A Graph Embedding Approach to User Behavior Anomaly Detection

GTA³ 2.0: The 5th IEEE Big Data Workshop on Graph Techniques for Adversarial Activity Analytics

Identifying suspicious user behavior within an enterprise network is vital to maintaining strong cyber security defenses. This paper presents a scalable approach to detecting anomalous user behavior in event logs, which we frame as a dynamic, bipartite interaction network of users and resources. Graph embedding is used to obtain vector representations of users, which are updated over time and used to model the profile of the users who typically access each resource. A standard nearest neighbor anomaly detection method is then employed to score new interactions. The approach is applied to a dataset of interaction events between users and SharePoint sites within Microsoft’s internal corporate network.
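The pipeline in the abstract (embed users from the bipartite user-resource graph, then score a new interaction by nearest-neighbor distance to the users who usually access that resource) can be sketched as follows; this is an added example, not the paper's code. Assumptions: the abstract does not name an embedding method, so a spectral embedding of the user co-access matrix stands in for it; the graph is a single static snapshot rather than an embedding updated over time; the events, function names and `k=2` are constructed for illustration.

```python
import math
import random

# Constructed sample events (user, site); not data from the paper.
HISTORY = [("e1", "eng-wiki"), ("e1", "eng-builds"), ("e2", "eng-wiki"),
           ("e2", "eng-builds"), ("e3", "eng-wiki"), ("f1", "fin-ledger"),
           ("f1", "fin-payroll"), ("f2", "fin-ledger"), ("f3", "fin-ledger"),
           ("f3", "fin-payroll")]

def embed_users(events, dim=2, iters=100, seed=0):
    """Assumed embedding: top-`dim` eigenvectors of the co-access matrix A·Aᵀ."""
    users = sorted({u for u, _ in events})
    sites = sorted({s for _, s in events})
    seen = set(events)
    a = [[float((u, s) in seen) for s in sites] for u in users]  # bipartite adjacency
    m = [[sum(x * y for x, y in zip(ri, rj)) for rj in a] for ri in a]
    rng = random.Random(seed)
    q = [[rng.gauss(0, 1) for _ in users] for _ in range(dim)]
    for _ in range(iters):  # orthogonal (subspace) iteration
        q = [[sum(mij * vj for mij, vj in zip(row, v)) for row in m] for v in q]
        for i, v in enumerate(q):  # Gram-Schmidt re-orthonormalisation
            for w in q[:i]:
                dot = sum(x * y for x, y in zip(v, w))
                v[:] = [x - dot * y for x, y in zip(v, w)]
            norm = math.sqrt(sum(x * x for x in v))
            v[:] = [x / norm for x in v]
    return {u: [v[i] for v in q] for i, u in enumerate(users)}

def knn_score(user, site, events, emb, k=2):
    """Mean distance from `user` to its k nearest prior visitors of `site`."""
    peers = {u for u, s in events if s == site and u != user}
    dists = sorted(math.dist(emb[user], emb[p]) for p in peers)[:k]
    return sum(dists) / len(dists) if dists else float("inf")  # unseen site

if __name__ == "__main__":
    emb = embed_users(HISTORY)
    for user, site in [("e3", "eng-builds"), ("f2", "eng-wiki")]:
        print(user, site, round(knn_score(user, site, HISTORY, emb), 3))
```

A higher score means the user sits farther, in embedding space, from the resource's usual audience; the threshold for alerting is a deployment choice this sketch does not set.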