{"id":"https://openalex.org/W4400233968","doi":"https://doi.org/10.1109/noms59830.2024.10575561","title":"Anomaly Detection in Security Logs using Sequence Modeling","display_name":"Anomaly Detection in Security Logs using Sequence Modeling","publication_year":2024,"publication_date":"2024-05-06","ids":{"openalex":"https://openalex.org/W4400233968","doi":"https://doi.org/10.1109/noms59830.2024.10575561"},"language":"en","primary_location":{"id":"doi:10.1109/noms59830.2024.10575561","is_oa":false,"landing_page_url":"https://doi.org/10.1109/noms59830.2024.10575561","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"NOMS 2024-2024 IEEE Network Operations and Management Symposium","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5099842884","display_name":"Simon G\u00f6kstorp","orcid":null},"institutions":[{"id":"https://openalex.org/I86987016","display_name":"KTH Royal Institute of Technology","ror":"https://ror.org/026vcq606","country_code":"SE","type":"education","lineage":["https://openalex.org/I86987016"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Simon G\u00f6kstorp","raw_affiliation_strings":["KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden","institution_ids":["https://openalex.org/I86987016"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063844844","display_name":"Jakob Nyberg","orcid":null},"institutions":[{"id":"https://openalex.org/I86987016","display_name":"KTH Royal Institute of Technology","ror":"https://ror.org/026vcq606","country_code":"SE","type":"education","lineage":["https://openalex.org/I86987016"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Jakob Nyberg","raw_affiliation_strings":["KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden","institution_ids":["https://openalex.org/I86987016"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077076300","display_name":"Yeongwoo Kim","orcid":"https://orcid.org/0009-0002-6228-9332"},"institutions":[{"id":"https://openalex.org/I86987016","display_name":"KTH Royal Institute of Technology","ror":"https://ror.org/026vcq606","country_code":"SE","type":"education","lineage":["https://openalex.org/I86987016"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Yeongwoo Kim","raw_affiliation_strings":["KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden","institution_ids":["https://openalex.org/I86987016"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5001314969","display_name":"Pontus Johnson","orcid":"https://orcid.org/0000-0002-3293-1681"},"institutions":[{"id":"https://openalex.org/I86987016","display_name":"KTH Royal Institute of Technology","ror":"https://ror.org/026vcq606","country_code":"SE","type":"education","lineage":["https://openalex.org/I86987016"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Pontus Johnson","raw_affiliation_strings":["KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden","institution_ids":["https://openalex.org/I86987016"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5086721943","display_name":"Gy\u00f6rgy D\u00e1n","orcid":"https://orcid.org/0000-0002-4876-0223"},"institutions":[{"id":"https://openalex.org/I86987016","display_name":"KTH Royal Institute of Technology","ror":"https://ror.org/026vcq606","country_code":"SE","type":"education","lineage":["https://openalex.org/I86987016"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Gy\u00f6rgy D\u00e1n","raw_affiliation_strings":["KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KTH Royal Institute of Technology,Division of Network and Systems Engineering,Stockholm,Sweden","institution_ids":["https://openalex.org/I86987016"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I86987016"],"apc_list":null,"apc_paid":null,"fwci":1.8376,"has_fulltext":false,"cited_by_count":6,"citation_normalized_percentile":{"value":0.86045977,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"9"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9772999882698059,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9772999882698059,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.6803723573684692},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5945372581481934},{"id":"https://openalex.org/keywords/sequence","display_name":"Sequence (biology)","score":0.5622485280036926},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.3593924641609192},{"id":"https://openalex.org/keywords/data-mining","display_name":"Data mining","score":0.3530037999153137},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.3319918215274811},{"id":"https://openalex.org/keywords/chemistry","display_name":"Chemistry","score":0.07445278763771057}],"concepts":[{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.6803723573684692},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5945372581481934},{"id":"https://openalex.org/C2778112365","wikidata":"https://www.wikidata.org/wiki/Q3511065","display_name":"Sequence (biology)","level":2,"score":0.5622485280036926},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.3593924641609192},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3530037999153137},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.3319918215274811},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.07445278763771057},{"id":"https://openalex.org/C55493867","wikidata":"https://www.wikidata.org/wiki/Q7094","display_name":"Biochemistry","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/noms59830.2024.10575561","is_oa":false,"landing_page_url":"https://doi.org/10.1109/noms59830.2024.10575561","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"NOMS 2024-2024 IEEE Network Operations and Management Symposium","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":28,"referenced_works":["https://openalex.org/W433644524","https://openalex.org/W1522301498","https://openalex.org/W2005221715","https://openalex.org/W2064675550","https://openalex.org/W2476891002","https://openalex.org/W2889165715","https://openalex.org/W2896457183","https://openalex.org/W2914304175","https://openalex.org/W2926701059","https://openalex.org/W2938337762","https://openalex.org/W2958285686","https://openalex.org/W2964304846","https://openalex.org/W3043486047","https://openalex.org/W3188369116","https://openalex.org/W3199174176","https://openalex.org/W3208655822","https://openalex.org/W4214699222","https://openalex.org/W4283067758","https://openalex.org/W4295312788","https://openalex.org/W4307042912","https://openalex.org/W4385080331","https://openalex.org/W4385245566","https://openalex.org/W4385605314","https://openalex.org/W6631190155","https://openalex.org/W6746340649","https://openalex.org/W6755207826","https://openalex.org/W6766978945","https://openalex.org/W6778883912"],"related_works":["https://openalex.org/W2105642232","https://openalex.org/W3197833032","https://openalex.org/W4386081464","https://openalex.org/W3207332793","https://openalex.org/W2499612753","https://openalex.org/W3113278055","https://openalex.org/W2750709484","https://openalex.org/W4296474495","https://openalex.org/W2033914206","https://openalex.org/W2042327336"],"abstract_inverted_index":{"As":[0],"cyberattacks":[1],"are":[2,12],"becoming":[3,13],"more":[4],"sophisticated,":[5],"automated":[6],"activity":[7,159],"logging":[8],"and":[9,66,98,103,137,183,210],"anomaly":[10,75,120,143,218],"detection":[11,76,121,144],"important":[14],"tools":[15],"for":[16,119,217],"defending":[17],"computer":[18],"systems.":[19],"Recent":[20],"deep":[21],"learning-based":[22],"approaches":[23,73,155,216],"have":[24],"demonstrated":[25],"promising":[26],"results":[27],"in":[28,77,122,127,160,206],"cybersecurity":[29,208],"contexts,":[30],"typically":[31],"using":[32],"supervised":[33],"learning":[34,43,135],"combined":[35],"with":[36],"large":[37,89],"amounts":[38],"of":[39,51,188,196,214],"labeled":[40,59],"data.":[41],"Self-supervised":[42],"has":[44],"seen":[45],"growing":[46],"interest":[47],"as":[48],"a":[49,207],"method":[50],"training":[52,60,102],"models":[53,201],"because":[54],"it":[55],"does":[56],"not":[57],"require":[58],"data,":[61],"which":[62],"can":[63],"be":[64],"difficult":[65],"expensive":[67,99],"to":[68,74,129,141,181,202],"collect.":[69],"However,":[70],"existing":[71],"self-supervised":[72,115,199],"user":[78,123,203],"authentication":[79,124,166,204],"logs":[80],"either":[81],"suffer":[82],"from":[83,179],"low":[84],"precision":[85,187],"or":[86],"rely":[87],"on":[88,106],"pre-trained":[90],"natural":[91],"language":[92],"models.":[93],"This":[94],"makes":[95],"them":[96],"slow":[97],"both":[100],"during":[101],"inference.":[104],"Building":[105],"previous":[107,150],"works,":[108],"we":[109],"therefore":[110],"propose":[111],"an":[112,130,185],"end-to-end":[113,197],"trained":[114,198],"transformer-based":[116,215],"sequence":[117],"model":[118,148],"events.":[125],"Thanks":[126],"part":[128],"adapted":[131],"masked-language":[132],"modeling":[133],"(MLM)":[134],"task":[136],"domain":[138],"knowledge-based":[139],"improvements":[140],"the":[142,161,170,173,193,212],"method,":[145],"our":[146],"proposed":[147],"outperforms":[149],"long":[151],"short-term":[152],"memory":[153],"(LSTM)-based":[154],"at":[156],"detecting":[157],"red-team":[158],"\"Comprehensive,":[162],"Multi-Source":[163],"Cyber-Security":[164],"Events\"":[165],"event":[167],"dataset,":[168],"improving":[169],"area":[171],"under":[172],"receiver":[174],"operating":[175],"characteristic":[176],"curve":[177],"(AUC)":[178],"0.9760":[180],"0.9989":[182],"achieving":[184],"average":[186],"0.0410.":[189],"Our":[190],"work":[191],"presents":[192],"first":[194],"application":[195],"transformer":[200],"data":[205],"context,":[209],"demonstrates":[211],"potential":[213],"detection.":[219]},"counts_by_year":[{"year":2025,"cited_by_count":6}],"updated_date":"2026-06-26T08:34:08.712188","created_date":"2025-10-10T00:00:00"}