Normality Shift Identification for Anomaly Detection of Windows Event Logs

Resky Ayu Dewi Talasari; Hudan Studiawan; Baskoro Adi Pratomo

doi:10.1109/ICOIACT64819.2024.10913014

Normality Shift Identification for Anomaly Detection of Windows Event Logs

Resky Ayu Dewi Talasari
, Hudan Studiawan
, Baskoro Adi Pratomo

Institut Teknologi Sepuluh Nopember

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Anomaly detection in network traffic is becoming increasingly difficult with increasing network complexity. Deep learning-based models, such as Autoencoder, are widely used to detect anomalies in normal data. However, when there is a shift in normality, these models fail to recognize new data patterns. This study highlights the importance of overcoming such challenges, particularly in Windows event logs, where changes in data distribution can cause anomaly detection failure. This study focuses on identifying normality shift in Windows event logs and overcomes the limitations of asymmetric Kullback-Leibler Divergence (KLD) using symmetric Jensen-Shannon Divergence (JSD) and Hellinger Distance (HD). The proposed method can measure distribution differences more evenly and accurately. The experimental results demonstrate that normality shift affect model performance. The performance of the anomaly detection model improved after testing the data distribution and filtering out outliers or anomalies that caused the distribution shift. KLD and JSD detect shift in the ranges of 0.0-0.2, 0.4-0.6, and 0.8-1.0. However, JSD detects less shift than KLD due to its symmetrical nature. The HD method more accurately detected shift after filtering because of its sensitivity to small differences in both distributions.

Original language	English
Title of host publication	2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	61-66
Number of pages	6
Edition	2024
ISBN (Electronic)	9798331536206
DOIs	https://doi.org/10.1109/ICOIACT64819.2024.10913014
Publication status	Published - 2024
Event	7th International Conference on Information and Communications Technology, ICOIACT 2024 - Hybrid, Ishikawa, Japan Duration: 20 Nov 2024 → 21 Nov 2024

Conference

Conference	7th International Conference on Information and Communications Technology, ICOIACT 2024
Country/Territory	Japan
City	Hybrid, Ishikawa
Period	20/11/24 → 21/11/24

Keywords

Anomaly Detection
Hellinger Distance (HD)
Jensen Shannon Divergence (JSD)
Kullback Leibrer Divergence (KLD)
Normality Shift
Windows Event Logs

Access to Document

10.1109/ICOIACT64819.2024.10913014

Cite this

Talasari, R. A. D., Studiawan, H., & Pratomo, B. A. (2024). Normality Shift Identification for Anomaly Detection of Windows Event Logs. In 2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding (2024 ed., pp. 61-66). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICOIACT64819.2024.10913014

@inproceedings{56b4cc1060ed411b81ce0c5bd59eb4aa,

title = "Normality Shift Identification for Anomaly Detection of Windows Event Logs",

abstract = "Anomaly detection in network traffic is becoming increasingly difficult with increasing network complexity. Deep learning-based models, such as Autoencoder, are widely used to detect anomalies in normal data. However, when there is a shift in normality, these models fail to recognize new data patterns. This study highlights the importance of overcoming such challenges, particularly in Windows event logs, where changes in data distribution can cause anomaly detection failure. This study focuses on identifying normality shift in Windows event logs and overcomes the limitations of asymmetric Kullback-Leibler Divergence (KLD) using symmetric Jensen-Shannon Divergence (JSD) and Hellinger Distance (HD). The proposed method can measure distribution differences more evenly and accurately. The experimental results demonstrate that normality shift affect model performance. The performance of the anomaly detection model improved after testing the data distribution and filtering out outliers or anomalies that caused the distribution shift. KLD and JSD detect shift in the ranges of 0.0-0.2, 0.4-0.6, and 0.8-1.0. However, JSD detects less shift than KLD due to its symmetrical nature. The HD method more accurately detected shift after filtering because of its sensitivity to small differences in both distributions.",

keywords = "Anomaly Detection, Hellinger Distance (HD), Jensen Shannon Divergence (JSD), Kullback Leibrer Divergence (KLD), Normality Shift, Windows Event Logs",

author = "Talasari, \{Resky Ayu Dewi\} and Hudan Studiawan and Pratomo, \{Baskoro Adi\}",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 7th International Conference on Information and Communications Technology, ICOIACT 2024 ; Conference date: 20-11-2024 Through 21-11-2024",

