A Study of Data Fusion for Predicting Novel Activity in Enterprise Cyber-Security

Jack Hogan, Niall M. Adams

2018 IEEE International Conference on Intelligence and Security Informatics (ISI) (2018)

Abstract
Modern computer networks allow for the collection of vast amounts of data. A wide variety of sources record data relating to different aspects of computer and network activity. This wealth of available data, coupled with the persistent rise in successful cyber-security breaches, motivates the need for data-driven approaches to complement existing cyber-defence systems. Although obtainable, most of this data remains unexploited due to issues of data collection and privacy concerns. The majority of research has therefore been constrained to utilise limited data sets, usually obtained from only one of the many available data sources. We use a recently assembled public domain data set, which associates data from multiple sources in a real-world enterprise computer network, to demonstrate the advantages of data and entity fusion for cyber-security. We formulate an anomaly detection task employing time-delayed labels, which enables the use of supervised learning as a means of predicting novel activity. Our results show that an appropriate fusion of data from multiple sources and entities improves predictive accuracy.
Keywords
entity fusion, supervised learning, time-delayed labels, anomaly detection, cyber-defence systems, cyber-security breaches, real-world enterprise computer network, data sets, privacy concerns, data collection, data-driven approaches, network activity, enterprise cyber-security, data fusion, predictive accuracy