Threat hunting is sifting through system logs to detect malicious activities
that might have bypassed existing security measures. It can be performed in
several ways, one of which is based on detecting anomalies. We propose an
unsupervised framework, called continuous bag-of-terms-and-time (CBoTT), and
publish its application programming interface (API) to help researchers and
cybersecurity analysts perform anomaly-based threat hunting among SIEM logs
geared toward process auditing on endpoint devices. Analyses show that our
framework consistently outperforms benchmark approaches. When logs are sorted
by likelihood of being an anomaly (from most likely to least), our approach
identifies anomalies at higher percentiles (between 1.82-6.46) while benchmark
approaches identify the same anomalies at lower percentiles (between
3.25-80.92). This framework can be used by other researchers to conduct
benchmark analyses and cybersecurity analysts to find anomalies in SIEM logs.

通过检测系统日志中的异常行为来进行威胁搜寻已成为一种关键的安全措施。本文提出了一种无监督的框架，连续词袋和时间（CBoTT），并公开其应用程序接口（API），帮助研究人员和网络安全分析员在面向端点设备的 SIEM 日志中执行基于异常的威胁搜寻。分析结果表明，我们的框架始终优于基准方法。当按照可能是异常的可能性对日志进行排序时，我们的方法在更高的百分位数（介于 1.82-6.46 之间）上识别异常，而基准方法在较低的百分位数（介于 3.25-80.92 之间）上识别相同的异常。其他研究人员可以使用该框架进行基准分析，并帮助网络安全分析员发现 SIEM 日志中的异常行为。