Abstract: A method detects intrusions in an audit log including records of user sessions with activity features and a user label of a claimed user of the user session. Probabilities that a user session belongs to a user are predicted. A probability is predicted for each combination of a user and a user session of the audit log based on the activity features of the user sessions. A user group including users with similar activity features is constructed based on the predicted probabilities. An anomaly score for a user session of the audit log and a claimed user of the user session belonging to the user group is determined based on a probability that the user session belongs to the user group. An intrusion is detected if the anomaly score of the user session and the claimed user exceeds a predetermined threshold.

Abstract: A method and system for intrusion detection to detect malicious insider threat activities within a network user profiles. The method includes determining a behavior pattern for each user profile based on activity events, wherein the determination of the behavior pattern is executed by a Recurrent Neural Network. The method includes determining normal activity events and abnormal activity events for each user profile based on the behavior patterns, wherein the determination of the normal activity events and the abnormal activity events is executed by a Feed-Forward Neural Network. The method includes evaluating whether a recorded activity event is a normal activity event or an abnormal activity event based on the behavior pattern and the determined normal activity events and abnormal events for that user profile. The method includes detecting malicious activity for the user profile, if the recorded activity event is evaluated as an abnormal activity event.

Abstract: A method and system for intrusion detection to detect malicious insider threat activities within a network of user profiles. The method includes training a Neural Network on multiple sets of user profile data for multiple user profiles and on multiple sets of activity data of the multiple user profiles of the network, such that the Neural Network is capable of predicting for future dates activities for multiple user profiles. The method includes applying the trained Neural Network on the set of further user profile data of the further user profile, predicting an activity of the further user profile based on the multiple sets of activity data by the trained Neural Network, observing activity of the further user profile, applying the trained Neural Network on the observed activity, and detecting malicious activity for the further user profile by the trained Neural Network, if the observed activity deviates from the predicted activity.

Abstract: A method detects intrusions in an audit log including records of user sessions with activity features and a user label of a claimed user of the user session. Probabilities that a user session belongs to a user are predicted. A probability is predicted for each combination of a user and a user session of the audit log based on the activity features of the user sessions. A user group including users with similar activity features is constructed based on the predicted probabilities. An anomaly score for a user session of the audit log and a claimed user of the user session belonging to the user group is determined based on a probability that the user session belongs to the user group. An intrusion is detected if the anomaly score of the user session and the claimed user exceeds a predetermined threshold.