Tuor
Automated analysis methods are crucial aids for monitoring and defending a network to protect the sensitive or confidential data it hosts. This work introduces a flexible, powerful, and unsupervised approach to detecting anomalous behavior in computer and network logs, one that largely eliminates domain-dependent feature engineering employed by existing methods. By treating system logs as threads of interleaved "sentences" (event log lines) to train online unsupervised neural network language models, our approach provides an adaptive model of normal network behavior. We compare the effectiveness of both standard and bidirectional recurrent neural network language models at detecting malicious activity within network log data. Extending these models, we introduce a tiered recurrent architecture, which provides context by modeling sequences of users' actions over time. Compared to Isolation Forest and Principal Components Analysis, two popular anomaly detection algorithms, we observe superior performance on the Los Alamos National Laboratory Cyber Security dataset. For log-line-level red team detection, our best performing character-based model provides test set area under the receiver operator characteristic curve of 0.98, demonstrating the strong fine-grained anomaly detection performance of this approach on open vocabulary logging sources.
- Information Technology (0.89)
- Energy (0.64)
New method for automated control leverages advances in AI
The design of real-world automated control systems that do everything from regulating the temperature of skyscrapers to running the widget-making machine in the widget factory down the street requires expertise in sophisticated physics-based modeling. The need for this modeling expertise increases operational costs and restricts the applicability of automated control to systems in which marginal operational performance improvements lead to huge economic benefits, according to data scientists. With unlimited access to supercomputers and mountains of data, engineers can train artificial intelligence systems such as deep neural networks, a type of machine learning model, to perform automated control. But many people lack access to the necessary computational power to do so, or the ability to generate the amount of data needed to train a controller that has a deep neural network. What's more, these types of deep neural networks are so-called black-box models, which means that the factors they use to make decisions are hidden from the end user.