critical infrastructures. Malfunctioning of the services of these systems can cause catastrophic results for the wealth and well-being of a society. Organizations need an intelligent defense system that is adaptable to newer threats in order to create rapid solutions. Anomaly detection is a widely adopted protection step and is significant for ensuring system security. Logs, which are universally accepted sources, are utilized in debugging, system health monitoring, user authorization and access control systems, and intrusion detection systems. Recent developments in Deep Learning (DL) and Natural Language Processing (NLP) show that contextual information decreases the false positives yielded in detecting anomalous behaviors. Additionally, decentralization and the exponentially increased number of data sources make traditional machine learning algorithms impractical. Federated Learning (FL) brings a solution to overcome decentralization and privacy issues. It aims to employ participating devices to learn from their own data and send local models for global convergence over secure communication. FL provides data security and greatly decreases communication cost, since local data is not transported to a central server. In a volatile cyber domain, it is a necessity to take quick precautions against potential threats. The benefits of FL enable building a defense system that provides real-time detection of cyber attacks. In this thesis, we propose a novel anomaly detection model and a risk-adaptive federated approach. The first is AnomalyAdapters (AAs), an extensible multi-anomaly task detection model. It uses a pretrained transformer variant to encode log sequences and utilizes adapters to learn a log structure and anomaly types. The adapter-based approach collects contextual information, eliminates information loss in learning, and learns anomaly detection tasks from different log sources without overuse of parameters. Moreover, the evaluation of this work elucidates the decision-making process of the proposed model on different log datasets to emphasize extraction of threat data via explainability experiments. Lastly, Risk-adaptive anomaly detection with federated learning (FedRA) is based on the idea of Spreading Phenomena. It decentralizes the aforementioned detection approach and adapts the weighting of shared parameters to ensure that incoming cyber attacks are captured in a timely manner.

Keywords

System Logs, Natural Language Processing, Anomaly Detection
