Title :
Online unsupervised anomaly detection in large information systems using copula theory
Author :
Huyot, Benoit ; Mabiala, Yves ; Marcotorchino, Jean-Francois
Author_Institution :
Thales Commun. & Security, Gennevilliers, France
Abstract :
We present in this paper a method for extracting and isolating atypical events from a large collection of data (we will call them anomalies in the rest of the paper). In cybersecurity, one of the main problems we face is the detection of unknown attack patterns spread across increasingly large data sources such as log files. Because it is often very difficult to obtain a set of labelled data from which to learn and consequently infer a model, we focus in this paper on an approach that learns a model using only unlabeled data while making very few hypotheses. Using copula theory, we show that this is a tractable task and exhibit very good performance on one of the most common datasets used in the cybersecurity domain.
Keywords :
security of data; copula theory; cybersecurity domain; data collection; data sources; dataset; large information systems; log files; online unsupervised anomaly detection; unlabeled data; Anomaly detection; Copula; Cyber-security;
Conference_Title :
Cloud Computing and Intelligence Systems (CCIS), 2014 IEEE 3rd International Conference on
Print_ISBN :
978-1-4799-4720-1
DOI :
10.1109/CCIS.2014.7175820