Proceedings of the Annual Conference of JSAI
Online ISSN : 2758-7347
36th (2022)
Session ID : 3Yin2-45

Evaluation of pAUC Maximization Method for Detecting Malicious Logs by Analyzing Proxy Logs from Corporate Network
*Taishi NISHIYAMA, Atsutoshi KUMAGAI, Akinori FUJINO, Kazunori KAMIYA
Keywords: AUC, pAUC, Malware
CONFERENCE PROCEEDINGS FREE ACCESS

Abstract

Malware has been the primary cyber threat for years. To mitigate the damage caused by malware infection, network logs are analyzed to quickly detect malicious activities and block malicious communications. This paper considers the binary classification task of classifying network logs as malicious or benign. To evaluate classification performance on this task, previous studies have used the area under the curve (AUC), since actual network logs are imbalanced data that contain fewer malicious logs than benign logs. However, in actual network operation, the AUC in the low false positive rate (FPR) region, i.e., the partial AUC (pAUC), is important, since false positives impose a heavy burden on network operators. In this paper, we describe the theoretical formulation and a method for maximizing the pAUC. We also demonstrate the effectiveness of pAUC maximization methods by comparing them with conventional supervised learning methods on proxy logs from a corporate network.
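
The difference between AUC and pAUC described in the abstract, as an added illustration that is not taken from the paper: it computes the two evaluation metrics only and does not implement the authors' maximization method. The scores are constructed, and the function names, the FPR limit of 0.1 and the normalisation of pAUC to [0, 1] are assumptions of this example.

```python
def auc(pos, neg):
    """Empirical AUC: share of (malicious, benign) score pairs ranked correctly."""
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def pauc(pos, neg, max_fpr):
    """Empirical pAUC over FPR in [0, max_fpr], normalised to [0, 1].

    At low FPR only the highest-scoring benign logs can be false positives,
    so malicious scores are compared against those benign logs alone.
    """
    k = max(1, int(max_fpr * len(neg) + 1e-9))  # benign logs allowed as FPs
    hardest = sorted(neg, reverse=True)[:k]
    return auc(pos, hardest)


# Constructed scores (higher = more suspicious): 5 malicious, 20 benign logs.
# Model A ranks most pairs correctly but scores two benign logs above
# every malicious one; model B is cleaner at the top of the ranking.
A_MAL = [0.90, 0.85, 0.80, 0.75, 0.70]
A_BEN = [0.99, 0.98] + [i / 100 for i in range(1, 19)]
B_MAL = [0.95, 0.90, 0.85, 0.30, 0.25]
B_BEN = [0.60, 0.55, 0.50, 0.45, 0.40, 0.35] + [i / 100 for i in range(1, 15)]


def compare(max_fpr=0.1):
    """Return {model: (AUC, pAUC)} for the two constructed models."""
    return {
        "A": (auc(A_MAL, A_BEN), pauc(A_MAL, A_BEN, max_fpr)),
        "B": (auc(B_MAL, B_BEN), pauc(B_MAL, B_BEN, max_fpr)),
    }


if __name__ == "__main__":
    for name, (full, partial) in compare().items():
        print(f"model {name}: AUC={full:.2f}  pAUC(FPR<=0.1)={partial:.2f}")
```

On this constructed data model A has the higher AUC but a pAUC of zero, because an alert threshold that admits only two benign logs catches none of its malicious logs, while model B catches three of five.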

© 2022 The Japanese Society for Artificial Intelligence