TLDR: FLAGUS is a novel cybersecurity framework designed to detect Advanced Persistent Threats (APTs) in environments with scarce labeled data. It combines an Attention-based Adversarial Dual AutoEncoder (ADAEN) with active learning and GAN-based data augmentation. This allows FLAGUS to iteratively improve its anomaly detection accuracy by selectively querying human experts for labels on uncertain samples and generating synthetic data, significantly reducing reliance on extensive manual labeling. Evaluated on DARPA datasets, FLAGUS consistently outperformed existing methods in ranking APTs across various operating systems and attack scenarios.
Cybersecurity faces a formidable adversary in Advanced Persistent Threats (APTs). These sophisticated attacks are stealthy, long-lasting, and incredibly difficult to detect using traditional methods. Unlike common viruses, APTs blend into normal network activities, using legitimate credentials and advanced techniques to remain hidden for extended periods, targeting critical infrastructure and sensitive data. Notable examples like Stuxnet and Pegasus highlight the severe risks posed by these threats.
A significant challenge in combating APTs is the scarcity of labeled data. Traditional machine learning models require vast amounts of labeled examples to learn, but in the real world, instances of APTs are rare, making up a tiny fraction of overall network data. This imbalance leads to high false-positive rates, overwhelming security teams with irrelevant alerts.
To address these critical issues, researchers Sidahmed Benabderrahmane and Talal Rahwan from New York University and NYUAD have introduced a novel framework called FLAGUS. This innovative system combines several advanced techniques to enhance anomaly detection for APTs, even with minimal labeled data. FLAGUS integrates an Attention-based Adversarial Dual AutoEncoder (ADAEN), active learning, and Generative Adversarial Networks (GANs).
How FLAGUS Works
At its core, FLAGUS uses an ADAEN AutoEncoder, a type of neural network designed to learn the patterns of normal system behavior. When data deviates from these learned patterns, the AutoEncoder produces a high ‘reconstruction error,’ signaling a potential anomaly. The ADAEN is enhanced with a dual AutoEncoder structure and an attention mechanism. The dual structure allows it to capture different, complementary representations of data, while adversarial training ensures high-quality reconstructions. The attention mechanism helps the model focus on the most critical features, improving its ability to identify subtle malicious behaviors.
One of FLAGUS’s most powerful features is its active learning component. Instead of requiring a large, pre-labeled dataset, active learning allows the model to iteratively improve by selectively querying a human expert (an ‘oracle’) to label only the most uncertain or ambiguous data samples. These are typically data points that the model struggles to classify, often those with reconstruction errors close to the anomaly detection threshold. By focusing on these ‘informative’ samples, FLAGUS significantly reduces the need for extensive manual labeling, making the process more efficient and cost-effective.
Furthermore, FLAGUS employs Generative Adversarial Networks (GANs) to augment the dataset. Once uncertain samples are labeled as normal, the GAN generates realistic synthetic data that mimics the distribution of these newly labeled normal samples. This synthetic data, combined with the real labeled samples, is then used to retrain and refine the AutoEncoder, further enhancing its ability to distinguish between normal and anomalous activities. This iterative process of querying, labeling, augmenting, and retraining allows FLAGUS to progressively improve its detection accuracy over time.
Also Read:
- ADClick: Accelerating Anomaly Detection with Smart Labeling
- WebProber: AI Agents Enhance Web Usability Testing
Real-World Evaluation
The effectiveness of FLAGUS was rigorously tested on 40 real-world, imbalanced provenance trace datasets from the DARPA Transparent Computing program. These datasets cover multiple operating systems, including Android, Linux, BSD, and Windows, and two distinct attack scenarios (Pandex and Bovia). APT-like attacks in these datasets account for as little as 0.004% of the data, highlighting the extreme class imbalance FLAGUS is designed to handle.
Given the rarity of APTs, traditional accuracy metrics can be misleading. Therefore, FLAGUS’s performance was evaluated using the Normalized Discounted Cumulative Gain (nDCG), a metric that measures how well anomalies are ranked. A higher nDCG score indicates that the model effectively prioritizes high-risk events, which is crucial for security operations centers (SOCs) that need to review the most severe threats first.
The results demonstrated that FLAGUS consistently achieved superior nDCG scores across all operating systems and attack scenarios, significantly outperforming nine state-of-the-art anomaly detection methods. For instance, in complex scenarios like BSD Bovia, FLAGUS achieved an nDCG of 0.98, far exceeding competitors. The active learning loop proved instrumental, showing substantial improvements in detection rates and ranking accuracy as the model iteratively refined its understanding of normal and anomalous behaviors.
FLAGUS represents a significant step forward in data-efficient anomaly detection for complex cyber environments. Its ability to learn effectively with minimal labeled data and adapt to evolving threats makes it a promising solution for protecting critical systems against Advanced Persistent Threats. For more details, you can refer to the original research paper: Adversarial Augmentation and Active Sampling for Robust Cyber Anomaly Detection.
