Title :
Using Consensus Clustering for Multi-view Anomaly Detection
Author :
Liu, Alan Y. ; Lam, D.N.
Author_Institution :
Appl. Res. Labs., Univ. of Texas at Austin, Austin, TX, USA
Abstract :
This paper presents work on automatically characterizing typical user activities across multiple sources (or views) of data, and on finding anomalous users who engage in unusual combinations of activities across those views. The approach can be used to detect malicious insiders who abuse their privileged access to systems to accomplish goals that are detrimental to the organizations that grant those privileges. To avoid detection, malicious insiders want to appear as normal as possible relative to other users with similar privileges and tasks, so within any single type or view of audit data the insider's activities may look normal; the anomaly may be apparent only when multiple sources of data are analyzed together. We propose and test domain-independent methods that combine consensus clustering and anomaly detection techniques, and benchmark their efficacy on simulated insider threat data. Experimental results show that combining anomaly detection and consensus clustering produces more accurate results than performing the two tasks sequentially and independently.
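The following is an added illustration of the multi-view idea behind the abstract, not code or data from the paper. It uses a simplified stand-in for the authors' methods: a deterministic 1-D k-means per view, a co-association matrix (the fraction of views in which two users share a cluster), majority-link consensus clusters, and an anomaly score equal to one minus a user's mean co-association with its consensus cluster mates. The user names, view names and counts are constructed so that the "insider" row sits inside a normal cluster in every single view (reads like an admin, logs in and writes USB like an analyst) while its combination across views is unique.

```python
"""Toy multi-view anomaly detection via consensus clustering.

Constructed sample data (not from the paper): three audit views per user,
each a count over the same observation window.  Per-view clustering sees
nothing unusual about "insider"; the cross-view consensus step ranks it first.
"""
from itertools import combinations

VIEW_NAMES = ("file_reads", "after_hours_logins", "usb_writes")

USERS = {
    "admin1":   (110, 8, 0),
    "admin2":   (120, 9, 1),
    "admin3":   (130, 10, 0),
    "admin4":   (115, 7, 1),
    "analyst1": (20, 1, 14),
    "analyst2": (25, 0, 16),
    "analyst3": (30, 2, 15),
    # Normal in every single view, but a combination no other user has.
    "insider":  (118, 1, 15),
}


def kmeans_1d(values, k=2, iters=100):
    """Deterministic 1-D k-means; centroids start evenly spaced over the range.
    Returns (labels, centroids) with labels as {user: centroid_index}."""
    lo, hi = min(values.values()), max(values.values())
    centroids = [lo + i * (hi - lo) / (k - 1) for i in range(k)]
    labels = {}
    for _ in range(iters):
        new_labels = {u: min(range(k), key=lambda c: abs(v - centroids[c]))
                      for u, v in values.items()}
        if new_labels == labels:
            break
        labels = new_labels
        for c in range(k):
            members = [values[u] for u, lab in labels.items() if lab == c]
            if members:  # leave an empty cluster's centroid where it was
                centroids[c] = sum(members) / len(members)
    return labels, centroids


def cluster_each_view(users=USERS):
    """One independent clustering per view: list of (labels, centroids)."""
    return [kmeans_1d({u: vals[i] for u, vals in users.items()})
            for i in range(len(VIEW_NAMES))]


def co_association(labelings, users):
    """C[i][j] = fraction of views in which users i and j share a cluster."""
    names = list(users)
    C = {u: {} for u in names}
    for i, j in combinations(names, 2):
        agree = sum(lab[i] == lab[j] for lab in labelings) / len(labelings)
        C[i][j] = C[j][i] = agree
    return C


def consensus_clusters(C, threshold=0.5):
    """Union-find over pairs that co-cluster in a strict majority of views."""
    parent = {u: u for u in C}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for i, j in combinations(C, 2):
        if C[i][j] > threshold:
            parent[find(i)] = find(j)
    groups = {}
    for u in C:
        groups.setdefault(find(u), set()).add(u)
    return list(groups.values())


def consensus_anomaly_scores(users=USERS):
    """Score = 1 - mean co-association with consensus cluster mates.
    A user whose per-view memberships keep disagreeing with its group scores
    high; a singleton with no mates scores 1.0."""
    labelings = [lab for lab, _ in cluster_each_view(users)]
    C = co_association(labelings, users)
    scores = {}
    for group in consensus_clusters(C):
        for u in group:
            mates = [m for m in group if m != u]
            scores[u] = 1.0 if not mates else 1 - sum(C[u][m] for m in mates) / len(mates)
    return scores


def single_view_scores(users=USERS):
    """Baseline a per-view detector would see: each user's largest distance to
    its own cluster centroid in any one view."""
    scores = {u: 0.0 for u in users}
    for i, (labels, centroids) in enumerate(cluster_each_view(users)):
        for u, vals in users.items():
            scores[u] = max(scores[u], abs(vals[i] - centroids[labels[u]]))
    return scores


def most_anomalous(scores):
    return max(scores, key=scores.get)


if __name__ == "__main__":
    print("single-view top:", most_anomalous(single_view_scores()))
    print("consensus top:  ", most_anomalous(consensus_anomaly_scores()))
    for u, s in sorted(consensus_anomaly_scores().items(), key=lambda kv: -kv[1]):
        print(f"  {u:9s} {s:.3f}")
```

With this data the single-view baseline ranks an ordinary admin highest (its file-read count is farthest from its centroid) and puts the insider near the bottom, while the consensus score puts the insider first: it co-clusters with the analysts in only two of three views, so it never fully agrees with any consensus group. The scoring rule here is a simplification chosen for illustration; the paper's own combination of consensus clustering and anomaly detection is described in the full text.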
Keywords :
authorisation; organisational aspects; pattern clustering; consensus clustering; domain-independent methods; malicious insiders; multiple data sources; multiview anomaly detection; organizations; simulated insider threat data; user activities; Clustering algorithms; Data mining; Data models; Databases; Measurement; Mutual information; Semantics; anomaly detection; consensus clustering; insider threat; multi-view learning;
Conference_Title :
Security and Privacy Workshops (SPW), 2012 IEEE Symposium on
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4673-2157-0
DOI :
10.1109/SPW.2012.18