Deep Learning approaches for Group Anomaly Detection in Cyber security
Today, the frequency and scale of cyber-attacks and cyber fraud increase every year. Incidents related to cybercrime are becoming more sophisticated, complex and multi-faceted. For example, cybercriminals rely on tools, procedures and processes already installed on the system for their attack campaigns, because these are normally used by administrators, directors and security analysts for legitimate routine tasks. On the defensive side, detecting patterns that differ from typical behaviour is critically important for identifying new threats or fraud patterns. This requirement has been addressed with popular machine learning algorithms that are capable of detecting point anomalies. However, many such approaches cannot detect the variety of deviations that are evident in group datasets. For example, a domain administrator's activity on a machine can closely resemble an attacker's activity, confusing any point anomaly detector. Identifying attacker activities in this case requires more specialised techniques that can robustly differentiate such behaviour. Group Anomaly Detection, on the other hand, aims to identify groups that deviate from the regular group pattern. Generally, a group consists of a collection of two or more points, and group behaviour is described by a larger number of observations. Group Anomaly Detection has been studied in various domains to find group anomalies where point-wise methods failed. Recently, Group Anomaly Detection has been applied in cyber security with simple Deep Learning (DL) models such as the Adversarial Autoencoder to detect targeted cybercriminals who hide their activity. However, such simple DL models are still limited in detecting sophisticated activities in cyber systems.
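As an added illustration, not code from this proposal or its authors, the following Python script contrasts a point anomaly score with a group anomaly score on a constructed set of session logs. The session ids, event-type names and thresholds are invented for the example. Every individual event type is common across administrator sessions, so per-event rarity (the point detector) cannot separate the suspect session from the administrators; scoring each session as a whole by the distance of its event-type distribution to the nearest other session (a simple group-level nearest-neighbour detector, not the Deep Learning model the proposal describes) does.

```python
"""Point vs group anomaly scoring on constructed session logs (added example)."""
from collections import Counter
from math import log

# Constructed sample telemetry: one list of event types per login session.
# Event types are generic placeholders for legitimate admin actions; none is
# rare on its own. Administrators typically focus on one task per session,
# while the "suspect" session touches every activity type evenly.
SESSIONS = {
    "admin-a": ["list_users"] * 4 + ["remote_exec"] * 4,
    "admin-b": ["list_users"] * 5 + ["remote_exec"] * 3,
    "admin-c": ["read_config"] * 5 + ["copy_file"] * 3,
    "admin-d": ["read_config"] * 4 + ["copy_file"] * 4,
    "admin-e": ["copy_file"] * 3 + ["remote_exec"] * 5,
    "admin-f": ["copy_file"] * 4 + ["remote_exec"] * 4,
    "suspect": ["list_users", "remote_exec", "read_config", "copy_file"] * 2,
}

EVENT_TYPES = sorted({e for events in SESSIONS.values() for e in events})


def point_scores(sessions):
    """Point detector: rarity of each event type across all sessions,
    -log p(type); a session is scored by its single most unusual event."""
    totals = Counter(e for events in sessions.values() for e in events)
    n = sum(totals.values())
    rarity = {t: -log(totals[t] / n) for t in totals}
    return {sid: max(rarity[e] for e in events) for sid, events in sessions.items()}


def distribution(events):
    """Group feature: the session's event-type distribution."""
    counts = Counter(events)
    return {t: counts[t] / len(events) for t in EVENT_TYPES}


def l1_distance(p, q):
    """L1 distance between two event-type distributions."""
    return sum(abs(p[t] - q[t]) for t in EVENT_TYPES)


def group_scores(sessions):
    """Group detector: distance from a session's distribution to the nearest
    other session's (leave-one-out nearest neighbour at the group level)."""
    dists = {sid: distribution(events) for sid, events in sessions.items()}
    return {
        sid: min(l1_distance(dists[sid], dists[other]) for other in dists if other != sid)
        for sid in dists
    }


def flagged(scores, threshold):
    """Sessions whose score exceeds the threshold, sorted for stable output."""
    return sorted(sid for sid, s in scores.items() if s > threshold)


if __name__ == "__main__":
    ps = point_scores(SESSIONS)
    gs = group_scores(SESSIONS)
    for sid in SESSIONS:
        print(f"{sid:8s} point={ps[sid]:.2f} group={gs[sid]:.2f}")
    print("point detector flags:", flagged(ps, 2.0))  # [] : no single event is rare
    print("group detector flags:", flagged(gs, 0.5))  # ['suspect']
```

The group feature here is a hand-built session-level summary (the event-type distribution); the proposal's Deep Learning model would learn such a group representation from data instead, and the same contrast applies: the anomaly is visible only when the session is scored as a group of observations rather than one event at a time.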
Hence, in this research, we are looking at developing a new Deep Learning model for Group Anomaly Detection in cyber systems in the presence of sophisticated activities such as multiple attack groups and new cyber-fraud patterns. This new Deep Learning model should be capable of multi-class classification. The new model will be evaluated with both open-source datasets and real-world datasets from the cyber security industry.