Cyber threat detection: Unsupervised hunting of anomalous commands (UHAC)
Decision Support Systems (IF 7.5), Pub Date: 2023-01-14, DOI: 10.1016/j.dss.2023.113928
Varol O. Kayhan, Manish Agrawal, Shivendu Shivendu

The cyber security industry is rapidly adopting threat hunting as a proactive tool for earlier and faster detection of suspected malicious actors. In this paper, we propose a machine learning-based method, Unsupervised Hunting of Anomalous Commands (UHAC), to detect text-based anomalous commands in security information and event management (SIEM) logs that are good candidates for threat hunting. A unique feature of the proposed method is that it first creates a feature set by augmenting a document-term matrix with a document-character matrix. Then, an autoencoder-based detector is trained on this feature set using a custom loss function. UHAC consistently outperforms other feature sets and algorithms such as one-class support vector machines, density-based spatial clustering of applications with noise (DBSCAN), and word-embedding-based models such as word2vec. The UHAC detector identifies 84–89% of anomalies in the top 10% of the data. The findings have implications for cybersecurity analysts who perform threat hunting in SIEM logs for process auditing on endpoint devices.
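The pipeline the abstract sketches, as an added illustration that is not the paper's code and does not reproduce its experiments: build the augmented document-term plus document-character feature set from a handful of constructed process-audit command lines, train a small tied-weight autoencoder on all of them without labels, rank commands by reconstruction error, and measure how many of the known oddities land in the top 10% of the ranking. The command lines, the two indices marked as anomalies, the network size, and the use of plain mean squared error (the abstract does not specify its custom loss) are all assumptions made for this example; it runs in plain Python with no third-party packages.

```python
import math
import random
import re

# Constructed sample of endpoint process-audit command lines (not the paper's data).
COMMANDS = [
    "ls -la /home/alice", "cat /var/log/syslog", "grep error /var/log/syslog",
    "ps aux", "df -h", "tail -f /var/log/auth.log", "ls -la /var/log",
    "cat /etc/hostname", "grep warn /var/log/auth.log", "ps aux", "df -h /home",
    "tail -n 50 /var/log/syslog", "ls /home/alice", "cat /home/alice/notes.txt",
    "uptime", "whoami", "ls -la /tmp", "ps -ef",
    # two unusual-looking (but benign) entries we would like the detector to rank first
    "python3 -c 'print(\"hello\")'", "echo aGVsbG8= | base64 -d",
]
ANOMALY_INDICES = {18, 19}  # assumed ground truth used only for evaluation, not training


def build_features(commands):
    """Augmented feature set: document-term matrix (whitespace tokens, binary presence)
    concatenated with document-character matrix (per-character frequency)."""
    term_vocab = sorted({t for c in commands for t in re.findall(r"\S+", c)})
    char_vocab = sorted({ch for c in commands for ch in c})
    term_index = {t: i for i, t in enumerate(term_vocab)}
    char_index = {ch: i for i, ch in enumerate(char_vocab)}
    rows = []
    for c in commands:
        terms = [0.0] * len(term_vocab)
        for t in re.findall(r"\S+", c):
            terms[term_index[t]] = 1.0
        chars = [0.0] * len(char_vocab)
        for ch in c:
            chars[char_index[ch]] += 1.0 / len(c)
        rows.append(terms + chars)
    return rows, term_vocab, char_vocab


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def _forward(model, x):
    """Encode x into the hidden layer h, then decode with the transposed weights."""
    W, b, c = model
    d, hidden = len(W), len(b)
    h = [_sigmoid(b[k] + sum(x[j] * W[j][k] for j in range(d))) for k in range(hidden)]
    y = [_sigmoid(c[j] + sum(h[k] * W[j][k] for k in range(hidden))) for j in range(d)]
    return h, y


def train_autoencoder(rows, hidden=4, epochs=300, lr=0.5, seed=7):
    """Tied-weight one-hidden-layer autoencoder trained by full-batch gradient descent
    on mean squared reconstruction error (stand-in for the paper's custom loss)."""
    rng = random.Random(seed)
    d, n = len(rows[0]), len(rows)
    W = [[rng.uniform(-0.1, 0.1) for _ in range(hidden)] for _ in range(d)]
    b, c = [0.0] * hidden, [0.0] * d  # encoder bias, decoder bias
    for _ in range(epochs):
        gW = [[0.0] * hidden for _ in range(d)]
        gb, gc = [0.0] * hidden, [0.0] * d
        for x in rows:
            h, y = _forward((W, b, c), x)
            # dL/d(pre-activation) at the output for L = mean_j (y_j - x_j)^2
            dy = [2.0 * (y[j] - x[j]) * y[j] * (1.0 - y[j]) / d for j in range(d)]
            # back-propagate through the decoder into the hidden pre-activations
            dh = [sum(dy[j] * W[j][k] for j in range(d)) * h[k] * (1.0 - h[k]) for k in range(hidden)]
            for j in range(d):
                gc[j] += dy[j]
                for k in range(hidden):
                    # tied weights: W_jk receives the decoder and the encoder contribution
                    gW[j][k] += dy[j] * h[k] + dh[k] * x[j]
            for k in range(hidden):
                gb[k] += dh[k]
        for j in range(d):
            c[j] -= lr * gc[j] / n
            for k in range(hidden):
                W[j][k] -= lr * gW[j][k] / n
        for k in range(hidden):
            b[k] -= lr * gb[k] / n
    return W, b, c


def reconstruction_errors(model, rows):
    """Per-command anomaly score: mean squared reconstruction error."""
    return [sum((yj - xj) ** 2 for yj, xj in zip(_forward(model, x)[1], x)) / len(x) for x in rows]


def rank_by_error(errors):
    """Indices ordered from most to least anomalous; the analyst hunts from the top."""
    return sorted(range(len(errors)), key=lambda i: errors[i], reverse=True)


def recall_in_top_fraction(ranking, anomaly_indices, fraction=0.10):
    """Share of known anomalies inside the top `fraction` of the ranking, the metric
    behind the abstract's "84-89% of anomalies in the top 10% of the data"."""
    cutoff = max(1, int(math.ceil(len(ranking) * fraction)))
    return len(set(ranking[:cutoff]) & set(anomaly_indices)) / len(anomaly_indices)


if __name__ == "__main__":
    rows, terms, chars = build_features(COMMANDS)
    model = train_autoencoder(rows)
    ranking = rank_by_error(reconstruction_errors(model, rows))
    for i in ranking[:4]:
        print(f"{'ANOMALY' if i in ANOMALY_INDICES else 'normal ':8s} {COMMANDS[i]}")
    print("recall in top 10%:", recall_in_top_fraction(ranking, ANOMALY_INDICES))
```

Training on every command, anomalies included, mirrors the unsupervised setting: rare commands contribute little to the fit, so their rare tokens and characters are reconstructed poorly and their error stays high. The two matrices are scaled differently on purpose (binary term presence, character frequencies summing to one per command) so that neither view dominates the concatenated vector; how the two blocks are weighted is one of the choices a real deployment has to tune.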




Updated: 2023-01-14