Detecting Stolen Credential Use in AWS CloudTrail Logs with a Graph Conditional Probability Model

This talk will present a new technique we call "novelty detection" that uses a conditional probability graph on the freely available "Quine" streaming graph to detect novel credential use behaviors in AWS CloudTrail logs. This technique natively uses the categorical data available in AWS CloudTrail logs, instead of the traditional one-hot encoding (or other encodings), and makes use of context to accurately score events never seen before. The end result is a live stream of real-time explanations and "novelty scores" that provide a total ordering of how unusual each observation is compared to all data seen so far. This unsupervised approach requires no training or data labeling, is very fast, and is incredibly accurate, producing actionable results and avoiding false positives.
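The conditional-probability idea above, as an added, deliberately simplified illustration that is not Quine's implementation or the speaker's code: a prefix-count tree over the categorical CloudTrail fields yields P(value | preceding fields) at every level, and an event's novelty is one minus the product of those probabilities, computed before the event is folded into the counts. The field names follow CloudTrail's record format; the sample records and IP addresses are constructed.

```python
"""Simplified conditional-probability novelty scoring for CloudTrail-like events.

Illustration only (not Quine's algorithm). Each event becomes an ordered tuple of
categorical fields; counts[context][value] records how often `value` followed the
preceding fields, so P(value | context) is available at every level. An event is
scored BEFORE it is recorded, so the stream needs no training phase or labels.
"""
from collections import defaultdict

FIELDS = ("userIdentity", "eventSource", "eventName", "sourceIPAddress", "awsRegion")


class NoveltyScorer:
    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))

    def score(self, event):
        """Return (novelty in [0, 1), (field, value, p) of the least likely step)."""
        prob, worst, ctx = 1.0, None, ()
        for field in FIELDS:
            value = event[field]
            bucket = self.counts.get(ctx, {})          # .get() does not insert
            total = sum(bucket.values())
            # Escape estimate: one unit of mass is reserved for never-seen values,
            # so an unseen value under a well-known context gets 1/(total+1).
            p = bucket.get(value, 1) / (total + 1)
            prob *= p
            if worst is None or p < worst[2]:
                worst = (field, value, p)
            ctx += (value,)
        return 1.0 - prob, worst

    def observe(self, event):
        """Score the event, then fold it into the counts (streaming update)."""
        result = self.score(event)
        ctx = ()
        for field in FIELDS:
            self.counts[ctx][event[field]] += 1
            ctx += (event[field],)
        return result


# Constructed sample events (not real CloudTrail records).
BASELINE = {"userIdentity": "AIDAEXAMPLE/alice", "eventSource": "s3.amazonaws.com",
            "eventName": "GetObject", "sourceIPAddress": "10.0.0.5", "awsRegion": "us-east-1"}
NEW_IP = dict(BASELINE, sourceIPAddress="198.51.100.7")  # same principal, new address


def demo(n_baseline=5):
    """Replay baseline events, then score one more baseline and one new-IP event."""
    scorer = NoveltyScorer()
    for _ in range(n_baseline):
        scorer.observe(BASELINE)
    return {"baseline": scorer.score(BASELINE), "new_ip": scorer.score(NEW_IP)}


if __name__ == "__main__":
    for name, (novelty, (field, value, p)) in demo().items():
        print(f"{name:8s} novelty={novelty:.3f}  least likely: {field}={value} (P={p:.3f})")
```

With five identical baseline events, the repeated event scores 1 - (5/6)^5 while the new-IP event scores 1 - (5/6)^3 / 6, and the explanation names sourceIPAddress as the step that made it unusual.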


  • Michael Aglietti, Dir. Developer Relations at Dot, Inc.