Scalable Data Processing Approach and Anomaly Detection Method for User and Entity Behavior Analytics Platform

Abstract

User and entity behavior analytics (UEBA) is a popular, modern way of finding security threats in corporate infrastructure. Anomaly detection in data makes it possible to detect incidents that cannot be detected by other methods, including rules in classical SIEM systems. However, several problems remain that require the development of scalable software and analytical methods able to handle thousands of events per second. The paper describes approaches for processing semi-structured data from different sources for further analytics using anomaly detection methods. A new method of building features from hybrid data streams from different SIEM sources is introduced. The paper also contains a study of the efficiency and scalability of the developed approach.

Cite

Lukashin, A., Popov, M., Bolshakov, A., & Nikolashin, Y. (2020). Scalable Data Processing Approach and Anomaly Detection Method for User and Entity Behavior Analytics Platform. In Studies in Computational Intelligence (Vol. 868, pp. 344–349). Springer. https://doi.org/10.1007/978-3-030-32258-8_40
