An Abnormal Login Detection Method Based on Multi-source Log Fusion Analysis

2019 
Anomalous login detection is a critical step towards building a secure and trustworthy system. When a new user appears in the login record, the traditional method concludes that an anomalous login has occurred. In fact, however, the subject of a first login may be a new employee rather than an attacker. In this paper, we propose an asynchronous anomalous login detection model of "Off-line Learning + On-line Detection" to solve the real-time anomalous login detection problem. In addition, based on the analysis of multi-source logs, we extract the operating features of users to distinguish malicious users from legitimate users who log on to the host for the first time. Extensive experimental evaluations over large log data have shown that our algorithm can not only catch the first abnormal account effectively but also reduce the running time by tens of times compared with K-means and other clustering algorithms.