๐ค AI Summary
This work addresses the high false positive rates and limited adaptability of traditional rule-based or static anomaly detection methods in cloud security logs, which struggle to capture the dynamic evolution of organizational behavior. The authors propose a self-supervised graph neural network approach that constructs userโresource interaction graphs from AWS CloudTrail logs to generate dynamic anomaly scores for each event. This method continuously adapts to environmental changes without requiring manual rule updates or frequent model retraining. Evaluated across five real-world organizations, the approach reduces hourly alerts from thousands to approximately one while maintaining high detection efficacy, substantially alleviating analyst workload and demonstrating strong practicality and adaptability in dynamic cloud environments.
๐ Abstract
Detecting security threats in an organization's cloud computing environment has become necessary due to the increased reliance on cloud infrastructure. Logging of all cloud computing events enables investigation into any incidents after they are detected. Automated detection of threats using the logs based on heuristics or anomaly detection could result in a high false positive rate due to its relatively static nature. In this article, we present an industrial case study of a self-supervised learning method using graph neural networks applied to AWS CloudTrail logs to surface suspicious events for analyst review. The model produces an anomaly score for each event and dynamically adapts to changes in the organization without requiring periodic retraining. Based on our experiments across five organizations, the proposed model produced substantially fewer alerts than a domain expert rule-based baseline in almost all cases, reducing alert volumes to approximately 1 per hour from thousands generated by traditional methods. We note that this evaluation covers only flagged events, and false negatives cannot be estimated from the current data; findings should therefore be interpreted as a practical deployment study offering insights into real-world constraints rather than a fully validated detection system. We discuss these limitations and the requirements for extending the approach to other cloud environments as future work.