year = "2024",

doi = "10.1109/ICOIACT64819.2024.10913014",

language = "English",

pages = "61--66",

booktitle = "2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

edition = "2024",

}

Talasari, RAD, Studiawan, H & Pratomo, BA 2024, Normality Shift Identification for Anomaly Detection of Windows Event Logs. in 2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding. 2024 edn, Institute of Electrical and Electronics Engineers Inc., pp. 61-66, 7th International Conference on Information and Communications Technology, ICOIACT 2024, Hybrid, Ishikawa, Japan, 20/11/24. https://doi.org/10.1109/ICOIACT64819.2024.10913014

Normality Shift Identification for Anomaly Detection of Windows Event Logs. / Talasari, Resky Ayu Dewi; Studiawan, Hudan ; Pratomo, Baskoro Adi.
2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding. 2024. ed. Institute of Electrical and Electronics Engineers Inc., 2024. p. 61-66.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Normality Shift Identification for Anomaly Detection of Windows Event Logs

AU - Talasari, Resky Ayu Dewi

AU - Studiawan, Hudan

AU - Pratomo, Baskoro Adi

PY - 2024

Y1 - 2024

N2 - Anomaly detection in network traffic is becoming increasingly difficult with increasing network complexity. Deep learning-based models, such as Autoencoder, are widely used to detect anomalies in normal data. However, when there is a shift in normality, these models fail to recognize new data patterns. This study highlights the importance of overcoming such challenges, particularly in Windows event logs, where changes in data distribution can cause anomaly detection failure. This study focuses on identifying normality shift in Windows event logs and overcomes the limitations of asymmetric Kullback-Leibler Divergence (KLD) using symmetric Jensen-Shannon Divergence (JSD) and Hellinger Distance (HD). The proposed method can measure distribution differences more evenly and accurately. The experimental results demonstrate that normality shift affect model performance. The performance of the anomaly detection model improved after testing the data distribution and filtering out outliers or anomalies that caused the distribution shift. KLD and JSD detect shift in the ranges of 0.0-0.2, 0.4-0.6, and 0.8-1.0. However, JSD detects less shift than KLD due to its symmetrical nature. The HD method more accurately detected shift after filtering because of its sensitivity to small differences in both distributions.

AB - Anomaly detection in network traffic is becoming increasingly difficult with increasing network complexity. Deep learning-based models, such as Autoencoder, are widely used to detect anomalies in normal data. However, when there is a shift in normality, these models fail to recognize new data patterns. This study highlights the importance of overcoming such challenges, particularly in Windows event logs, where changes in data distribution can cause anomaly detection failure. This study focuses on identifying normality shift in Windows event logs and overcomes the limitations of asymmetric Kullback-Leibler Divergence (KLD) using symmetric Jensen-Shannon Divergence (JSD) and Hellinger Distance (HD). The proposed method can measure distribution differences more evenly and accurately. The experimental results demonstrate that normality shift affect model performance. The performance of the anomaly detection model improved after testing the data distribution and filtering out outliers or anomalies that caused the distribution shift. KLD and JSD detect shift in the ranges of 0.0-0.2, 0.4-0.6, and 0.8-1.0. However, JSD detects less shift than KLD due to its symmetrical nature. The HD method more accurately detected shift after filtering because of its sensitivity to small differences in both distributions.

KW - Anomaly Detection

KW - Hellinger Distance (HD)

KW - Jensen Shannon Divergence (JSD)

KW - Kullback Leibrer Divergence (KLD)

KW - Normality Shift

KW - Windows Event Logs

UR - https://www.scopus.com/pages/publications/105007781882

U2 - 10.1109/ICOIACT64819.2024.10913014

DO - 10.1109/ICOIACT64819.2024.10913014

M3 - Conference contribution

AN - SCOPUS:105007781882

SP - 61

EP - 66

BT - 2024 7th International Conference on Information and Communications Technology, ICOIACT 2024 - Proceeding

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 7th International Conference on Information and Communications Technology, ICOIACT 2024

Y2 - 20 November 2024 through 21 November 2024

ER -

Normality Shift Identification for Anomaly Detection of Windows Event Logs

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this