With exponentially increasing cybersecurity threats, the global digital infrastructure must respond to unprecedented challenges; more advanced analysis approaches are required to identify threat patterns and anomalous behavior. This work proposes a comprehensive unsupervised learning framework that can cluster and perform anomaly detection for cyber-incident data from around the world between 2015 and 2024. Three complementary approaches are used in our methodology, and we have used K-Means to cluster incident patterns, then DBSCAN for DBSCAN-based cluster analysis, and finally Isolation Forest to detect anomalies. In this study, a comprehensive dataset of cyber incidents is analyzed with their (non-mutually exclusive) features, such as targeted industry, type of attack, impact, affected users and geography. The reduction in dimensionality and visualization of the clustering results in the two-dimensional space were achieved by Principal Component Analysis (PCA). The K-means analysis shows that our findings can be grouped into four (4) clusters, and four (4) core incident patterns are identified but flagged as noise by DBSCAN. The Isolation Forest algorithm effectively identified high-impact anomalous incidents with anomaly scores between 0.46 and 0.62. Our performance evaluation shows that the clustered results for the Isolation Forest (89% silhouette score, 87% anomaly precision) outperform those of traditional clustering methods. By offering automated tools for threat categorization, pattern recognition, and early warning systems to anomalous cyber activities suggesting potential sophisticated or emerging attack vectors, the research adds to both the field of cybersecurity intelligence and to various applications.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Unsupervised Pattern Discovery in Cyber Incidents Using Principal Component Analysis K-Means DBSCAN and Isolation Forest

  • Ananjan Maiti,
  • Rupak Chakraborty,
  • Dipankar Basu,
  • Indranil Sarkar,
  • Arpita Dutta

摘要

With exponentially increasing cybersecurity threats, the global digital infrastructure must respond to unprecedented challenges; more advanced analysis approaches are required to identify threat patterns and anomalous behavior. This work proposes a comprehensive unsupervised learning framework that can cluster and perform anomaly detection for cyber-incident data from around the world between 2015 and 2024. Three complementary approaches are used in our methodology, and we have used K-Means to cluster incident patterns, then DBSCAN for DBSCAN-based cluster analysis, and finally Isolation Forest to detect anomalies. In this study, a comprehensive dataset of cyber incidents is analyzed with their (non-mutually exclusive) features, such as targeted industry, type of attack, impact, affected users and geography. The reduction in dimensionality and visualization of the clustering results in the two-dimensional space were achieved by Principal Component Analysis (PCA). The K-means analysis shows that our findings can be grouped into four (4) clusters, and four (4) core incident patterns are identified but flagged as noise by DBSCAN. The Isolation Forest algorithm effectively identified high-impact anomalous incidents with anomaly scores between 0.46 and 0.62. Our performance evaluation shows that the clustered results for the Isolation Forest (89% silhouette score, 87% anomaly precision) outperform those of traditional clustering methods. By offering automated tools for threat categorization, pattern recognition, and early warning systems to anomalous cyber activities suggesting potential sophisticated or emerging attack vectors, the research adds to both the field of cybersecurity intelligence and to various applications.