# References and prior art
OpenALBA builds on established standards and research in anomaly detection, behavioral analytics, and security monitoring.
## Standards alignment
| Standard | Version | Alignment |
|---|---|---|
| MITRE ATT&CK | v14.0 | Detection patterns mapped to technique IDs |
| NIST SP 800-53 | Rev. 5 | SI-4 (System Monitoring) controls |
| NIST Cybersecurity Framework | 2.0 | DE.AE (Anomalies and Events) |
| OpenTelemetry Semantic Conventions | 1.24 | Signal attribute definitions |
| ISO/IEC 27001 | 2022 | A.12.4 (Logging and Monitoring) |
## Research foundations
OpenALBA's methodology draws on the following peer-reviewed research.
### Anomaly Detection
- Chandola, V., Banerjee, A., & Kumar, V. (2009). “Anomaly Detection: A Survey.” ACM Computing Surveys, 41(3), 1-58.
- Liu, F.T., Ting, K.M., & Zhou, Z.H. (2008). “Isolation Forest.” IEEE International Conference on Data Mining, 413-422.
- Aggarwal, C.C. (2017). *Outlier Analysis* (2nd ed.). Springer.
### User and Entity Behavior Analytics
- Sapegin, A., et al. (2017). “Poisson-based Anomaly Detection for Identifying Malicious User Behaviour.” CRITIS 2017.
- Rashid, T., et al. (2016). “A New Take on Detecting Insider Threats.” ACM CCS Workshop on Managing Insider Security Threats.
### Time Series Analysis
- Cleveland, R.B., et al. (1990). “STL: A Seasonal-Trend Decomposition Procedure Based on Loess.” Journal of Official Statistics, 6, 3-73.
## Industry prior art
OpenALBA acknowledges and builds upon approaches used in production systems:
| System | Relevant Concepts |
|---|---|
| Microsoft Sentinel | Investigation Priority Score, peer group analysis |
| Splunk UBA | Three-tier threat modeling, behavioral baselines |
| Exabeam | Session-based risk scoring, rarity calculations |
| Elastic Security | Anomaly detection jobs, ML-based behavioral analysis |
## Contributing research
If you have published research relevant to behavioral analytics that should be referenced, please open an issue or submit a pull request.