Time Series Based Pattern Recognition for Anomaly Detection from System Audit Logs

2019 
Pattern recognition is very important for the identification of anomalous patterns in log messages. This paper presents pattern recognition in time series log data for anomaly detection. The proposed method uses Seasonal Auto Regression Integrated Moving Average (Seasonal ARIMA) to identify deviations between actual and predicted values. The deviations beyond a defined threshold are identified as anomalous data points. Anomalous data points for the positively correlated data points are used to calculate the composite anomalous score. Finally, the approach is compared with Seasonal Extreme Studentized Deviate (ESD). The method calculates the anomalous score in the range of 0 to 100. This can be used to understand the security risk posture and thus prioritize the incidents associated with a given user.
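The pipeline the abstract describes (forecast, threshold the deviation, combine positively correlated series into a 0 to 100 score) can be sketched as follows. This is an added example, not the paper's code. It assumes hourly counts with a daily cycle, uses a same-hour median as a stand-in for a fitted Seasonal ARIMA forecast, and uses an assumed scoring rule; the metric names and sample data are constructed.

```python
from statistics import median

SEASON = 24  # assumption: hourly event counts with a daily cycle

def forecast(series):
    """Stand-in for a fitted Seasonal ARIMA forecast: predict each hour as
    the median of the same hour on all earlier days."""
    return {t: median(series[t % SEASON:t:SEASON])
            for t in range(SEASON, len(series))}

def anomalous_hours(series, k=5.0):
    """Hours where |actual - predicted| exceeds k robust deviations (MAD)."""
    resid = {t: series[t] - p for t, p in forecast(series).items()}
    mad = max(median(abs(r) for r in resid.values()), 1.0)  # floor: 1 event
    return {t for t, r in resid.items() if abs(r) > k * mad}

def pearson(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / var ** 0.5 if var else 0.0

def composite_score(metrics, primary):
    """Assumed rule, not the paper's formula: among metrics positively
    correlated with `primary`, the largest share anomalous in the same
    hour, scaled to 0..100."""
    group = [m for m in metrics
             if m == primary or pearson(metrics[m], metrics[primary]) > 0]
    flagged = {m: anomalous_hours(metrics[m]) for m in group}
    hours = set().union(*flagged.values())
    return max((100 * sum(t in flagged[m] for m in group) // len(group)
                for t in hours), default=0)

def sample(failed_burst=40, denied_burst=30):
    """Constructed data: 4 days of hourly audit-event counts for one user."""
    def counts(base, mult, sign=1):  # working-hours bump plus small jitter
        return [base + sign * (6 if 8 <= t % 24 < 18 else 0) + (t * mult) % 5
                for t in range(4 * SEASON)]
    failed, denied = counts(2, 7), counts(1, 3)
    reads = counts(30, 11, sign=-1)      # night batch job: inverse pattern
    failed[80] += failed_burst           # burst of failed logins ...
    denied[80] += denied_burst           # ... and sudo denials in the same hour
    return {"failed_logins": failed, "sudo_denied": denied, "file_reads": reads}

if __name__ == "__main__":
    print(composite_score(sample(), "failed_logins"))
```

A burst that appears in only one of the two correlated series scores 50 under this rule, which is how the composite score separates a corroborated incident from a single noisy metric.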