TY - GEN
T1 - Cloudy with a Chance of Anomalies
T2 - 23rd IEEE Consumer Communications and Networking Conference, CCNC 2026
AU - Marbel, Revital
AU - Cohen, Yanir
AU - Dubin, Ran
AU - Dvir, Amit
AU - Hajaj, Chen
N1 - Publisher Copyright: © 2026 IEEE.
PY - 2026
Y1 - 2026
N2 - In today's digital landscape, ensuring the security of cloud environments is critical for organizational resilience, growth, and operational efficiency. As cloud services become more prevalent, so do sophisticated attacks targeting cloud users, making early detection essential. This paper introduces a novel time-based embedding approach for Cloud Services Graph-based Anomaly Detection (CS-GAD) that leverages a Graph Neural Network (GNN) to detect anomalous user behavior. We propose a dynamic tripartite graph to model interactions among users, actions, and cloud services over time. Using behavioral patterns, our GNN generates user embeddings to enable early detection of anomalies. We evaluate this approach on a novel dataset simulating five real-world attacks: cryptojacking, billing abuse, lateral movement, monitor exploitation, and service targeting. The dataset comprises 107,116 Application Programming Interface (API) calls over 32 days, tracking 79 AWS services, with attacks embedded within legitimate cloud traffic. Our results demonstrate that the proposed method achieves a lower false positive rate and higher detection accuracy than a prevailing method, as evidenced by improved accuracy, precision, recall, and F1-score.
KW - Anomalies
KW - Cloud
KW - Cyber Attacks
KW - GNN
KW - neural networks
UR - https://www.scopus.com/pages/publications/105034070962
U2 - 10.1109/CCNC65079.2026.11366510
DO - 10.1109/CCNC65079.2026.11366510
M3 - Conference contribution
AN - SCOPUS:105034070962
T3 - Proceedings - IEEE Consumer Communications and Networking Conference, CCNC
BT - 2026 IEEE 23rd Consumer Communications and Networking Conference, CCNC 2026
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 9 January 2026 through 12 January 2026
ER -