A Graph-based Framework for Reducing False Positives in Authentication Alerts in Security Systems

WWW '24: Companion Proceedings of the ACM on Web Conference 2024

The high false positive (FP) rate of authentication alerts remains a prominent challenge in cybersecurity. We identify two problems behind this issue that existing learning-based anomaly detection methods leave unaddressed. First, in industrial applications, ground-truth labels for malicious authentication events are extremely scarce, so learning-based methods must optimize the procedure by which they auto-generate high-quality training instances; existing work has overlooked this aspect. Second, every existing model relies on a single form of data representation, either a link stream or graph snapshots, which may not be expressive enough to capture the heterogeneity in the behaviors of networked entities; as a result, a legitimate but differently-behaved authentication event is misclassified as anomalous. We address these problems by proposing a new framework based on self-supervised link prediction on dynamic authentication networks, with two highlighted features: (1) the framework unifies the two most popular views of dynamic interconnected systems, graph snapshots and the link stream, to ensure the best coverage of behavioral heterogeneity; (2) to generate high-quality training samples, we propose a carefully designed negative sampling procedure called filtered rewiring, which ensures that the negative samples used for training are both truly negative and instructive. We validate the framework on 4 months of authentication data from 125 randomly selected, real organizations that subscribe to Microsoft’s defense services.
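To make the two highlighted features concrete, the following is an added illustration written for this page; it is not the authors' code, and the paper's exact rewiring and filtering rules are not given in the abstract. The block assumes one plausible reading: candidate negatives are produced by swapping the endpoints of two authentication edges taken from the same graph snapshot (so both the user and the host are active in that window, which makes the negative instructive rather than a random never-seen pair), and a candidate is then filtered out if the pair is observed anywhere in the full link stream (so it is truly negative and not merely absent from this snapshot). The authentication events, user names and host names are constructed for the example; the helper names are hypothetical.

```python
"""Filtered-rewiring negative sampler for link prediction on an authentication graph.

Added example; NOT the paper's implementation. The rewiring rule (endpoint swap
between two edges of one snapshot) and the filter (drop any pair seen anywhere in
the link stream) are assumptions about what "filtered rewiring" means.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample events: (timestamp in hours, user, host). Not real data.
EVENTS = [
    (0, "alice", "fs01"), (1, "alice", "mail01"), (2, "bob", "fs01"),
    (3, "carol", "db01"), (4, "bob", "db01"),
    (25, "alice", "fs01"), (26, "bob", "mail01"), (27, "carol", "db01"),
    (28, "dave", "jump01"), (29, "carol", "fs01"),
    (49, "alice", "db01"), (50, "bob", "fs01"), (51, "dave", "jump01"),
]


def snapshots(events, window_hours):
    """Graph-snapshot view: one (user, host) edge set per fixed-length time window."""
    per_window = defaultdict(set)
    for t, user, host in events:
        per_window[t // window_hours].add((user, host))
    return [per_window[k] for k in sorted(per_window)]


def stream_edges(events):
    """Link-stream view: every (user, host) pair that authenticates at any time."""
    return {(user, host) for _, user, host in events}


def rewire_candidates(edges):
    """Rewiring step: for each pair of edges with distinct users and distinct hosts,
    propose the two swapped pairs. Both endpoints of a proposal were active in the
    same window, so the proposal is a plausible ("instructive") negative."""
    candidates = set()
    for (u1, h1), (u2, h2) in combinations(sorted(edges), 2):
        if u1 != u2 and h1 != h2:
            candidates.add((u1, h2))
            candidates.add((u2, h1))
    return candidates


def filtered_rewiring(events, window_hours):
    """Filter step: keep a rewired pair only if it never occurs in the whole stream.
    Returns one set of negatives per snapshot, in time order."""
    ever_seen = stream_edges(events)
    return [
        {pair for pair in rewire_candidates(edges) if pair not in ever_seen}
        for edges in snapshots(events, window_hours)
    ]


def snapshot_only_contamination(events, window_hours):
    """Check: how many 'negatives' a snapshot-only sampler (filter against the
    current window only) would emit even though the pair is a legitimate link
    elsewhere in the stream. These are exactly the mislabeled training samples
    that push a model toward false positives on legitimate but unusual logins."""
    ever_seen = stream_edges(events)
    counts = []
    for edges in snapshots(events, window_hours):
        naive_negatives = rewire_candidates(edges) - edges
        counts.append(sum(1 for pair in naive_negatives if pair in ever_seen))
    return counts


if __name__ == "__main__":
    for i, negs in enumerate(filtered_rewiring(EVENTS, 24)):
        print(f"window {i}: {sorted(negs)}")
    print("snapshot-only sampler mislabels per window:",
          snapshot_only_contamination(EVENTS, 24))
```

On the constructed data the first window yields four rewired candidates that are absent from that snapshot, but three of them (alice to db01, carol to fs01, bob to mail01) are legitimate links in later windows; only carol to mail01 survives the stream filter. In a real deployment the pairs would be sampled rather than enumerated with `combinations`, and the filter would consult the stream over the whole training period, not just the current snapshot.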