Detecting Cyber Intrusions with Sequence Models and Event Windows
Author: Analytics in Practice
Uploaded: 2026-02-23
Views: 3
Description: Detecting cyber intrusions with sequence models starts by treating security telemetry as a time-ordered event stream—each record has a timestamp, host, event type, and numeric context like severity, outbound bytes, destination entropy, and whether the user is admin. Because real incident data is proprietary, the example generates synthetic “realistic-ish” host logs where most activity is normal but some hosts include an intrusion interval that follows a recognizable attack progression (port scan → repeated login failures → success/process start → privilege change → data exfil). The stream is converted into fixed-length sliding “event windows” per host (for example, 40 events with a stride of 10) so the model can learn patterns over sequences rather than single rows. Each window is labeled as attack or normal based on whether it overlaps the simulated attack interval, giving supervised training targets. Features are built by one-hot encoding the categorical event tokens and scaling numeric fields per host to reduce baseline differences across machines. A GRU sequence classifier is trained with class-imbalance handling (positive-class weighting), and predictions are turned into probabilities that can be thresholded into SOC-style alerts. The workflow emphasizes a time-based split to avoid leakage, but it also shows a common pitfall: if the test set ends up with only one class, ROC-AUC becomes undefined and returns NaN even if training loss drops. Alerts are then summarized in a triage table containing host, window time range, predicted intrusion probability, the alert flag, and ground-truth, which mirrors what analysts would review. To make detections explainable, the example adds a Transformer variant for attention-based timestep importance and also includes gradient-based saliency to identify which event types most influenced a score, plus a practical “counts vs baseline” explanation that highlights what changed inside a flagged window.
Finally, it demonstrates how to swap between PyTorch and TensorFlow implementations and suggests operational visualizations like score distributions, host risk rankings, and a host-by-time probability heatmap for monitoring.
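The per-host windowing, overlap labelling and time-based split described above, as an added Python example that is not the video's own code. The event stream and the attack interval are constructed, the window length and stride are shrunk from 40/10 to fit the toy data, and the last function is the single-class check that explains the NaN ROC-AUC pitfall.

```python
from collections import defaultdict

# Constructed stream: (timestamp, host, event_type). Real telemetry would also carry
# severity, outbound bytes, destination entropy and an admin flag per record.
# Host "h2" contains a simulated intrusion following the video's progression.
EVENTS = [
    (1, "h1", "login_ok"), (2, "h1", "proc_start"), (3, "h1", "net_conn"),
    (4, "h1", "login_ok"), (5, "h1", "net_conn"), (6, "h1", "proc_start"),
    (1, "h2", "login_ok"), (2, "h2", "net_conn"), (3, "h2", "port_scan"),
    (4, "h2", "login_fail"), (5, "h2", "login_fail"), (6, "h2", "login_ok"),
    (7, "h2", "priv_change"), (8, "h2", "exfil"), (9, "h2", "net_conn"),
]
# Constructed ground truth: host -> (attack_start, attack_end), inclusive timestamps.
ATTACK_INTERVALS = {"h2": (3, 8)}


def make_windows(events, window=4, stride=2):
    """Cut each host's time-ordered events into fixed-length sliding windows.
    The video uses window=40, stride=10; the small values here suit the toy stream."""
    by_host = defaultdict(list)
    for ts, host, etype in sorted(events):  # sort by time so windows are ordered
        by_host[host].append((ts, etype))
    windows = []
    for host, seq in by_host.items():
        for start in range(0, len(seq) - window + 1, stride):
            chunk = seq[start:start + window]
            windows.append({"host": host, "t_start": chunk[0][0],
                            "t_end": chunk[-1][0], "events": [e for _, e in chunk]})
    return windows


def label_window(win, intervals):
    """1 (attack) if the window overlaps its host's simulated attack interval, else 0."""
    if win["host"] not in intervals:
        return 0
    a_start, a_end = intervals[win["host"]]
    return int(win["t_start"] <= a_end and win["t_end"] >= a_start)


def time_split(windows, cutoff):
    """Time-based split: windows ending before the cutoff train, the rest test.
    Splitting by time, not at random, keeps future events out of the training set."""
    train = [w for w in windows if w["t_end"] < cutoff]
    test = [w for w in windows if w["t_end"] >= cutoff]
    return train, test


def roc_auc_defined(labels):
    """ROC-AUC needs both classes present; a single-class test set yields NaN."""
    return len(set(labels)) == 2
```

Run `roc_auc_defined` on the test labels before training so a cutoff that leaves only attack (or only normal) windows in the test set is caught up front rather than surfacing as NaN after the loss has already dropped.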