TY - JOUR
T1 - A Featurization Method to Improve Anomaly Detection Performance Using Login Logs
AU - Im, Sun-Young
AU - Kim, Sang-soo
AU - Shim, Shinwoo
AU - Koo, Sung-mo
AU - Cho, Byoungmo
AU - Kim, Kwangsoo
AU - Kim, Taekyu
JO - The Journal of Korean Institute of Communications and Information Sciences
PY - 2022
DA - 2022/1/15
DO - 10.7840/kics.2022.47.1.58
KW - Login Log
KW - Anomaly Detection
KW - Los Alamos
KW - PyOD
KW - ABOD
KW - HBOS
KW - IForest
KW - KNN
KW - LOF
KW - OCSVM
AB - Anomalous login detection is an essential element for protecting corporate data and building a secure system. When an attacker enters the correct password and successfully logs in to the server, the attacker begins looking for meaningful information in the system. At that point, detecting the anomalous login behavior of the account and restricting or revoking the privileges of the account can reduce system loss. In this study, a data preprocessing method was studied to improve anomalous login detection performance using the login log. We generated frequency headers for each event by calculating the number of times the same event repeats based on the source user, source domain, source computer, destination user, destination domain, destination computer, authentication type, logon type, authentication_orientation, and login success/failure. One-hot encoding was then performed on the data of the source user, destination user, authentication type, logon type, and frequency header. After encoding, 6 anomaly detection algorithms (ABOD, HBOS, IForest, KNN, LOF, OCSVM) were applied to compare performance before and after applying the proposed method; the AUC improved by 43% or more (up to 50%), and the TPR improved by 86% or more (up to 93%).